cloud_provisioning_activity_from_previously_unseen_city.yml
89 lines (88 loc) · 3.99 KB
name: Cloud Provisioning Activity From Previously Unseen City
id: e7ecc5e0-88df-48b9-91af-51104c68f02f
version: 1
date: '2020-10-09'
author: Rico Valdez, Bhavin Patel, Splunk
status: production
type: Anomaly
description: This search looks for cloud provisioning activities from previously unseen
  cities. Provisioning activities are defined broadly as any event that runs or creates
  something.
data_source:
- AWS CloudTrail
search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change
  where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success
  by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command |
  `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) |
  lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen,
  enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 |
  eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity
  > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) |
  table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter`
  | `security_content_ctime(firstTime)`'
how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud
  provider. You should run the baseline search `Previously Seen Cloud Provisioning
  Activity Sources - Initial` to build the initial table of source IP address, geographic
  locations, and times. You must also enable the second baseline search `Previously
  Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date
  and to age out old data. You can adjust the time window for this search by updating
  the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide
  additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter`
  macro.
known_false_positives: 'This is a strictly behavioral search, so we define "false
  positive" slightly differently. Every time this fires, it will accurately reflect
  the first occurrence in the time period you''re searching within, plus what is
  stored in the cache feature. But while there are really no "false positives"
  in a traditional sense, there is definitely lots of noise.

  This search will fire any time a new IP address is seen in the **GeoIP** database for any kind
  of provisioning activity. If you typically do all provisioning from tools inside
  of your country, there should be few false positives. If you are located in countries
  where the free version of **MaxMind GeoIP** that ships by default with Splunk
  has weak resolution (particularly small countries in less economically powerful
  regions), this may be much less valuable to you.'
references: []
tags:
  analytic_story:
  - Suspicious Cloud Provisioning Activities
  asset_type: AWS Instance
  confidence: 60
  impact: 30
  message: User $user$ is starting or creating an instance $object$ for the first time
    in City $City$ from IP address $src$
  mitre_attack_id:
  - T1078
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: src
    type: IP Address
    role:
    - Attacker
  - name: object
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - All_Changes.action
  - All_Changes.status
  - All_Changes.src
  - All_Changes.user
  - All_Changes.object
  - All_Changes.command
  risk_score: 18
  security_domain: threat
  manual_test: This search needs the baseline to be run first to create a lookup
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
    sourcetype: aws:cloudtrail
    source: aws_cloudtrail
    update_timestamp: true
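The `search:` pipeline in this detection is easier to reason about when each SPL stage is written out as plain code. The following is an added walk-through in Python, not Splunk's code and not part of the detection file: it replays the tstats filter and grouping, the `iplocation` enrichment, the lookup against the baseline table, the `eventstats max(enough_data)` gate, and the `min(firstTimeSeen)` window test over a handful of constructed events. The GeoIP map, the baseline rows (assumed columns `src`, `City`, `firstTimeSeen`, `enough_data`) and the 70-day value of the `previously_unseen_cloud_provisioning_activity_window` macro are all assumptions made for the example; check the macro and lookup definitions in your own deployment.

```python
"""Constructed re-implementation of the detection's SPL pipeline (added example, not Splunk code)."""
from datetime import datetime, timedelta, timezone

# Assumption: the `previously_unseen_cloud_provisioning_activity_window` macro
# resolves to 70 days here; verify the macro in your deployment.
WINDOW = timedelta(days=70)

NOW = datetime(2020, 10, 9, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed stand-in for the `iplocation` command (documentation ranges only).
GEOIP = {
    "203.0.113.10": "Seattle",
    "198.51.100.7": "Seattle",
    "192.0.2.55": "Lagos",
    "192.0.2.99": "Oslo",
    "198.51.100.200": None,  # unresolvable -> removed by `where isnotnull(City)`
}

# Constructed stand-in for the `previously_seen_cloud_provisioning_activity_sources`
# lookup. Assumed columns: src, City, firstTimeSeen, enough_data.
BASELINE = [
    {"src": "203.0.113.10", "City": "Seattle", "firstTimeSeen": NOW - timedelta(days=200), "enough_data": 1},
    {"src": "198.51.100.7", "City": "Seattle", "firstTimeSeen": NOW - timedelta(days=5), "enough_data": 1},
    {"src": "192.0.2.99", "City": "Oslo", "firstTimeSeen": NOW - timedelta(days=10), "enough_data": 1},
]

# Constructed Change-datamodel events, using the field names listed under required_fields.
EVENTS = [
    {"_time": NOW - timedelta(hours=1), "action": "started", "status": "success",
     "src": "203.0.113.10", "user": "alice", "object": "i-0001", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=2), "action": "started", "status": "success",
     "src": "203.0.113.10", "user": "alice", "object": "i-0001", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=3), "action": "created", "status": "success",
     "src": "198.51.100.7", "user": "bob", "object": "i-0002", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=4), "action": "started", "status": "success",
     "src": "192.0.2.55", "user": "carol", "object": "i-0003", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=5), "action": "started", "status": "success",
     "src": "192.0.2.99", "user": "dave", "object": "i-0004", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=6), "action": "started", "status": "failure",
     "src": "192.0.2.55", "user": "carol", "object": "i-0005", "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=7), "action": "created", "status": "success",
     "src": "198.51.100.200", "user": "erin", "object": "i-0006", "command": "RunInstances"},
]


def detect(events, baseline, geoip, now, window=WINDOW):
    """Return one alert per (src, user, object, command) whose City is new or first seen inside `window`."""
    # tstats ... where action in (started, created) and status=success, by src,user,object,command
    groups = {}
    for ev in events:
        if ev["action"] not in ("started", "created") or ev["status"] != "success":
            continue
        key = (ev["src"], ev["user"], ev["object"], ev["command"])
        g = groups.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])

    # iplocation src | where isnotnull(City) | lookup ... City OUTPUT firstTimeSeen, enough_data
    rows = []
    for (src, user, obj, cmd), g in groups.items():
        city = geoip.get(src)
        if city is None:
            continue
        # several baseline rows may share a City, so firstTimeSeen comes back multivalued
        matches = [b for b in baseline if b["City"] == city]
        rows.append({
            "firstTime": g["firstTime"], "src": src, "City": city, "user": user,
            "object": obj, "command": cmd,
            "firstTimeSeen": [b["firstTimeSeen"] for b in matches],
            "enough_data": max((b["enough_data"] for b in matches), default=None),
        })

    # eventstats max(enough_data) | where enough_data=1: one gate over the whole result set,
    # so a city missing from the baseline still passes once any baseline row is mature,
    # and nothing fires at all until the baseline has matured
    if max((r["enough_data"] for r in rows if r["enough_data"] is not None), default=0) != 1:
        return []

    # eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(...) OR ... > relative_time(now(), window)
    cutoff = now - window
    alerts = []
    for r in rows:
        first_seen_city = min(r["firstTimeSeen"]) if r["firstTimeSeen"] else None
        if first_seen_city is None or first_seen_city > cutoff:
            alerts.append({k: r[k] for k in ("firstTime", "src", "City", "user", "object", "command")})
    return sorted(alerts, key=lambda a: a["firstTime"])


if __name__ == "__main__":
    for a in detect(EVENTS, BASELINE, GEOIP, NOW):
        print(f"User {a['user']} is starting or creating an instance {a['object']} "
              f"for the first time in City {a['City']} from IP address {a['src']}")
```

With the constructed data, Seattle is suppressed even though one baseline row saw it only five days ago, because `min(firstTimeSeen)` takes the oldest sighting of the city across all baseline rows; Oslo fires because its only sighting falls inside the window, and Lagos fires because it has no baseline row at all. Setting every `enough_data` to 0 returns nothing, which is the behaviour the `manual_test` note describes: the baseline must be built before the detection produces results.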