/
detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
68 lines (68 loc) · 3.58 KB
/
detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
name: Detect Spike in blocked Outbound Traffic from your AWS
id: d3fffa37-492f-487b-a35d-c60fcb2acf01
version: 1
date: '2018-05-07'
author: Bhavin Patel, Splunk
status: experimental
type: Anomaly
description: This search will detect spike in blocked outbound network connections
originating from within your AWS environment. It will also update the cache file
that factors in the latest data.
data_source: []
search: '`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12
OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow`
action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16)
( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) |
stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections
append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections
as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720
| eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720))
| eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections),
stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections),
numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip,
latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup
baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold
= 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections)
AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip]
| stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId"
count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip
| `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow
logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit
your environment. The `dataPointThreshold` variable is the number of data points
required to meet the definition of "spike." The `deviationThreshold` variable is
the number of standard deviations away from the mean that the value must be to be
considered a spike. This search works best when you run the "Baseline of Blocked
Outbound Connection" support search once to create a history of previously seen
blocked outbound connections.
known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold`
and `deviationThreshold`. Additionally, false positives may result when AWS administrators
roll out policies enforcing network blocks, causing sudden increases in the number
of blocked outbound connections.
references: []
tags:
analytic_story:
- AWS Network ACL Activity
- Suspicious AWS Traffic
- Command And Control
asset_type: AWS Instance
confidence: 50
impact: 50
message: Blocked outbound traffic from your AWS
observable:
- name: resourceId
type: Other
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- action
- src_ip
- dest_ip
risk_score: 25.0
security_domain: network