LoFP LoFP / aws instance

TitleTags
it's possible that a new user will start to modify ec2 instances when they haven't before for any number of reasons. verify with the user that is modifying instances that this is the intended behavior.
it's possible that a user has legitimately deleted a network acl.
it's possible that an admin has created this acl with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
none.
the false-positive rate may vary based on the values of`datapointthreshold` and `deviationthreshold`. additionally, false positives may result when aws administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
this is a strictly behavioral search, so we define \"false positive\" slightly differently. every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. but while there are really no \"false positives\" in a traditional sense, there is definitely lots of noise. this search will fire any time a new ip address is seen in the **geoip** database for any kind of provisioning activity. if you typically do all provisioning from tools inside of your country, there should be few false positives. if you are located in countries where the free version of **maxmind geoip** that ships by default with splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.
using multiple aws accounts and roles is perfectly valid behavior. it's suspicious when an account requests privileges of an account it hasn't before. you should validate with the account owner that this is a legitimate request.
when a legitimate new user logins for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.