Techniques
Sample rules
Detect Spike in S3 Bucket deletion
- source: splunk
- technicques:
- T1530
Description
The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.
Detection logic
`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket
| spath output=arn path=userIdentity.arn
| stats count as apiCalls by arn
| inputlookup s3_deletion_baseline append=t
| fields - latestCount
| stats values(*) as * by arn
| rename apiCalls as latestCount
| eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720
| eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720))
| eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
| table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
| outputlookup s3_deletion_baseline
| eval dataPointThreshold = 15, deviationThreshold = 3
| eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0)
| where isSpike=1
| rename arn as userIdentity.arn
| table userIdentity.arn]
| spath output=user userIdentity.arn
| spath output=bucketName path=requestParameters.bucketName
| stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user
| `detect_spike_in_s3_bucket_deletion_filter`