Techniques
Sample rules
Detect Spike in S3 Bucket deletion
- source: splunk
- technicques:
- T1530
Description
This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.
Detection logic
`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket
| spath output=arn path=userIdentity.arn
| stats count as apiCalls by arn
| inputlookup s3_deletion_baseline append=t
| fields - latestCount
| stats values(*) as * by arn
| rename apiCalls as latestCount
| eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720
| eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720))
| eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
| table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
| outputlookup s3_deletion_baseline
| eval dataPointThreshold = 15, deviationThreshold = 3
| eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0)
| where isSpike=1
| rename arn as userIdentity.arn
| table userIdentity.arn]
| spath output=user userIdentity.arn
| spath output=bucketName path=requestParameters.bucketName
| stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user
| `detect_spike_in_s3_bucket_deletion_filter`
Detect Spike in Security Group Activity
- source: splunk
- technicques:
- T1078.004
Description
This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and have been translated to use the latest Change Datamodel.
Detection logic
`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls`
| spath output=arn path=userIdentity.arn
| stats count as apiCalls by arn
| inputlookup security_group_activity_baseline append=t
| fields - latestCount
| stats values(*) as * by arn
| rename apiCalls as latestCount
| eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720
| eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720))
| eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
| table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
| outputlookup security_group_activity_baseline
| eval dataPointThreshold = 15, deviationThreshold = 3
| eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0)
| where isSpike=1
| rename arn as userIdentity.arn
| table userIdentity.arn]
| spath output=user userIdentity.arn
| stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user
| `detect_spike_in_security_group_activity_filter`