LoFP / It is possible that a user downloaded these files to use them locally, and there are AWS services configured that perform these activities for a legitimate reason. A filter is needed.

Techniques

Sample rules

AWS Exfiltration via Anomalous GetObject API Activity

Description

This search uses the built-in Splunk command | anomalydetection to detect anomalies with respect to users making a high number of GetObject API calls to download objects from S3 within a 10-minute time window. The field probable_cause names the field that best explains why the event is anomalous. The command identifies anomalous events by computing a probability for each GetObject event over the fields "count", "user_type" and "user_arn" and flags anomalies based on those frequencies.

Detection logic

`cloudtrail` eventName=GetObject
| bin _time span=10m
| stats count values(requestParameters.bucketName) as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId
| anomalydetection "count" "user_type" "user_arn" action=annotate
| search probable_cause=*
| `aws_exfiltration_via_anomalous_getobject_api_activity_filter`
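The following is an added Python example, not part of the original detection and not Splunk's anomalydetection implementation. It walks the same pipeline over constructed CloudTrail-shaped GetObject records: bin events into 10-minute windows, count per (user_type, user_arn) with the set of bucket names, then annotate windows whose count is far outside that principal's own baseline. The scoring is a leave-one-out z-score on the count field, an assumption standing in for the histogram-based probability the Splunk command computes; the principals, account id and bucket names are constructed placeholders.

```python
"""Simulate the GetObject anomaly search over constructed CloudTrail events.

Added example: not the original Splunk search and not Splunk's anomalydetection
algorithm. The z-score scoring below is an assumption used to illustrate the
"count by user_type, user_arn per 10-minute window" idea.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# ---- constructed sample data (not real CloudTrail, placeholder ARNs/account) ----
ACCOUNT = "111122223333"  # placeholder account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"  # constructed IAM user
BACKUP = f"arn:aws:sts::{ACCOUNT}:assumed-role/backup-role/nightly"  # constructed role session


def _event(hour, minute, second, arn, user_type, bucket, key):
    """Build a minimal CloudTrail-like GetObject record (constructed)."""
    return {
        "eventTime": f"2024-01-15T{hour:02d}:{minute:02d}:{second:02d}Z",
        "eventName": "GetObject",
        "userIdentity": {"type": user_type, "arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
    }


SAMPLE_EVENTS = []
# Baseline: alice downloads one or two objects per 10-minute window over an hour.
for window in range(6):
    for i in range(1 + window % 2):
        SAMPLE_EVENTS.append(_event(10, window * 10 + i, 0, ALICE, "IAMUser",
                                    "finance-reports", f"report-{window}-{i}.pdf"))
# Spike: 40 downloads by alice inside a single window (11:00-11:09).
for i in range(40):
    SAMPLE_EVENTS.append(_event(11, i // 4, (i % 4) * 15, ALICE, "IAMUser",
                                "finance-reports", f"archive-{i}.zip"))
# A backup role fetches exactly five objects every window, including the spike window:
# steady behaviour that should not be annotated.
for window in range(7):
    for i in range(5):
        SAMPLE_EVENTS.append(_event(10 + window // 6, (window % 6) * 10 + i, 30, BACKUP,
                                    "AssumedRole", "app-backups", f"snap-{window}-{i}.tar"))


def bin_time(event_time, span_minutes=10):
    """Equivalent of `bin _time span=10m`: floor the timestamp to the window start."""
    dt = datetime.fromisoformat(event_time.replace("Z", "+00:00"))
    floored = dt.replace(minute=(dt.minute // span_minutes) * span_minutes,
                         second=0, microsecond=0)
    return floored.isoformat()


def aggregate(events, span_minutes=10):
    """Equivalent of the stats stage: count and values(bucketName) by window, user_type, user_arn."""
    rows = defaultdict(lambda: {"count": 0, "bucketName": set()})
    for ev in events:
        if ev.get("eventName") != "GetObject":
            continue
        key = (bin_time(ev["eventTime"], span_minutes),
               ev["userIdentity"]["type"], ev["userIdentity"]["arn"])
        rows[key]["count"] += 1
        rows[key]["bucketName"].add(ev["requestParameters"]["bucketName"])
    return [{"_time": t, "user_type": ut, "user_arn": arn,
             "count": v["count"], "bucketName": sorted(v["bucketName"])}
            for (t, ut, arn), v in sorted(rows.items())]


def annotate_anomalies(rows, threshold=3.0):
    """Stand-in for `anomalydetection "count" "user_type" "user_arn" action=annotate`.

    For each (user_type, user_arn) the count of every window is compared with the
    other windows of the same principal (leave-one-out mean and sample stdev).
    Windows with a z-score above `threshold` get probable_cause="count", mirroring
    the annotate output; the stdev floor of 1.0 avoids dividing by zero for a
    perfectly steady principal. This is an approximation, not Splunk's algorithm.
    """
    by_principal = defaultdict(list)
    for r in rows:
        by_principal[(r["user_type"], r["user_arn"])].append(r)
    annotated = []
    for group in by_principal.values():
        for r in group:
            others = [o["count"] for o in group if o is not r]
            if len(others) < 2:
                continue  # not enough history to baseline this principal
            mean = statistics.mean(others)
            sd = max(statistics.stdev(others), 1.0)
            z = (r["count"] - mean) / sd
            if z > threshold:
                annotated.append(dict(r, probable_cause="count", z_score=round(z, 1)))
    return annotated


def detect(events=SAMPLE_EVENTS):
    """Full pipeline: aggregate, annotate, then keep only rows with probable_cause set."""
    return annotate_anomalies(aggregate(events))


if __name__ == "__main__":
    for hit in detect():
        print(hit)
```

Running the block prints a single annotated row: alice's 11:00 window with count 40 and probable_cause "count", while the backup role's constant five-per-window activity and alice's own one-or-two-per-window baseline are left alone. The final `search probable_cause=*` stage of the original SPL corresponds to returning only annotated rows, and the filter macro is where the legitimate services mentioned in the false-positive note would be excluded.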