It's likely that you'll find activity from users or service accounts that are not listed in the `identity_lookup_expanded` lookup or the `aws_service_accounts.csv` file. If the user is a legitimate service account, add it to the `aws_service_accounts.csv` table so it stops alerting.

Techniques

Sample rules

Detect AWS API Activities From Unapproved Accounts

Description

This search looks for successful AWS CloudTrail activity by user accounts that are not listed in the identity table (`identity_lookup_expanded`) or in `aws_service_accounts.csv`. For each such user it returns the event names and count, as well as the first and last time that user or service account was seen. The search is deprecated because maintaining the allow list of approved accounts is hard to do reliably.

Detection logic

`cloudtrail` errorCode=success 
| rename userName as identity 
| search NOT [
| inputlookup identity_lookup_expanded 
| fields identity] 
| search NOT [
| inputlookup aws_service_accounts 
| fields identity] 
| rename identity as user 
| stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_aws_api_activities_from_unapproved_accounts_filter`
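The detection logic above re-implemented offline in Python, as an added example rather than the project's own code: it applies the same steps (keep successful events, drop identities present in either allow list, aggregate count, first/last time and distinct event names per user) to a handful of constructed CloudTrail records, then walks through the false-positive handling from the note at the top by adding a legitimate service account to `aws_service_accounts.csv` so it no longer alerts. The allow lists, the log records and the way `userName` is derived (including the fallback to the assumed role's `sessionIssuer` name) are assumptions made for this example; the Splunk Add-on for AWS's real field extraction may differ.

```python
"""Offline re-implementation of the deprecated Splunk search
"Detect AWS API Activities From Unapproved Accounts".
Added example; the allow lists and every CloudTrail record are constructed."""
import csv
import io
from datetime import datetime

# Constructed stand-in for the identity_lookup_expanded lookup (human users).
IDENTITY_LOOKUP = {"alice", "bob"}

# Constructed stand-in for aws_service_accounts.csv, one-column format with
# the "identity" header the SPL subsearch relies on.
SERVICE_ACCOUNTS_CSV = """identity
backup-runner
ci-deploy
"""

# Constructed CloudTrail records (subset of fields). The Splunk AWS add-on
# sets errorCode=success on successful calls; raw CloudTrail simply omits
# errorCode on success, so both forms are treated as success below.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "errorCode": "success", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "GetObject",
     "userIdentity": {"userName": "backup-runner"}},
    {"eventTime": "2024-05-01T08:10:00Z", "eventName": "CreateRole",
     "userIdentity": {"userName": "terraform-bot"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventName": "AttachRolePolicy",
     "errorCode": "success", "userIdentity": {"userName": "terraform-bot"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventName": "DeleteUser",
     "errorCode": "AccessDenied", "userIdentity": {"userName": "terraform-bot"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "sessionContext":
                      {"sessionIssuer": {"userName": "incident-responder"}}}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"}},
]


def load_service_accounts(csv_text):
    """Equivalent of `inputlookup aws_service_accounts | fields identity`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["identity"].strip() for r in rows if r["identity"].strip()}


def is_success(event):
    """Mirror `errorCode=success`; a missing errorCode counts as success."""
    return event.get("errorCode", "success") == "success"


def identity_of(event):
    """Mirror `rename userName as identity`. Assumption for this example:
    userName comes from userIdentity.userName, with a fallback to the assumed
    role's sessionIssuer name. Records with neither yield None and drop out
    of the result, just as a null `user` drops out of `stats ... by user`."""
    ui = event.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return ui.get("userName") or issuer.get("userName")


def detect_unapproved(events, identity_lookup, service_accounts):
    """Return {user: {count, firstTime, lastTime, eventName}} for successful
    activity by identities absent from both allow lists."""
    approved = set(identity_lookup) | set(service_accounts)
    results = {}
    for ev in events:
        if not is_success(ev):
            continue
        user = identity_of(ev)
        if user is None or user in approved:
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        r = results.setdefault(user, {"count": 0, "firstTime": ts,
                                      "lastTime": ts, "eventName": set()})
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], ts)
        r["lastTime"] = max(r["lastTime"], ts)
        r["eventName"].add(ev["eventName"])
    # The SPL's trailing *_filter macro is a per-deployment exclusion hook;
    # tuning here is done by editing the CSV instead (see below).
    return results


def approve_service_account(csv_text, identity):
    """False-positive handling from the note above: append a legitimate
    service account to aws_service_accounts.csv so it stops alerting."""
    if identity in load_service_accounts(csv_text):
        return csv_text
    return csv_text.rstrip("\n") + "\n" + identity + "\n"


if __name__ == "__main__":
    svc = load_service_accounts(SERVICE_ACCOUNTS_CSV)
    for user, r in detect_unapproved(SAMPLE_EVENTS, IDENTITY_LOOKUP, svc).items():
        print(user, r["count"], r["firstTime"], r["lastTime"], sorted(r["eventName"]))
    # terraform-bot turns out to be a legitimate IaC pipeline: allow-list it.
    svc = load_service_accounts(approve_service_account(SERVICE_ACCOUNTS_CSV, "terraform-bot"))
    print(sorted(detect_unapproved(SAMPLE_EVENTS, IDENTITY_LOOKUP, svc)))
```

On the constructed input the first pass flags `terraform-bot` (two successful calls; the `AccessDenied` one is excluded by the success filter) and `incident-responder` (resolved from the assumed role), while `alice` and `backup-runner` are suppressed by the two allow lists and the `AWSService` record is dropped for lack of a user name. After `terraform-bot` is appended to the CSV only `incident-responder` remains, which is exactly the triage loop the LoFP note describes and the reason the rule was deprecated: every new automation account has to be added by hand.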