LoFP / Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Techniques

Sample rules

Abnormally High Number Of Cloud Instances Destroyed

Description

This search counts the number of successfully destroyed cloud instances for every 4-hour block, split between weekdays and the weekend. It then applies the previously created probability density model and alerts on any outliers.

Detection logic

| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] 
| where cardinality >=16 
| apply cloud_excessive_instances_destroyed_v1 threshold=0.005 
| rename "IsOutlier(instances_destroyed)" as isOutlier 
| where isOutlier=1 
| eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) 
| eval distance_from_threshold = instances_destroyed - expected_upper_threshold 
| table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id 
| `abnormally_high_number_of_cloud_instances_destroyed_filter`
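As an added illustration (not part of the rule or this page), the same bucketing and outlier comparison in Python over constructed events: a fixed upper bound per (HourOfDay, isWeekend) bucket stands in for the top of the density model's BoundaryRanges, the cardinality check is omitted, and the service-account filter the false-positive note above asks for is applied before scoring. The events, bounds and service-account list are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, stand-ins for Change data model rows where
# action=deleted, status=success and object_category=instance.
EVENTS = [{"_time": f"2024-03-04T09:{m:02d}:00Z", "user": "alice", "object_id": f"i-{m:03d}"}
          for m in (5, 20, 31, 40, 52)]           # five deletions in one weekday hour
EVENTS += [{"_time": "2024-03-04T09:10:00Z", "user": "bob", "object_id": "i-201"},
           {"_time": "2024-03-04T09:45:00Z", "user": "bob", "object_id": "i-202"}]
EVENTS += [{"_time": f"2024-03-09T02:{m:02d}:00Z", "user": "svc-autoscaler",
            "object_id": f"i-{100 + m}"} for m in range(0, 60, 5)]  # 12 in a weekend hour

# Constructed per-bucket upper bounds, keyed like the SPL join (HourOfDay block,
# isWeekend); they stand in for the top of BoundaryRanges that `apply` returns.
EXPECTED_UPPER = {(8, 0): 3, (0, 1): 4}
SERVICE_ACCOUNTS = {"svc-autoscaler"}  # constructed list for the LoFP filter

def bucket_keys(ts):
    """Return the SPL's hourly _time bucket, HourOfDay block and isWeekend flag."""
    hour_bucket = ts.replace(minute=0, second=0, microsecond=0)   # span=1h
    hour_block = (ts.hour // 4) * 4                               # floor(HourOfDay/4)*4
    is_weekend = 1 if ts.weekday() >= 5 else 0                    # %w in 1..5 -> weekday
    return hour_bucket, hour_block, is_weekend

def find_outliers(events, expected_upper, service_accounts=frozenset()):
    """Count deletions per user and hour, then flag counts above the bucket's bound.

    Service accounts are dropped first, as the LoFP note for this rule advises.
    Only the upper tail is checked; the real DensityFunction model flags both.
    """
    counts = defaultdict(list)
    for ev in events:
        if ev["user"] in service_accounts:
            continue
        ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hour_bucket, hour_block, is_weekend = bucket_keys(ts)
        counts[(hour_bucket, ev["user"], hour_block, is_weekend)].append(ev["object_id"])
    rows = []
    for (hour_bucket, user, hour_block, is_weekend), ids in counts.items():
        upper = expected_upper.get((hour_block, is_weekend))
        if upper is None or len(ids) <= upper:   # no baseline, or inside the expected range
            continue
        rows.append({"_time": hour_bucket.isoformat(), "user": user,
                     "instances_destroyed": len(ids), "expected_upper_threshold": upper,
                     "distance_from_threshold": len(ids) - upper, "object_id": ids})
    return rows

if __name__ == "__main__":
    for row in find_outliers(EVENTS, EXPECTED_UPPER, SERVICE_ACCOUNTS):
        print(row)
```

Without the service-account filter the autoscaler row is the loudest outlier; with it, only the human user's burst remains, which is the case the note says to verify.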