LoFP LoFP / many service accounts configured within an aws infrastructure are known to exhibit this behavior. please adjust the threshold values and filter out service accounts from the output. always verify if this search alerted on a human user.

Techniques

Sample rules

Abnormally High Number Of Cloud Instances Launched

Description

This search finds for the number successfully created cloud instances for every 4 hour block. This is split up between weekdays and the weekend. It then applies the probability densitiy model previously created and alerts on any outliers.

Detection logic


| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] 
| where cardinality >=16 
| apply cloud_excessive_instances_created_v1 threshold=0.005 
| rename "IsOutlier(instances_launched)" as isOutlier 
| where isOutlier=1 
| eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) 
| eval distance_from_threshold = instances_launched - expected_upper_threshold 
| table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id 
| `abnormally_high_number_of_cloud_instances_launched_filter`

Abnormally High AWS Instances Launched by User - MLTK

Description

This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.

Detection logic

`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` 
| bucket span=10m _time  
| stats count as instances_launched by _time src_user  
| apply ec2_excessive_runinstances_v1  
| rename "IsOutlier(instances_launched)" as isOutlier  
| where isOutlier=1

Abnormally High AWS Instances Launched by User

Description

This search looks for AWS CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel

Detection logic

`cloudtrail` eventName=RunInstances errorCode=success 
| bucket span=10m _time 
| stats count AS instances_launched by _time userName 
| eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev 
| eval threshold_value = 4 
| eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) 
| search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") 
| eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) 
| table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev 
| `abnormally_high_aws_instances_launched_by_user_filter`

Abnormally High AWS Instances Terminated by User - MLTK

Description

This search looks for AWS CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and have been translated to use the latest Change Datamodel.

Detection logic

`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` 
| bucket span=10m _time  
| stats count as instances_terminated by _time src_user  
| apply ec2_excessive_terminateinstances_v1  
| rename "IsOutlier(instances_terminated)" as isOutlier  
| where isOutlier=1