S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past hour.

Techniques

Sample rules

Detect S3 access from a new IP

Description

This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.

Detection logic

`aws_s3_accesslogs` http_status=200  [search `aws_s3_accesslogs` http_status=200 
| stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip 
| inputlookup append=t previously_seen_S3_access_from_remote_ip 
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip 
| outputlookup previously_seen_S3_access_from_remote_ip
| eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) 
| where newIP=1 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| table bucket_name remote_ip]
| iplocation remote_ip 
| rename remote_ip as src_ip
| table _time bucket_name src_ip City Country operation request_uri 
| `detect_s3_access_from_a_new_ip_filter`
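The following is an added Python re-implementation of the search above, written here to make the lookup-and-window logic (and the false positive the note describes) concrete; it is not Splunk security content. It assumes constructed access-log events with RFC 5737 addresses, a dict standing in for the previously_seen_S3_access_from_remote_ip lookup, and no iplocation step.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)   # constructed stand-in for now()

def ago(minutes):
    return NOW - timedelta(minutes=minutes)

# Constructed events standing in for the `aws_s3_accesslogs` macro's output (RFC 5737 addresses).
EVENTS = [
    {"_time": ago(5),  "bucket_name": "corp-logs",    "remote_ip": "198.51.100.7", "http_status": 200,
     "operation": "REST.GET.OBJECT", "request_uri": "GET /corp-logs/app.log"},
    {"_time": ago(10), "bucket_name": "corp-logs",    "remote_ip": "203.0.113.5",  "http_status": 200,
     "operation": "REST.GET.OBJECT", "request_uri": "GET /corp-logs/app.log"},
    {"_time": ago(2),  "bucket_name": "corp-logs",    "remote_ip": "192.0.2.9",    "http_status": 403,
     "operation": "REST.GET.OBJECT", "request_uri": "GET /corp-logs/secret.log"},
    {"_time": ago(20), "bucket_name": "other-bucket", "remote_ip": "198.51.100.7", "http_status": 200,
     "operation": "REST.PUT.OBJECT", "request_uri": "PUT /other-bucket/x.bin"},
]
# Constructed previously_seen_S3_access_from_remote_ip lookup: (bucket, ip) -> (firstTime, lastTime),
# seeded as if 198.51.100.7 had already been reading corp-logs three days earlier.
SEEN = {("corp-logs", "198.51.100.7"): (ago(3 * 24 * 60), ago(3 * 24 * 60))}

def update_seen(seen, events):
    """Subsearch: stats earliest/latest by bucket_name remote_ip over successful requests,
    merged with the existing lookup (min firstTime, max lastTime) and written back."""
    for ev in events:
        if ev["http_status"] != 200:          # http_status=200: failed attempts never enter the lookup
            continue
        key = (ev["bucket_name"], ev["remote_ip"])
        first, last = seen.get(key, (ev["_time"], ev["_time"]))
        seen[key] = (min(first, ev["_time"]), max(last, ev["_time"]))
    return seen

def new_pairs(seen, now, window_minutes=70):
    """eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1"""
    cutoff = (now - timedelta(minutes=window_minutes)).replace(second=0, microsecond=0)  # @m snap
    return {key for key, (first, _) in seen.items() if first >= cutoff}

def run_detection(events, seen, now=NOW):
    """Outer search: successful events whose (bucket, ip) pair the subsearch returned, tabled like
    the SPL. City/Country from iplocation are omitted (no offline geo database here)."""
    flagged = new_pairs(update_seen(seen, events), now)
    return [{"_time": ev["_time"], "bucket_name": ev["bucket_name"], "src_ip": ev["remote_ip"],
             "operation": ev["operation"], "request_uri": ev["request_uri"]}
            for ev in events
            if ev["http_status"] == 200 and (ev["bucket_name"], ev["remote_ip"]) in flagged]

if __name__ == "__main__":
    # Both rows are "new": 203.0.113.5 is a first-time client of corp-logs (the legitimate-but-new
    # case the note above calls a false positive) and the known IP is new to other-bucket.
    for row in run_detection(EVENTS, dict(SEEN)):
        print(row["_time"].isoformat(), row["bucket_name"], row["src_ip"], row["operation"])
```

Because the lookup key is the (bucket, IP) pair, a long-known IP is still flagged the first time it touches a different bucket, while the 403 from 192.0.2.9 never reaches the lookup at all.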