Techniques
Sample rules
ASL AWS Excessive Security Scanning
- source: splunk
- techniques:
- T1526
Description
This search looks for AWS CloudTrail events and analyses, per user, the number of distinct eventNames that start with Describe. A high count indicates that this user is scanning the configuration of your AWS cloud environment.
Detection logic
`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get*
| stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name
| where dc_api_operations > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_excessive_security_scanning_filter`
AWS Excessive Security Scanning
- source: splunk
- techniques:
- T1526
Description
The following analytic identifies excessive security scanning activities in AWS by detecting a high number of Describe, List, or Get API calls from a single user. It leverages AWS CloudTrail logs to count distinct event names and flags users with more than 50 such events. This behavior is significant as it may indicate reconnaissance activities by an attacker attempting to map out your AWS environment. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further exploitation of your cloud infrastructure.
Detection logic
`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*
| stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as command values(src) as src values(userAgent) as userAgent by user userIdentity.arn
| where dc_events > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_excessive_security_scanning_filter`
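The aggregation both rules above perform (distinct Describe*/List*/Get* event names per user, flagged when the count exceeds 50) re-implemented outside Splunk, as an added example that is not part of the Splunk content and not the page's own code. It runs over constructed CloudTrail-style records (the user names, ARNs, IPs and event names are all made up), so it can be used to sanity-check the threshold against exported logs without a SIEM.

```python
from datetime import datetime, timezone

SCAN_PREFIXES = ("Describe", "List", "Get")
THRESHOLD = 50  # same cut-off as the Splunk rules: dc(eventName) > 50

def _parse_time(ts: str) -> datetime:
    # CloudTrail eventTime is ISO 8601 in UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def excessive_scanners(records, threshold=THRESHOLD):
    """Group CloudTrail records by (user, arn), like the SPL 'by user userIdentity.arn',
    and return only groups whose count of distinct read-only event names exceeds threshold."""
    groups = {}
    for rec in records:
        name = rec.get("eventName", "")
        if not name.startswith(SCAN_PREFIXES):
            continue  # mutating calls (RunInstances, PutBucketPolicy, ...) are not counted
        ident = rec.get("userIdentity", {})
        key = (ident.get("userName", "unknown"), ident.get("arn", "unknown"))
        g = groups.setdefault(key, {"command": set(), "src": set(), "userAgent": set(), "times": []})
        g["command"].add(name)  # a set, so repeated calls of the same API count once (dc)
        g["src"].add(rec.get("sourceIPAddress"))
        g["userAgent"].add(rec.get("userAgent"))
        g["times"].append(_parse_time(rec["eventTime"]))
    hits = {}
    for key, g in groups.items():
        if len(g["command"]) > threshold:
            hits[key] = {"dc_events": len(g["command"]),
                         "firstTime": min(g["times"]).isoformat(),
                         "lastTime": max(g["times"]).isoformat(),
                         "src": sorted(g["src"]), "userAgent": sorted(g["userAgent"])}
    return hits

def _constructed_event(user, arn, name, i, ip, agent):
    # Constructed CloudTrail-style record for the demo; not real log data.
    return {"eventTime": f"2024-05-01T12:{i % 60:02d}:00Z", "eventName": name,
            "userIdentity": {"userName": user, "arn": arn},
            "sourceIPAddress": ip, "userAgent": agent}

def constructed_sample():
    recon_arn = "arn:aws:iam::123456789012:user/recon-user"  # constructed
    ops_arn = "arn:aws:iam::123456789012:user/ops-user"      # constructed
    # 62 records but only 60 distinct names: the two extra repeat existing ones
    recs = [_constructed_event("recon-user", recon_arn, f"DescribeConstructedResource{i % 60:02d}",
                               i, "198.51.100.10", "aws-cli/2.0") for i in range(62)]
    recs.append(_constructed_event("recon-user", recon_arn, "RunInstances", 30, "198.51.100.10", "aws-cli/2.0"))
    recs += [_constructed_event("ops-user", ops_arn, f"GetConstructedThing{i}", i,
                                "203.0.113.5", "console.amazonaws.com") for i in range(5)]
    return recs

if __name__ == "__main__":
    for (user, arn), hit in excessive_scanners(constructed_sample()).items():
        print(f"{user} ({arn}): {hit['dc_events']} distinct read-only calls, {hit['firstTime']} .. {hit['lastTime']}")
```

Only recon-user is reported; ops-user stays below the threshold and the RunInstances call is ignored, mirroring what the SPL `where` clause and eventName filter do.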