Splunk Lantern

Monitoring AWS and AWS Elastic Compute Cloud (EC2) for suspicious login activities

 

You are an Amazon Web Services (AWS) admin who manages access to AWS resources and services across your organization. As part of your role, you need to monitor your AWS authentication events using your CloudTrail logs. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any instances created by the attacker. 

These searches will help you detect suspicious logins to your AWS infrastructure, helping you stay aware of and investigate this potential threat.

How to use Splunk software for this use case

  • Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
  • To optimize the searches, you should specify an index and a time range when appropriate. 
  • Install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

Support searches

► Previously seen users in CloudTrail

This search looks for CloudTrail events where a user logs into the console, then creates a baseline of the latest and earliest times you encountered this user in your dataset, grouped by Amazon Resource Name (ARN), within the last 30 days.

This support search outputs the lookup file previously_seen_users_console_logins.csv. Be sure to validate the user name entries in this file before using it for correlation in other searches.

sourcetype=aws:cloudtrail eventName=ConsoleLogin 
| rename userIdentity.arn AS arn 
| stats earliest(_time) AS earliest latest(_time) AS latest BY arn 
| outputlookup previously_seen_users_console_logins.csv 
| stats count

Detection searches

► AWS console login by user from new country
  • To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  • This search works best when you run the Previously seen users in CloudTrail support search to create a baseline of previously seen Identity and Access Management (IAM) users within the last 30 days.

 

This search pulls ConsoleLogin events from the Authentication data model for the search time range, geolocates the source address with iplocation, and joins the result to the lookup of previously seen console users on the user field. A row is reported when the user's earliest appearance in the lookup (earliestseen) is either missing or newer than the start of the hour 24 hours ago (relative_time(now(),"-24h@h")), that is, when the user is new. Note that userCountry is set to "New Country" for any login whose earliest time falls inside that same 24-hour window, which is every login when the search runs over the last hour, so the filter that actually drives the alert is userStatus. Two things to check before scheduling it: the join is on user only, so the Country value from the lookup is not matched against the Country of the current login, and the lookup must contain user, firstTime and Country columns. The support search above writes arn, earliest and latest instead, so extend it to carry those fields (or rename them here) before relying on this alert.

| tstats allow_old_summaries=true earliest(_time) AS firstTime, latest(_time) AS lastTime FROM datamodel=Authentication WHERE "Authentication.signature"=ConsoleLogin BY "Authentication.user", "Authentication.src" 
| iplocation Authentication.src 
| rename "Authentication.*" AS "*" 
| table firstTime, lastTime, user, Country 
| join type=outer user [
| inputlookup previously_seen_users_console_logins 
| stats earliest(firstTime) AS earliestseen BY user Country 
| fields + earliestseen, user, Country] 
| eval userCountry=if((firstTime >= relative_time(now(),"-24h@h")),"New Country","Previously Seen Country") 
| eval userStatus=if(((earliestseen >= relative_time(now(),"-24h@h")) OR isnull(earliestseen)),"New User","Old User") 
| where ((userCountry == "New Country") AND (userStatus != "Old User")) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| table firstTime, lastTime, user, Country, userStatus, userCountry
 
► AWS console login by user from new city
  • To successfully implement this search you need to be ingesting authentication logs from your various systems and populating the Authentication data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  • This search works best when you run the Previously seen users in CloudTrail support search to create a baseline of previously seen Identity and Access Management (IAM) users within the last 30 days.

 

This search applies the same logic as the new-country search, keyed on City instead of Country: console logins from the Authentication data model are geolocated, joined to the previously seen users lookup on user, and reported when the user's earliest appearance in the lookup is missing or falls inside the last 24 hours (relative_time(now(),"-24h@h")). The same caveats apply: the join is on user only, so the City column is not compared between the lookup and the current login, and the lookup must provide user, firstTime and City columns, which the support search above does not write.

| tstats allow_old_summaries=true earliest(_time) AS firstTime, latest(_time) AS lastTime FROM datamodel=Authentication WHERE "Authentication.signature"=ConsoleLogin BY "Authentication.user", "Authentication.src" 
| iplocation Authentication.src 
| rename "Authentication.*" AS "*" 
| table firstTime, lastTime, user, City 
| join type=outer user [
| inputlookup previously_seen_users_console_logins 
| stats earliest(firstTime) AS earliestseen BY user City 
| fields + earliestseen, user, City] 
| eval userCity=if((firstTime >= relative_time(now(),"-24h@h")),"New City","Previously Seen City") 
| eval userStatus=if(((earliestseen >= relative_time(now(),"-24h@h")) OR isnull(earliestseen)),"New User","Old User") 
| where ((userCity == "New City") AND (userStatus != "Old User")) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| table firstTime, lastTime, user, City, userStatus, userCity
 
► New user AWS console login

This search works best when you run the Previously seen users in CloudTrail support search to create a baseline of previously seen Identity and Access Management (IAM) users within the last 30 days.

 

This search re-runs the baseline logic and alerts in one pass. It takes ConsoleLogin events for the search window, computes the earliest and latest time per ARN, appends the rows already in previously_seen_users_console_logins.csv, collapses the two sets with min(earliest) and max(latest) per ARN, and writes the merged table back to the lookup. It then marks an ARN as "First Time Logging into AWS Console" when its merged earliest time is no older than the start of the previous hour (relative_time(now(), "-1h@h")) and keeps only those rows.

Because the lookup is rewritten on every run, schedule this search at an interval no longer than the one-hour window: a login that occurred more than an hour before the run would already be older than the cutoff when it is evaluated and would never alert. Conversely, an ARN you remove from the lookup while validating its entries will alert again on its next login.

sourcetype=aws:cloudtrail eventName=ConsoleLogin 
| rename userIdentity.arn AS arn  
| stats earliest(_time) AS earliest latest(_time) AS latest BY arn 
| inputlookup append=t previously_seen_users_console_logins.csv 
| stats min(earliest) AS earliest max(latest) AS latest BY arn 
| outputlookup previously_seen_users_console_logins.csv 
| eval userStatus=if(earliest >= relative_time(now(), "-1h@h"), "First Time Logging into AWS Console","Previously Seen User") 
| convert ctime(earliest) ctime(latest) 
| where userStatus ="First Time Logging into AWS Console"
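The baseline-and-compare logic of the support search and of this search, written out in Python as an added example (it is not code from this page or from Splunk) so it can be run offline against constructed CloudTrail records. It goes one step beyond the page's searches by keying the baseline on (ARN, country) rather than ARN alone, which lets the same table answer the "new country" question that the earlier search approaches with a join. The GEO table stands in for iplocation, PRIOR_BASELINE stands in for the contents of previously_seen_users_console_logins.csv, and every ARN, address and timestamp is constructed test data.

```python
"""Baseline-and-compare detection for AWS ConsoleLogin events.

Added example, not code from the Splunk Lantern page or from Splunk: it
reimplements what the 'Previously seen users in CloudTrail' support search and
the 'New user AWS console login' search do in SPL, with the baseline keyed on
(arn, country) so new-country logins fall out of the same table.  All ARNs,
addresses, timestamps and the IP-to-country table are constructed test data.
"""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed "now"

# Constructed stand-in for Splunk's iplocation, using documentation IP ranges.
GEO = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.99": "BR"}


def _record(arn, minutes_ago, ip):
    """Build one minimal CloudTrail ConsoleLogin record (constructed)."""
    when = NOW - timedelta(minutes=minutes_ago)
    return json.dumps({
        "eventName": "ConsoleLogin",
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "sourceIPAddress": ip,
    })


SAMPLE_LOG = "\n".join([
    _record("arn:aws:iam::111122223333:user/alice", 20, "203.0.113.10"),  # known user, known country
    _record("arn:aws:iam::111122223333:user/bob",   45, "198.51.100.7"),  # never seen before
    _record("arn:aws:iam::111122223333:user/alice",  5, "192.0.2.99"),    # known user, new country
])

# What previously_seen_users_console_logins.csv would hold from earlier runs:
# (arn, country) -> (earliest, latest).  Constructed.
PRIOR_BASELINE = {
    ("arn:aws:iam::111122223333:user/alice", "US"):
        (NOW - timedelta(days=20), NOW - timedelta(days=1)),
}


def parse_console_logins(raw):
    """Equivalent of `sourcetype=aws:cloudtrail eventName=ConsoleLogin
    | rename userIdentity.arn AS arn | iplocation`: yields (arn, time, country)."""
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ev["userIdentity"]["arn"], when, GEO.get(ev.get("sourceIPAddress"), "unknown")


def update_baseline(baseline, events):
    """`stats earliest/latest BY arn`, `inputlookup append=t`, then
    `stats min(earliest) max(latest) BY arn`: returns the merged table that
    outputlookup would write back.  The input baseline is left unmodified."""
    merged = dict(baseline)
    for arn, when, country in events:
        earliest, latest = merged.get((arn, country), (when, when))
        merged[(arn, country)] = (min(earliest, when), max(latest, when))
    return merged


def detect(baseline, events, now=NOW, window=timedelta(hours=1)):
    """Return (merged_baseline, alerts).  An ARN whose merged earliest time is
    no older than the cutoff is a new user (the page's 'First Time Logging into
    AWS Console'); a known ARN whose (arn, country) pair is that new is a
    new-country login.  The cutoff is snapped to the hour like `-1h@h`."""
    merged = update_baseline(baseline, events)
    cutoff = (now - window).replace(minute=0, second=0, microsecond=0)

    first_seen = {}                       # arn -> earliest time over all countries
    for (arn, _country), (earliest, _latest) in merged.items():
        first_seen[arn] = min(first_seen.get(arn, earliest), earliest)

    alerts = []
    for (arn, country), (earliest, _latest) in sorted(merged.items()):
        if first_seen[arn] >= cutoff:
            alerts.append((arn, country, "new user"))
        elif earliest >= cutoff:
            alerts.append((arn, country, "new country"))
    return merged, alerts


if __name__ == "__main__":
    _, found = detect(PRIOR_BASELINE, parse_console_logins(SAMPLE_LOG))
    for arn, country, reason in found:
        print(f"{reason:12} {country:3} {arn}")
```

The merge step runs before the comparison, exactly as the SPL writes the lookup with outputlookup before the eval, so the decision is made on the merged earliest time rather than on the current window alone; that is why the run interval must not exceed the window.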
 
► New user AWS EC2 console login

This search works best when you run the Previously seen users in CloudTrail support search to create a baseline of previously seen Identity and Access Management (IAM) users within the last 30 days.

 

Despite the heading, this search does not look for first-time logins. It selects CloudTrail events whose session was not MFA-authenticated (userIdentity.sessionContext.attributes.mfaAuthenticated=false), removes identities listed in the aws_service_accounts lookup (the subsearch renames its identity column to user so the NOT clause matches the user field of the events), and summarizes what remains per ARN, identity type and user: a count, the first and last time, and the set of API calls made. Use it to find console sessions and API activity, including EC2 actions such as RunInstances, carried out without MFA.

Two points matter when triaging the results. CloudTrail writes mfaAuthenticated as the string "false", so the literal in the search is correct; but the sessionContext block is present only when the request was made with a session (console sign-in, an assumed role, federated or other temporary credentials). API calls signed directly with long-term access keys carry no sessionContext at all and are not matched by this search, so it should not be read as proof that all non-MFA activity has been found. When a legitimate new user shows up here, check how old the account is, whether MFA is enforced for it, and that the activity is expected.

sourcetype=aws:cloudtrail userIdentity.sessionContext.attributes.mfaAuthenticated=false 
| search NOT [
| inputlookup aws_service_accounts 
| fields identity 
| rename identity as user]
| stats count min(_time) AS firstTime max(_time) AS lastTime values(eventName) BY userIdentity.arn userIdentity.type user 
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) 
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
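The non-MFA check above, as an added Python example (not code from this page or from Splunk) run over constructed CloudTrail records. It does what the search does, dropping service accounts and grouping the rest by ARN and identity type with a count, first and last time and the event names seen, and additionally keeps a separate bucket for records that carry no sessionContext at all, which the SPL literal mfaAuthenticated=false can never match. SERVICE_ACCOUNTS stands in for the identity column of the aws_service_accounts lookup; all ARNs and timestamps are constructed.

```python
"""Non-MFA activity check for CloudTrail, in Python.

Added example, not from the Splunk Lantern page or from Splunk: the same
filter-and-aggregate as the `mfaAuthenticated=false` search, plus a separate
bucket for records without sessionContext (long-term access-key calls), which
that search silently skips.  All ARNs, timestamps and the service-account
list are constructed test data.
"""
import json

# Stand-in for the `identity` column of the aws_service_accounts lookup (constructed).
SERVICE_ACCOUNTS = {"arn:aws:iam::111122223333:user/ci-deployer"}


def _record(arn, id_type, event, when, mfa=None):
    """Minimal CloudTrail record; mfa=None omits sessionContext entirely, as
    CloudTrail does for calls signed with long-term access keys (constructed)."""
    identity = {"type": id_type, "arn": arn}
    if mfa is not None:
        identity["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
    return json.dumps({"eventTime": when, "eventName": event, "userIdentity": identity})


SAMPLE_LOG = "\n".join([
    _record("arn:aws:iam::111122223333:user/alice", "IAMUser", "ConsoleLogin", "2024-03-01T10:00:00Z", "true"),
    _record("arn:aws:iam::111122223333:user/bob",   "IAMUser", "ConsoleLogin", "2024-03-01T10:05:00Z", "false"),
    _record("arn:aws:iam::111122223333:user/bob",   "IAMUser", "RunInstances", "2024-03-01T10:07:00Z", "false"),
    _record("arn:aws:iam::111122223333:user/ci-deployer", "IAMUser", "PutObject", "2024-03-01T10:08:00Z", "false"),
    _record("arn:aws:iam::111122223333:user/carol", "IAMUser", "ListBuckets",  "2024-03-01T10:09:00Z"),
])


def mfa_state(event):
    """Return the mfaAuthenticated value ('true'/'false' as strings, the way
    CloudTrail writes it) or None when the record has no sessionContext."""
    return (event.get("userIdentity", {})
                 .get("sessionContext", {})
                 .get("attributes", {})
                 .get("mfaAuthenticated"))


def activity_without_mfa(raw, service_accounts=SERVICE_ACCOUNTS, include_no_session=False):
    """Equivalent of `... mfaAuthenticated=false | search NOT [service accounts]
    | stats count min(_time) max(_time) values(eventName) BY arn type`.
    Keys are (arn, identity type, bucket): bucket is 'mfa_false' for the rows
    the SPL reports and 'no_session' for access-key calls the SPL misses
    (collected only when include_no_session=True)."""
    rows = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        arn = event["userIdentity"]["arn"]
        if arn in service_accounts:          # the NOT [...] subsearch
            continue
        state = mfa_state(event)
        if state == "false":
            bucket = "mfa_false"
        elif state is None and include_no_session:
            bucket = "no_session"
        else:
            continue
        key = (arn, event["userIdentity"]["type"], bucket)
        row = rows.setdefault(key, {"count": 0, "firstTime": event["eventTime"],
                                    "lastTime": event["eventTime"], "events": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], event["eventTime"])   # ISO-8601 sorts lexically
        row["lastTime"] = max(row["lastTime"], event["eventTime"])
        row["events"].add(event["eventName"])
    return rows


if __name__ == "__main__":
    for (arn, id_type, bucket), row in activity_without_mfa(SAMPLE_LOG, include_no_session=True).items():
        print(bucket, id_type, arn, row["count"], sorted(row["events"]), row["firstTime"], row["lastTime"])
```

With the default arguments only bob's two non-MFA events survive; alice (MFA used) and the listed service account are dropped, and carol's access-key call is invisible, as it is to the SPL. Passing include_no_session=True surfaces carol in a separate bucket so that gap can be reviewed rather than overlooked.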

Investigative searches

► AWS investigate user activities by ARN

This search lists all the logged CloudTrail activities by a specific user ARN and creates a table containing the time, the identity type, user name and ARN, the account, the source address of the request, the region of the activity, and the name and type of the event. Replace {arn} with the ARN under investigation (in Splunk Enterprise Security the token is filled in from the drilldown); the src and aws_account_id fields are populated by the Splunk Add-on for AWS from the raw sourceIPAddress and account fields.

| search sourcetype=aws:cloudtrail userIdentity.arn={arn} 
| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your Cloud Security posture, including:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.