Splunk Lantern

Monitoring AWS and AWS Elastic Compute Cloud (EC2) for suspicious login activities

Applicability

Scenario

You are an Amazon Web Services (AWS) admin who manages access to AWS resources and services across your organization. As part of your role, you need to monitor your AWS authentication events using your CloudTrail logs. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any instances created by the attacker. 

These searches will help you detect suspicious logins to your AWS infrastructure, helping you stay aware of and investigate this potential threat.

  • Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate. 
  • To run these searches, install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), and configure your CloudTrail inputs.

Support searches

► Previously seen users in CloudTrail

This search finds CloudTrail ConsoleLogin events and records the earliest and latest time each principal was seen, grouped by its Amazon Resource Name (ARN). Run it over the last 30 days so the baseline covers a full month of normal console activity.

The search writes the lookup file previously_seen_users_console_logins.csv with the columns arn, earliest and latest; the trailing stats count only reports how many ARNs were written. Review the ARN entries in this file before other searches correlate against it: every ARN listed is treated as a known user, so a principal that an attacker used during the baseline window would otherwise be accepted as legitimate.

sourcetype=aws:cloudtrail eventName=ConsoleLogin 
| rename userIdentity.arn AS arn 
| stats earliest(_time) AS earliest latest(_time) AS latest BY arn 
| outputlookup previously_seen_users_console_logins.csv 
| stats count

Detection searches

► Detect AWS console login by user from new country
  • To run this search you need to ingest authentication logs from your systems and populate the Authentication data model. Content developed by the Splunk Security Research team requires consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  • This search compares against the previously_seen_users_console_logins lookup and reads the columns user, Country and firstTime from it. The support search above writes arn, earliest and latest instead, so the baseline it produces must carry matching field names (user in place of arn, firstTime in place of earliest, plus the Country resolved from each login's source address) before this search can match against it. Note also that the search references the lookup by name without the .csv suffix, which requires a lookup definition named previously_seen_users_console_logins that points at the file.

 

This search reads console logins from the Authentication data model, takes the earliest and latest login per user and source address, resolves each source to a country with iplocation, and outer-joins the result with the previously_seen_users_console_logins lookup on user. A row is labeled "New Country" when its earliest login time falls after relative_time(now(), "-24h@h"), that is, within roughly the last 24 hours, and the user is labeled "New User" when the lookup's earliest sighting is also within that window or is missing. Only rows where both hold are returned: users whose first recorded login from that country is recent and who are not yet established in the baseline.

Two caveats when scheduling it. First, the join matches on user only; the Country column from the lookup is not a join key, so a user who is "Old User" in any country is suppressed regardless of where the new login came from. Second, because the data model search carries no time bound of its own, set the search's time range deliberately; over a short range every login has a recent firstTime, and the baseline comparison is what does the real filtering.

| tstats allow_old_summaries=true earliest(_time) AS firstTime, latest(_time) AS lastTime FROM datamodel=Authentication WHERE "Authentication.signature"=ConsoleLogin BY "Authentication.user", "Authentication.src" 
| iplocation Authentication.src 
| rename "Authentication.*" AS "*" 
| table firstTime, lastTime, user, Country 
| join type=outer user [
| inputlookup previously_seen_users_console_logins 
| stats earliest(firstTime) AS earliestseen BY user Country 
| fields + earliestseen, user, Country] 
| eval userCountry=if((firstTime >= relative_time(now(),"-24h@h")),"New Country","Previously Seen Country") 
| eval userStatus=if(((earliestseen >= relative_time(now(),"-24h@h")) OR isnull(earliestseen)),"New User","Old User") 
| where ((userCountry == "New Country") AND (userStatus != "Old User")) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
 
► Detect AWS console login by user from new city
  • To run this search you need to ingest authentication logs from your systems and populate the Authentication data model. Content developed by the Splunk Security Research team requires consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  • This search compares against the previously_seen_users_console_logins lookup and reads the columns user, City and firstTime from it. The support search above writes arn, earliest and latest instead, so the baseline it produces must carry matching field names (user in place of arn, firstTime in place of earliest, plus the City resolved from each login's source address) before this search can match against it. The lookup is referenced without the .csv suffix, so a lookup definition named previously_seen_users_console_logins pointing at the file is required.

 

This search is the city-level counterpart of the one above. It reads console logins from the Authentication data model, takes the earliest and latest login per user and source address, resolves each source to a city with iplocation, and outer-joins the result with the previously_seen_users_console_logins lookup on user. A row is labeled "New City" when its earliest login time falls after relative_time(now(), "-24h@h"), and the user is labeled "New User" when the lookup's earliest sighting is within that window or missing; only rows satisfying both are returned.

The same caveats apply: the join is on user alone, so City in the lookup is not a join key, and the search's time range must be set deliberately because the data model query carries none of its own. Expect more noise than the country variant, since mobile and VPN egress can change the geolocated city between legitimate logins.

| tstats allow_old_summaries=true earliest(_time) AS firstTime, latest(_time) AS lastTime FROM datamodel=Authentication WHERE "Authentication.signature"=ConsoleLogin BY "Authentication.user", "Authentication.src" 
| iplocation Authentication.src 
| rename "Authentication.*" AS "*" 
| table firstTime, lastTime, user, City 
| join type=outer user [
| inputlookup previously_seen_users_console_logins 
| stats earliest(firstTime) AS earliestseen BY user City 
| fields + earliestseen, user, City] 
| eval userCity=if((firstTime >= relative_time(now(),"-24h@h")),"New City","Previously Seen City") 
| eval userStatus=if(((earliestseen >= relative_time(now(),"-24h@h")) OR isnull(earliestseen)),"New User","Old User") 
| where ((userCity == "New City") AND (userStatus != "Old User")) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime) 
| table firstTime, lastTime, user, City, userStatus, userCity
 
► Detect new user AWS console login

This search works best when you run the Previously seen users in CloudTrail support search to create a baseline of previously seen Identity and Access Management (IAM) users within the last 30 days.

 

This search queries CloudTrail for ConsoleLogin events and computes the earliest and latest login time per user ARN. It then appends the rows of previously_seen_users_console_logins.csv and collapses the two sets with min(earliest) and max(latest) per ARN, so each principal keeps its overall first and last sighting, and writes the merged result back with outputlookup. The lookup is therefore updated on every run, which is why the schedule and the search time range should line up (the intent is one hour of events per run). Finally, eval and if label an ARN whose merged earliest time is at or after relative_time(now(), "-1h@h") as a first-time console login, and only those rows are returned.

Because the merge keeps the minimum earliest time, an ARN already present in the baseline can never be reported; that is what makes the 30-day baseline necessary. Without it, every existing user's first login after the lookup was created fires the alert. A legitimate new hire's first login also fires it, so check the account's creation date and confirm the activity before treating the hit as a compromise.

sourcetype=aws:cloudtrail eventName=ConsoleLogin 
| rename userIdentity.arn AS arn  
| stats earliest(_time) AS earliest latest(_time) AS latest BY arn 
| inputlookup append=t previously_seen_users_console_logins.csv 
| stats min(earliest) AS earliest max(latest) AS latest BY arn 
| outputlookup previously_seen_users_console_logins.csv 
| eval userStatus=if(earliest >= relative_time(now(), "-1h@h"), "First Time Logging into AWS Console","Previously Seen User") 
| convert ctime(earliest) ctime(latest) 
| where userStatus ="First Time Logging into AWS Console"
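The merge-then-compare logic of the new user search above, and the keyed variant that underlies the new country and new city searches, as an added Python example that is not part of this page or of Splunk's content. It performs the same steps the SPL does over a few constructed ConsoleLogin records: stats earliest/latest by key, append the existing lookup rows, min/max per key, then flag keys first seen at or after relative_time(now(), "-1h@h"). The country on each event is assumed to be pre-resolved (standing in for iplocation), the clock is fixed, and all ARNs, addresses and times are constructed.

```python
"""Baseline-and-compare detection for CloudTrail ConsoleLogin events (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible; production code would use time.time().
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
NOW_EPOCH = int(NOW.timestamp())
DAY = 86400

# Constructed principals.
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"


def _when(minutes_ago):
    return (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")


def _login(arn, minutes_ago, src, country, name="ConsoleLogin"):
    # Trimmed CloudTrail record. "country" is assumed pre-resolved here and
    # stands in for what iplocation derives from sourceIPAddress at search time.
    return json.dumps({"eventTime": _when(minutes_ago), "eventName": name,
                       "userIdentity": {"arn": arn}, "sourceIPAddress": src,
                       "country": country})


# Constructed events for the current run: alice from her usual country and a new
# one, bob for the first time ever, plus a non-login event that must be ignored.
RAW_EVENTS = [
    _login(ALICE, 10, "203.0.113.7", "United States"),
    _login(ALICE, 25, "198.51.100.9", "Germany"),
    _login(BOB, 5, "203.0.113.7", "United States"),
    _login(BOB, 3, "203.0.113.7", "United States", name="DescribeInstances"),
]

# Constructed baselines, i.e. the rows previously_seen_users_console_logins.csv would
# hold after 30 days: key -> (earliest, latest) as epoch seconds.
BASELINE_BY_ARN = {ALICE: (NOW_EPOCH - 30 * DAY, NOW_EPOCH - 2 * DAY)}
BASELINE_BY_ARN_COUNTRY = {(ALICE, "United States"): (NOW_EPOCH - 30 * DAY, NOW_EPOCH - 2 * DAY)}


def parse_events(raw_lines):
    events = []
    for line in raw_lines:
        ev = json.loads(line)
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["_time"] = int(t.timestamp())
        events.append(ev)
    return events


def key_by_arn(ev):
    return ev["userIdentity"]["arn"]


def key_by_arn_country(ev):
    return (ev["userIdentity"]["arn"], ev["country"])


def stats_earliest_latest(events, key_fn):
    """eventName=ConsoleLogin | stats earliest(_time) AS earliest latest(_time) AS latest BY key"""
    out = {}
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        k = key_fn(ev)
        e, l = out.get(k, (ev["_time"], ev["_time"]))
        out[k] = (min(e, ev["_time"]), max(l, ev["_time"]))
    return out


def merge_baseline(old, new):
    """| inputlookup append=t ... | stats min(earliest) AS earliest max(latest) AS latest BY key"""
    merged = dict(old)
    for k, (e, l) in new.items():
        oe, ol = merged.get(k, (e, l))
        merged[k] = (min(oe, e), max(ol, l))
    return merged


def relative_time_snapped(now_epoch, hours):
    """relative_time(now(), "-<hours>h@h"): step back, then snap down to the hour."""
    return ((now_epoch - hours * 3600) // 3600) * 3600


def first_seen_since(baseline, cutoff):
    """eval userStatus=if(earliest >= cutoff, ...) | where userStatus = ..."""
    return sorted(k for k, (earliest, _) in baseline.items() if earliest >= cutoff)


def run(raw_lines, baseline, key_fn, now_epoch=NOW_EPOCH, window_hours=1):
    """Returns (updated_baseline, alerts). Persist updated_baseline the way
    outputlookup does, so the next run treats these keys as already seen."""
    merged = merge_baseline(baseline, stats_earliest_latest(parse_events(raw_lines), key_fn))
    return merged, first_seen_since(merged, relative_time_snapped(now_epoch, window_hours))


if __name__ == "__main__":
    _, new_users = run(RAW_EVENTS, BASELINE_BY_ARN, key_by_arn)
    _, new_pairs = run(RAW_EVENTS, BASELINE_BY_ARN_COUNTRY, key_by_arn_country)
    print("new users:", new_users)
    print("new user/country pairs:", new_pairs)
    print("known users from a new country:", [p for p in new_pairs if p[0] in BASELINE_BY_ARN])
```

Keyed on ARN the result is the new user alert; keyed on (ARN, country) every newly seen user/country pair appears, and removing the users already in the ARN baseline leaves the old user, new country case, which is the per-pair comparison the SPL's join on user alone does not make. Persist the returned baseline between runs as outputlookup does; without it every login within the search window looks new on every run.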
 
► Detect new user AWS EC2 console login

Unlike the searches above, this one does not read the previously_seen_users_console_logins lookup. It requires the aws_service_accounts lookup, whose identity column lists the service accounts whose activity should be suppressed.

 

Despite its title, the search below does not examine ConsoleLogin events. It selects every CloudTrail event in the search's time range whose session was established without MFA (userIdentity.sessionContext.attributes.mfaAuthenticated=false), discards events whose user matches an identity in the aws_service_accounts lookup, and aggregates the remainder by ARN, identity type and user, reporting the number of calls, the first and last time seen, and the API actions (eventName values) performed. A principal that launches EC2 instances or changes security groups from a session that never passed MFA is the kind of activity this surfaces.

Two points to keep in mind. Events that carry no sessionContext at all (typically calls made directly with long-term access keys) have no mfaAuthenticated attribute, so they match neither true nor false and are not returned by this search. And automation that legitimately runs without MFA should be added to the identity column of the aws_service_accounts lookup so that it is excluded, rather than being tuned out of the search itself; for any other principal in the results, verify who holds the credentials and why MFA was not used.

sourcetype=aws:cloudtrail userIdentity.sessionContext.attributes.mfaAuthenticated=false 
| search NOT [
| inputlookup aws_service_accounts 
| fields identity 
| rename identity as user]
| stats count min(_time) AS firstTime max(_time) AS lastTime values(eventName) BY userIdentity.arn userIdentity.type user 
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(firstTime) 
| convert timeformat="%m/%d/%Y %H:%M:%S" ctime(lastTime)
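The MFA filter in the search above, as an added Python example that is not part of this page or of Splunk's content. It applies the same three steps to a few constructed CloudTrail records: keep events whose sessionContext says mfaAuthenticated is false, drop principals present in a stand-in for the aws_service_accounts lookup, and aggregate by ARN, identity type and user as the stats command does. It also handles the edge case the SPL silently skips, an event with no sessionContext at all. The way the user name is derived (IAM userName, or the role session name taken from the ARN) is an assumption, as are all ARNs, names and times.

```python
"""API activity from sessions without MFA (added example)."""
import json

# Stand-in for the identity column of the aws_service_accounts lookup (constructed).
SERVICE_ACCOUNTS = {"terraform-ci"}

ROLE = "arn:aws:sts::123456789012:assumed-role/DevAdmin/"


def _event(arn, utype, user, name, when, mfa=None):
    """Build a trimmed CloudTrail record; mfa=None omits sessionContext entirely."""
    ident = {"type": utype, "arn": arn}
    if utype == "IAMUser":
        ident["userName"] = user
    if mfa is not None:
        # CloudTrail serialises the attribute as the strings "true" / "false".
        ident["sessionContext"] = {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}}
    return json.dumps({"eventTime": when, "eventName": name, "userIdentity": ident})


# Constructed events: a role session without MFA, one with MFA, a service account
# without MFA, and an IAM user calling with a long-term key (no sessionContext).
RAW_EVENTS = [
    _event(ROLE + "alice", "AssumedRole", "alice", "RunInstances", "2024-05-01T11:40:00Z", mfa=False),
    _event(ROLE + "alice", "AssumedRole", "alice", "DescribeInstances", "2024-05-01T11:42:00Z", mfa=False),
    _event(ROLE + "bob", "AssumedRole", "bob", "RunInstances", "2024-05-01T11:45:00Z", mfa=True),
    _event(ROLE + "terraform-ci", "AssumedRole", "terraform-ci", "CreateSecurityGroup", "2024-05-01T11:50:00Z", mfa=False),
    _event("arn:aws:iam::123456789012:user/carol", "IAMUser", "carol", "ListBuckets", "2024-05-01T11:55:00Z"),
]


def mfa_authenticated(ev):
    """True/False when the session attribute is present, None when there is no sessionContext."""
    attrs = ev["userIdentity"].get("sessionContext", {}).get("attributes", {})
    val = attrs.get("mfaAuthenticated")
    if val is None:
        return None
    return str(val).lower() == "true"  # accept a bool or CloudTrail's string form


def principal_name(ev):
    """The search's 'user' field; assumed here to be the IAM user name or the role session name."""
    ident = ev["userIdentity"]
    return ident.get("userName") or ident["arn"].rsplit("/", 1)[-1]


def activity_without_mfa(raw_lines, service_accounts):
    """Rows keyed (arn, type, user) as the stats command produces, plus the events
    the SPL never sees because they carry no mfaAuthenticated attribute."""
    rows, no_attribute = {}, []
    for line in raw_lines:
        ev = json.loads(line)
        user = principal_name(ev)
        mfa = mfa_authenticated(ev)
        if mfa is None:
            no_attribute.append((user, ev["eventName"]))
            continue
        if mfa or user in service_accounts:
            continue
        key = (ev["userIdentity"]["arn"], ev["userIdentity"]["type"], user)
        row = rows.setdefault(key, {"count": 0, "firstTime": ev["eventTime"],
                                    "lastTime": ev["eventTime"], "eventNames": set()})
        row["count"] += 1
        # ISO-8601 UTC timestamps of equal length compare correctly as strings.
        row["firstTime"] = min(row["firstTime"], ev["eventTime"])
        row["lastTime"] = max(row["lastTime"], ev["eventTime"])
        row["eventNames"].add(ev["eventName"])
    return rows, no_attribute


if __name__ == "__main__":
    rows, skipped = activity_without_mfa(RAW_EVENTS, SERVICE_ACCOUNTS)
    for key, row in rows.items():
        print(key, row["count"], row["firstTime"], row["lastTime"], sorted(row["eventNames"]))
    print("no sessionContext (not matched by the SPL):", skipped)
```

The second return value is the part worth acting on: calls made with long-term access keys never carry the attribute, so a separate search for IAMUser events without sessionContext is needed if those principals are also expected to use MFA.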

Investigative searches

► AWS investigate user activities by ARN

This search lists every CloudTrail event recorded for one user ARN and tables the time, identity type, user name, ARN and account ID, the source address, the AWS region, and the event name and type. Replace {arn} with the ARN under investigation, for example one returned by a detection search above; src and aws_account_id are fields populated by the Splunk Add-on for AWS.

| search sourcetype=aws:cloudtrail userIdentity.arn={arn} 
| table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType

Additional resources

This use case is included in Splunk Enterprise Security, a Splunk app that provides prebuilt content and searches to help answer root-cause questions in real time about malicious and anomalous events in your IT infrastructure. Splunk Enterprise Security also provides a number of other searches that help reinforce your cloud security posture, including: