Detecting suspicious activities within cloud instances
You need to monitor your cloud instances for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.
Monitoring your cloud infrastructure logs allows you to enable governance, compliance, and risk auditing. It is crucial for a company to monitor the events and actions taken in its cloud environments to ensure that its instances are not vulnerable to attacks.
These searches help you identify, respond to, and investigate suspicious activities in your cloud compute instances.
Data required
How to use Splunk software for this use case
- Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.
- To optimize these searches, you should specify an index and a time range when appropriate.
Support searches
Previously seen cloud instance modifications by user - initial
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Change data model. For information on installing and using the CIM, see the Common Information Model documentation.
This search builds a table of previously seen users that have modified a cloud instance.
| tstats earliest(_time) AS firstTimeSeen, latest(_time) AS lastTimeSeen FROM datamodel=Change WHERE All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success BY All_Changes.user | rename "All_Changes.*" AS "*" | eventstats min(firstTimeSeen) AS globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user
Previously seen cloud instance modifications by user - update
- To run this search, you must install the Splunk App for AWS (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Change data model. For information on installing and using the CIM, see the Common Information Model documentation.
This search updates a table of previously seen cloud instance modifications that have been made by a user. Users whose last modification is older than 90 days are dropped from the table.
Edit the search to add or remove APIs that modify an Elastic Compute Cloud (EC2) instance.
| tstats earliest(_time) AS firstTimeSeen, latest(_time) AS lastTimeSeen FROM datamodel=Change WHERE All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success BY All_Changes.user | rename "All_Changes.*" AS "*" | inputlookup append=t previously_seen_cloud_instance_modifications_by_user | stats min(firstTimeSeen) AS firstTimeSeen max(lastTimeSeen) AS lastTimeSeen by user | where lastTimeSeen > relative_time(now(), "-90d@d") | eventstats min(firstTimeSeen) AS globalFirstTime | eval enough_data = if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_instance_modifications_by_user
Detection searches
Cloud instance modified by previously unseen user
- This search relies on the output lookup table created and updated through the support searches Previously seen cloud instance modifications by user - initial and Previously seen cloud instance modifications by user - update.
- To run this search, you must install the Splunk App for AWS (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Change data model. For information on installing and using the CIM, see the Common Information Model documentation.
This search looks for cloud instances being modified by users who have not previously modified them. A user is flagged when the lookup has no entry for them, or when their first sighting falls inside the last 24 hours, and only once the lookup holds at least seven days of history (enough_data = 1).
False positives from this search may occur, since a user who has never modified Elastic Compute Cloud (EC2) instances before may start doing so for any number of legitimate reasons. Verify with the user who is modifying instances that this is the intended behavior.
| tstats allow_old_summaries=true count, earliest(_time) AS firstTime, latest(_time) AS lastTime, values("All_Changes.object_id") AS object_id, values("All_Changes.command") AS command FROM datamodel=Change WHERE ("All_Changes.action"=modified "All_Changes.change_type"=EC2 "All_Changes.status"=success) BY "All_Changes.user" | rename "All_Changes.*" AS "*" | lookup previously_seen_cloud_instance_modifications_by_user user AS user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) AS enough_data | where (enough_data == 1) | eval firstTimeSeenUser=min(firstTimeSeen) | where ((firstTimeSeenUser > relative_time(now(),"-24h@h")) OR isnull(firstTimeSeenUser)) | table firstTime, user, command, object_id, count | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
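The initial, update, and detection searches above share one baselining pattern; the Python below is an added example (not Splunk's code) that models it offline with the lookup table as a dict and a constructed event sample standing in for the Change data model, so the retention window, the enough_data warm-up check, and the unseen-user test can be exercised together.

```python
from datetime import datetime, timedelta

# Constructed sample of Change-data-model events (not real CloudTrail data); only status varies.
NOW = datetime(2024, 6, 10, 12, 0)
EVENTS = [
    {"_time": NOW - timedelta(days=40), "user": "alice", "status": "success", "command": "ModifyInstanceAttribute", "object_id": "i-0a1"},
    {"_time": NOW - timedelta(days=2), "user": "alice", "status": "success", "command": "StopInstances", "object_id": "i-0a1"},
    {"_time": NOW - timedelta(days=120), "user": "dave", "status": "success", "command": "StopInstances", "object_id": "i-0d4"},
    {"_time": NOW - timedelta(hours=3), "user": "bob", "status": "success", "command": "ModifyInstanceAttribute", "object_id": "i-0b2"},
    {"_time": NOW - timedelta(hours=1), "user": "carol", "status": "failure", "command": "StopInstances", "object_id": "i-0c3"},
]

def snap_to_day(t):
    # relative_time(..., "@d") snaps to midnight
    return t.replace(hour=0, minute=0, second=0, microsecond=0)

def successful_modifications(events):
    # WHERE All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success
    return [e for e in events if e["status"] == "success"]

def update_baseline(baseline, events, now, retention=timedelta(days=90)):
    """Merge new earliest/latest per user into the lookup and drop users not seen in 90 days."""
    merged = dict(baseline)
    for e in successful_modifications(events):
        first, last = merged.get(e["user"], (e["_time"], e["_time"]))
        merged[e["user"]] = (min(first, e["_time"]), max(last, e["_time"]))
    cutoff = snap_to_day(now - retention)  # where lastTimeSeen > relative_time(now(), "-90d@d")
    return {u: seen for u, seen in merged.items() if seen[1] > cutoff}

def enough_data(baseline, now, warmup=timedelta(days=7)):
    """The lookup must hold at least 7 days of history before a missing user means anything."""
    if not baseline:
        return False
    return min(first for first, _ in baseline.values()) <= snap_to_day(now - warmup)

def detect_unseen_users(events, baseline, now, window=timedelta(hours=24)):
    """Alert on last-24h successful modifications by users with no entry or a first sighting in the window."""
    if not enough_data(baseline, now):
        return []
    cutoff = (now - window).replace(minute=0, second=0, microsecond=0)  # relative_time(now(), "-24h@h")
    alerts = {}
    for e in successful_modifications(e for e in events if e["_time"] >= cutoff):
        seen = baseline.get(e["user"])
        if seen is None or seen[0] > cutoff:
            a = alerts.setdefault(e["user"], {"count": 0, "command": set(), "object_id": set()})
            a["count"] += 1
            a["command"].add(e["command"])
            a["object_id"].add(e["object_id"])
    return sorted(alerts.items())
```

Running update_baseline on the sample drops dave (last seen 120 days ago) and keeps alice and bob; the detection then flags only bob, whose first sighting is three hours old, and returns nothing at all when the baseline is younger than seven days.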
Investigative searches
User activities by ARN
This search lists all the logged CloudTrail activities by a specific user Amazon Resource Name (ARN) and creates a table containing the source of the user, the region of the activity, the name and type of the event, the action taken, and all the user's identity information.
| search sourcetype=aws:cloudtrail userIdentity.arn={arn} | table _time userIdentity.type userIdentity.userName userIdentity.arn aws_account_id src awsRegion eventName eventType
AWS activity from IP address
This search returns all activity from a specific IP address and creates a table containing the time, ARN, username, the type of user, the IP address, the AWS region the activity was in, the API called, and whether or not the API call was successful.
| search sourcetype=aws:cloudtrail sourceIPAddress={src_ip} | iplocation sourceIPAddress | spath output=user path=userIdentity.arn | spath output=awsUserName path=userIdentity.userName | spath output=userType path=userIdentity.type | rename sourceIPAddress AS src_ip | table _time, user, awsUserName, userType, src_ip, awsRegion, eventName, errorCode
Next steps
The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.
In addition, Splunk Enterprise Security provides a number of other searches to help reinforce your cloud security posture, including:
- Detecting AWS cross-account activity
- Detecting AWS network ACL activity
- Detecting AWS suspicious provisioning activities
- Monitoring user activity spikes in AWS
- Monitoring AWS EC2 for suspicious login activities
- Monitoring AWS S3 for suspicious activities
- Monitoring AWS for suspicious traffic
- Monitoring AWS EC2 for unusual modifications