ASL AWS Excessive Security Scanning

Original Source: [splunk source]
Name:ASL AWS Excessive Security Scanning
id:ff2bfdbc-65b7-4434-8f08-d55761d1d446
version:3
date:2024-10-17
author:Patrick Bareiss, Splunk
status:deprecated
type:Anomaly
Description:This search looks at AWS CloudTrail events delivered through Amazon Security Lake and counts the distinct API operations (the CloudTrail eventName, exposed as api.operation in OCSF) beginning with Describe, List or Get that a single user invokes. A large number of distinct read-only calls from one identity indicates that the user is enumerating the configuration of your AWS cloud environment.
Data_source:
search:`amazon_security_lake` (api.operation=Describe* OR api.operation=List* OR api.operation=Get*)
| stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name
| where dc_api_operations > 50
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `asl_aws_excessive_security_scanning_filter`
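The SPL above only runs inside Splunk. The following is an added example, not part of the Splunk detection and not Splunk's code: a stand-alone Python re-implementation of the same logic (prefix filter, `stats dc(...)` by user, `> 50` threshold, `values(...)` roll-ups, `security_content_ctime`-style timestamps) run over constructed OCSF-shaped events. The field paths follow the search; the identities, IPs, user agents, the 55-operation list and the assumption that the OCSF `time` field is epoch milliseconds are all made up for illustration. The three sample identities show why the search keys on distinct operation names rather than raw call volume: a 200-call single-operation workload never fires, while a 55-operation audit sweep does.

```python
# Added example (not part of the Splunk detection): the search above re-implemented in
# Python over constructed OCSF-shaped events. Field paths follow the SPL; OCSF `time`
# is assumed to be epoch milliseconds; identities, IPs and user agents are made up.
import json
from datetime import datetime, timezone

DC_THRESHOLD = 50                       # `where dc_api_operations > 50`
PREFIXES = ("Describe", "List", "Get")  # api.operation=Describe* OR List* OR Get*

SCAN_OPS = (  # 55 distinct read-only ops typical of a configuration audit (constructed)
    [f"Describe{r}" for r in (
        "Instances", "SecurityGroups", "Vpcs", "Subnets", "Volumes", "Snapshots", "Images",
        "KeyPairs", "NetworkAcls", "RouteTables", "InternetGateways", "NatGateways",
        "VpcPeeringConnections", "Addresses", "FlowLogs", "DBInstances", "DBClusters",
        "Clusters", "LoadBalancers", "TargetGroups")]
    + [f"List{r}" for r in (
        "Buckets", "Users", "Roles", "Groups", "Policies", "AccessKeys", "Functions",
        "Queues", "Topics", "Tables", "Secrets", "Keys", "Aliases", "Stacks", "Trails",
        "Repositories", "HostedZones", "Distributions", "Certificates", "Parameters")]
    + [f"Get{r}" for r in (
        "BucketAcl", "BucketPolicy", "BucketEncryption", "AccountPasswordPolicy",
        "CallerIdentity", "User", "Role", "Policy", "Function", "KeyPolicy",
        "QueueAttributes", "TopicAttributes", "Trail", "EventSelectors", "TableEncryption")]
)


def ctime(ms):
    """Stand-in for `security_content_ctime`: epoch ms -> %Y-%m-%dT%H:%M:%S (UTC)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def make_event(user, op, ts, ip="203.0.113.10", ua="aws-cli/2.15.0",
               region="us-east-1", account="123456789012"):
    """One constructed OCSF-shaped API Activity event using the SPL's field paths."""
    return {
        "time": ts,
        "api": {"operation": op},
        "identity": {"user": {"name": user, "account_uid": account}},
        "http_request": {"user_agent": ua},
        "src_endpoint": {"ip": ip},
        "cloud": {"region": region},
    }


def build_sample_events():
    base = 1_729_123_200_000  # 2024-10-17T00:00:00Z in epoch ms
    events = []
    # Recon-style identity: every op in SCAN_OPS once, alternating between two source IPs.
    for i, op in enumerate(SCAN_OPS):
        ip = "203.0.113.10" if i % 2 == 0 else "198.51.100.7"
        events.append(make_event("audit-svc", op, base + i * 1000, ip=ip, ua="Boto3/1.34.0"))
    # Ordinary operator: a handful of calls, one of them a write the search ignores.
    for i, op in enumerate(("DescribeInstances", "RunInstances", "ListBuckets")):
        events.append(make_event("alice", op, base + 3_600_000 + i * 1000, ua="console.amazonaws.com"))
    # Noisy but narrow workload: 200 calls of a single operation -> dc(api.operation) == 1.
    for i in range(200):
        events.append(make_event("s3-batch", "GetObject", base + 7_200_000 + i * 500))
    return events


def detect(events, threshold=DC_THRESHOLD, excluded_users=frozenset()):
    """Mirror of the SPL: prefix filter, stats by identity.user.name, dc() threshold.
    `excluded_users` plays the role of the `asl_aws_excessive_security_scanning_filter` macro."""
    per_user = {}
    for e in events:
        op = e["api"]["operation"]
        if not op.startswith(PREFIXES):
            continue
        user = e["identity"]["user"]["name"]
        agg = per_user.setdefault(user, {"ops": set(), "first": e["time"], "last": e["time"],
                                         "ua": set(), "ip": set(), "region": set(), "acct": set()})
        agg["ops"].add(op)                       # dc(api.operation) counts distinct names
        agg["first"] = min(agg["first"], e["time"])
        agg["last"] = max(agg["last"], e["time"])
        agg["ua"].add(e["http_request"]["user_agent"])
        agg["ip"].add(e["src_endpoint"]["ip"])
        agg["region"].add(e["cloud"]["region"])
        agg["acct"].add(e["identity"]["user"]["account_uid"])
    hits = []
    for user in sorted(per_user):
        agg = per_user[user]
        if len(agg["ops"]) <= threshold or user in excluded_users:
            continue
        hits.append({
            "identity.user.name": user,
            "dc_api_operations": len(agg["ops"]),
            "firstTime": ctime(agg["first"]),
            "lastTime": ctime(agg["last"]),
            "http_request.user_agent": sorted(agg["ua"]),
            "src_endpoint.ip": sorted(agg["ip"]),
            "cloud.region": sorted(agg["region"]),
            "identity.user.account_uid": sorted(agg["acct"]),
        })
    return hits


if __name__ == "__main__":
    print(json.dumps(detect(build_sample_events()), indent=2))
```

Running the module prints a single result row for `audit-svc` with `dc_api_operations` 55 and both source IPs rolled up in `src_endpoint.ip`; `alice` (two distinct read-only calls) and `s3-batch` (200 calls, one distinct operation) stay below the threshold. Passing `excluded_users={"audit-svc"}` is the equivalent of tuning the filter macro to suppress an authorized scanner.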


how_to_implement:You must install the Splunk Add-on for AWS version v7.0.0 (https://splunkbase.splunk.com/app/1876), which includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs that are parsed in the Open Cybersecurity Schema Framework (OCSF) format.
known_false_positives:This search has no known false positives. Note that authorized configuration-auditing tools such as CloudSploit (see References) issue large numbers of distinct Describe/List/Get calls by design; exclude the identities they run under via the `asl_aws_excessive_security_scanning_filter` macro.
References:
  - https://github.com/aquasecurity/cloudsploit
drilldown_searches:
tags:
  analytic_story:
    - 'AWS User Monitoring'
  asset_type:AWS Account
  confidence:60
  impact:30
  message:user $identity.user.name$ has an excessive number of distinct API calls.
  mitre_attack_id:
    - 'T1526'
  observable:
    - name:'src_endpoint.ip'
      type:'IP Address'
      role:
        - 'Attacker'
    - name:'identity.user.name'
      type:'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - 'api.operation'
    - 'identity.user.account_uid'
    - 'identity.user.name'
    - 'http_request.user_agent'
    - 'src_endpoint.ip'
  risk_score:18
  security_domain:network

tests:
manual_test:None

Related Analytic Stories

AWS User Monitoring