Name:ASL AWS Excessive Security Scanning id:ff2bfdbc-65b7-4434-8f08-d55761d1d446 version:4 date:2024-11-14 author:Patrick Bareiss, Splunk status:deprecated type:Anomaly Description:This search looks for AWS CloudTrail events and analyse the amount of eventNames which starts with Describe by a single user. This indicates that this user scans the configuration of your AWS cloud environment. Data_source:
search:`amazon_security_lake` api.operation=Describe* OR api.operation=List* OR api.operation=Get* | stats dc(api.operation) as dc_api_operations min(_time) as firstTime max(_time) as lastTime values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region values(identity.user.account_uid) as identity.user.account_uid by identity.user.name | where dc_api_operations > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_excessive_security_scanning_filter`
how_to_implement:You must install Splunk Add-On for AWS Version v7.0.0 (https://splunkbase.splunk.com/app/1876) that includes includes a merge of all the capabilities of the Splunk Add-on for Amazon Security Lake. This search works with Amazon Security Lake logs which are parsed in the Open Cybersecurity Schema Framework (OCSF)format. known_false_positives:While this search has no known false positives. References: -https://github.com/aquasecurity/cloudsploit drilldown_searches:
: tags: analytic_story: - 'AWS User Monitoring' asset_type:AWS Account mitre_attack_id: - 'T1526' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network
