Description

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • Last Updated: 2019-05-01
  • Author: Bhavin Patel, Splunk
  • ID: 2e8948a5-5239-406b-b56b-6c59f1268af3

Narrative

It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.

Detections

Name | Technique | Type
AWS Successful Console Authentication From Multiple IPs | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly
Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect new user AWS Console Login | Cloud Accounts | Hunting
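As an added illustration (not part of Splunk's content or this story's own searches), the Python below reproduces the logic behind the "AWS Successful Console Authentication From Multiple IPs" detection over constructed CloudTrail ConsoleLogin records: successful console logins by one principal from two or more distinct source IPs inside a one-hour window are flagged, while failed logins and logins spread beyond the window are not. Field names follow the CloudTrail record format; the sample records, the window length and the IP threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail ConsoleLogin records (not real telemetry);
# only the fields this check reads are populated.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T10:00:00Z", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T10:20:00Z", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T09:00:00Z", "sourceIPAddress": "192.0.2.1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T09:05:00Z", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T08:00:00Z", "sourceIPAddress": "192.0.2.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2019-05-01T12:00:00Z", "sourceIPAddress": "198.51.100.3",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}},
]

def successful_console_logins(records):
    """Yield (user, time, src_ip) for CloudTrail ConsoleLogin events that succeeded."""
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        ident = r.get("userIdentity", {})
        user = ident.get("userName") or ident.get("arn", "unknown")
        t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        yield user, t, r.get("sourceIPAddress", "")

def multiple_ip_logins(records, window_minutes=60, min_ips=2):
    """Return {user: sorted distinct IPs} for users who authenticated successfully
    from at least `min_ips` distinct source IPs within any `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for user, t, ip in successful_console_logins(records):
        by_user[user].append((t, ip))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()  # chronological; each login opens a candidate window
        for i, (start, _) in enumerate(logins):
            ips = {ip for t, ip in logins[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(json.dumps(multiple_ip_logins(SAMPLE_RECORDS), indent=2))
```

In a real deployment the same grouping is done by the Splunk search over the Authentication data model; widening the window or raising the threshold trades recall for fewer alerts on legitimate roaming users.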

Reference

Version: 1