Analytics Story: Suspicious AWS Login Activities

Date: 2019-05-01 ID: 2e8948a5-5239-406b-b56b-6c59f1268af3 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

Why it matters

It is important to monitor and control who has access to your AWS infrastructure. Detecting suspicious logins to your AWS infrastructure will provide good starting points for investigations. Abusive behaviors caused by compromised credentials can lead to direct monetary costs, as you will be billed for any EC2 instances created by the attacker.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
AWS Successful Console Authentication From Multiple IPs	Compromise Accounts, Unused/Unsupported Cloud Regions	Anomaly
Detect AWS Console Login by User from New City	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Country	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Region	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect new user AWS Console Login	Cloud Accounts	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
AWS CloudTrail	AWS	`aws:cloudtrail`	`aws_cloudtrail`
AWS CloudTrail ConsoleLogin	AWS	`aws:cloudtrail`	`aws_cloudtrail`

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

Source: GitHub | Version: 1