Analytics Story: Suspicious Cloud User Activities

Updated Date: 2026-05-13 ID: 1ed5ce7d-5469-4232-92af-89d1a3595b39 Author: David Dorsey, Splunk Product: Splunk Enterprise Security

Description

Detect and investigate suspicious activities by users and roles in your cloud environments.

Why it matters

It seems obvious that it is critical to monitor and control the users who have access to your cloud infrastructure. Nevertheless, it's all too common for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable to attack. In fact, this was the very oversight that led to Tesla's cryptojacking attack in February, 2018. In addition to compromising the security of your data, when bad actors leverage your compute resources, it can incur monumental costs, since you will be billed for any new instances and increased bandwidth usage.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
AWS IAM AccessDenied Discovery Events	Cloud Infrastructure Discovery	Anomaly
AWS Lambda UpdateFunctionCode	User Execution	Hunting
ASL AWS IAM AccessDenied Discovery Events	Cloud Infrastructure Discovery	Anomaly
Cloud Security Groups Modifications by User	Modify Cloud Compute Configurations	Anomaly
Cloud API Calls From Previously Unseen User Roles	Valid Accounts	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
AWS CloudTrail	AWS	`aws:cloudtrail`	`aws_cloudtrail`
ASL AWS CloudTrail	AWS	`aws:asl`	`aws_asl`

References

Source: GitHub | Version: 2