forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathbaseline_network_acl_modifications.yml
More file actions
49 lines (49 loc) · 2.2 KB
/
baseline_network_acl_modifications.yml
File metadata and controls
49 lines (49 loc) · 2.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
baseline:
splunk:
schedule:
cron_schedule: ''
earliest_time: -30d@d
latest_time: -10m@m
search: sourcetype=aws:cloudtrail `network_acl_events` | spath output=arn path=userIdentity.arn
| bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | stats
count
creation_date: '2018-05-21'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search establishes, on a per-hour basis, the average and the standard
deviation of the number of API calls that were related to network ACLs made by each
user. Also recorded is the number of data points for each user. This table is then
outputted to a lookup file to allow the detection search to operate quickly.
eli5: Use this search to create a baseline for API calls related to network ACLs for
the users who initiated this activity. It returns all logged API calls for network
activity, pulls out the ARN that initiated each call, and collects the `eventNames`
in one-hour groupings. Next, it calculates the number of API calls made per ARN
per-hour. For each ARN, it calculates the average and standard deviation of this
count on a per-hour basis. It also includes the number of data points for each ARN.
This table is stored in a lookup file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs. To add or remove API event names for network ACLs, edit the macro `network_acl_events`.
id: fc0edd96-ff2b-4810-9f1f-63da3783fd63
known_false_positives: ''
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2018-05-21'
name: Baseline of Network ACL Activity by ARN
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
spec_version: 2
type: splunk
version: '1.0'