forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathbaseline_s3_deletion_by_arn.yml
More file actions
48 lines (48 loc) · 2.08 KB
/
baseline_s3_deletion_by_arn.yml
File metadata and controls
48 lines (48 loc) · 2.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
baseline:
splunk:
schedule:
cron_schedule: ''
earliest_time: -90d@d
latest_time: -10m@m
search: sourcetype=aws:cloudtrail eventName=DeleteBucket | spath output=arn path=userIdentity.arn
| bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count
creation_date: '2018-07-17'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search establishes, on a per-hour basis, the average and standard
deviation for the number of API calls related to deleting an S3 bucket by each user.
Also recorded is the number of data points for each user. This table is then outputted
to a lookup file to allow the detection search to operate quickly.
eli5: Use this search to create a baseline for API calls related to deleting an S3
bucket, grouped by the users who initiated this activity. It returns all logged
API calls for S3 bucket-deletion activity and then pulls out the ARN that initiated
each call. Next, it calculates the number of API calls made per ARN per hour. For
each ARN, it calculates the average and standard deviation of this count on a per-hour
basis. It also includes the number of data points for each ARN. This table is stored
in a lookup file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs.
id: fc0edd96-ff2b-48b0-9f1f-63eq3783fd63
known_false_positives: ''
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2018-07-17'
name: Baseline of S3 Bucket deletion activity by ARN
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
spec_version: 2
type: splunk
version: '1.0'