forked from splunk/security_content
previously_seen_provisioning_activity_src.yml
baseline:
  splunk:
    schedule:
      cron_schedule: ''
      earliest_time: -90d@d
      latest_time: -10m@m
    search: sourcetype=aws:cloudtrail (eventName=Run* OR eventName=Create*) | iplocation
      sourceIPAddress | stats earliest(_time) as firstTime, latest(_time) as lastTime
      by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv
      | stats count
creation_date: '2018-03-16'
data_metadata:
  data_source:
  - AWS CloudTrail logs
  data_sourcetypes:
  - aws:cloudtrail
  providing_technologies:
  - AWS
description: This search builds a table of the first and last times seen for every
  IP address (along with its physical location) previously associated with cloud-provisioning
  activity. This is broadly defined as any event that runs or creates something.
eli5: This search includes any event name that begins with "run" or "create," and
  then determines the first and last time these events were seen for each IP address
  that initiated the action. The search then consults a **GeoIP** database to determine
  the physical location of this IP address. This table outputs to a file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs.
id: ac88e6a0-4fba-4dfd-b7b9-8964df7d1aee
known_false_positives: ''
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
modification_date: '2018-03-16'
name: Previously Seen AWS Provisioning Activity Sources
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'