previously_seen_s3_remote_ip.yml

baseline:
  splunk:
    schedule:
      cron_schedule: ''
      earliest_time: -30d@d
      latest_time: -10m@m
    search: sourcetype=aws:s3:accesslogs http_status=200  | stats  earliest(_time)
      as earliest latest(_time) as latest by bucket_name remote_ip | outputlookup
      previously_seen_S3_access_from_remote_ip | stats count
creation_date: '2018-06-28'
data_metadata:
  data_source:
    - AWS S3 Access logs
  data_sourcetypes:
    - aws:s3:accesslogs
  providing_technologies:
    - AWS
description: This search looks for successful access to S3 buckets from remote IP
  addresses, then creates a baseline of the earliest and latest times we have encountered
  this remote IP within the last 30 days. In this support search, we are only looking
  for S3 access events where the HTTP response code from AWS is "200"
eli5: In this support search, we are looking for successful S3 bucket-access attempts
  made from remote IPs. The intent is to create an initial baseline cache of remote
  IP addresses per bucket name for the previous 30 days--including the earliest and
  latest times seen in our dataset--grouped by the value of remote IP and the name
  of the S3 bucket.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs
  inputs. You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`,
  which is a lookup file created as a result of running this support search.
id: fc0edc15-fq2c-48b0-9f6f-63qa1281fd03
known_false_positives: ''
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
modification_date: '2018-06-28'
name: Previously seen S3 bucket access by remote IP
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
spec_version: 2
type: splunk
version: '1.0'