forked from splunk/security_content
train_ec2_excessive_terminateinstances.yml
baseline:
  splunk:
    macros:
    - ec2_excessive_terminateinstances_mltk_input_filter
    schedule:
      cron_schedule: ''
      earliest_time: -91d@d
      latest_time: -1d@d
    search: >-
      sourcetype=aws:cloudtrail eventName=TerminateInstances errorCode=success `ec2_excessive_terminateinstances_mltk_input_filter`
      | bucket span=10m _time
      | stats count as instances_terminated by _time src_user
      | fit DensityFunction instances_terminated threshold=0.0005 into ec2_excessive_terminateinstances_v1
creation_date: '2019-11-14'
data_metadata:
  data_source:
  - AWS CloudTrail logs
  data_sourcetypes:
  - aws:cloudtrail
  providing_technologies:
  - AWS
description: This search is used to build a Machine Learning Toolkit (MLTK) model
  for how many TerminateInstances users do in the environment. By default, the search
  uses the last 90 days of data to build the model. The model created by this search
  is then used in the corresponding detection search, which identifies subsequent
  outliers in the number of TerminateInstances performed by a user in a small time window.
eli5: Create a machine-learning (ML) model to establish a baseline for how many
  TerminateInstances users do in the environment. This can help you identify excessive
  numbers of TerminateInstances which may warrant further investigation to determine if there
  is misuse or abuse.
how_to_implement: 'You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs.\
  In addition, you must have the Machine Learning Toolkit (MLTK) version
  >= 4.2 installed, along with any required dependencies. Depending on the number
  of users in your environment, you may also need to adjust the value for max_inputs
  in the MLTK settings for the DensityFunction algorithm, then ensure that the search
  completes in a reasonable timeframe. By default, the search builds the model using
  the past 30 days of data. You can modify the search window to build the model over
  a longer period of time, which may give you better results. You may also want to
  periodically re-run this search to rebuild the model with the latest data.\
  More information on the algorithm used in the search can be found at
  `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.'
id: b28ed6de-e4ba-40f7-ae0a-93a088c774ab
known_false_positives: ''
maintainers:
- company: Splunk
  email: jbrewer@splunk.com
  name: Jason Brewer
modification_date: '2019-11-14'
name: Baseline of Excessive AWS Instances Terminated by User - MLTK
original_authors:
- company: Splunk
  email: jbrewer@splunk.com
  name: Jason Brewer
spec_version: 2
type: splunk
version: '1.0'
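The baseline search above does four things: keep successful TerminateInstances events, floor each event to a 10-minute bucket, count events per (bucket, user), and fit a density to those counts so that the detection search can later flag counts falling in the extreme tail (threshold=0.0005) of the fitted distribution, over a window that runs from -91d@d to -1d@d. The following Python is an added, stand-alone illustration of that pipeline and is not code from the security_content project or from MLTK. It makes three labelled assumptions: a normal distribution fitted with mean and population standard deviation stands in for MLTK's DensityFunction (which chooses among several distributions and supports two-sided tails); `userIdentity.userName` is used where the search uses the add-on's `src_user` field; and a record with no `errorCode` is treated as success, since raw CloudTrail omits the field on success and the search's `errorCode=success` relies on the Splunk Add-on for AWS normalising it. All log records are constructed sample data.

```python
"""Simplified re-creation of the baseline's filter / bucket / stats / fit steps.
Added example, not part of the security_content YAML or of MLTK; the normal fit
is a stand-in for DensityFunction and all records below are constructed."""
from collections import Counter
from datetime import datetime, timezone
from statistics import NormalDist, mean, pstdev

BUCKET_SECONDS = 600          # `bucket span=10m _time`
OUTLIER_THRESHOLD = 0.0005    # `fit DensityFunction ... threshold=0.0005`


def _ev(time, user, name="TerminateInstances", error_code=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name, "userIdentity": {"userName": user}}
    if error_code is not None:
        rec["errorCode"] = error_code
    return rec


# Constructed 'baseline window': routine terminations plus one unrelated event
# and one failed TerminateInstances call that the search's filters must drop.
BASELINE_EVENTS = [
    _ev("2019-11-14T10:01:00Z", "alice"),
    _ev("2019-11-14T10:02:00Z", "alice", name="RunInstances"),          # wrong eventName
    _ev("2019-11-14T10:12:00Z", "alice"), _ev("2019-11-14T10:15:00Z", "alice"),
    _ev("2019-11-14T10:23:00Z", "alice"),
    _ev("2019-11-14T10:31:00Z", "alice"), _ev("2019-11-14T10:33:00Z", "alice"),
    _ev("2019-11-14T10:38:00Z", "alice"),
    _ev("2019-11-14T11:02:00Z", "bob"), _ev("2019-11-14T11:05:00Z", "bob"),
    _ev("2019-11-14T11:04:00Z", "bob", error_code="Client.UnauthorizedOperation"),  # failed call
    _ev("2019-11-14T11:14:00Z", "bob"),
    _ev("2019-11-14T11:21:00Z", "bob"), _ev("2019-11-14T11:29:00Z", "bob"),
    _ev("2019-11-14T11:35:00Z", "bob"),
]

# Constructed 'detection window': alice behaves as before, bob terminates 40
# instances inside a single 10-minute bucket (14:00-14:09 UTC).
DETECTION_EVENTS = [
    _ev("2019-11-14T14:03:00Z", "alice"), _ev("2019-11-14T14:07:00Z", "alice"),
] + [_ev(f"2019-11-14T14:{i // 6:02d}:{(i * 7) % 60:02d}Z", "bob") for i in range(40)]


def is_successful_terminate(event):
    """eventName=TerminateInstances errorCode=success.  Assumption: a missing
    errorCode means success, matching what the add-on normalises it to."""
    if event.get("eventName") != "TerminateInstances":
        return False
    return event.get("errorCode", "success") == "success"


def bucket_start(event_time, span=BUCKET_SECONDS):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its span-second bucket."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % span


def instances_terminated(events, span=BUCKET_SECONDS):
    """`stats count as instances_terminated by _time src_user` over bucketed events.
    Only (bucket, user) pairs with at least one termination appear, as in Splunk;
    userIdentity.userName is assumed as the src_user equivalent."""
    counts = Counter()
    for ev in events:
        if is_successful_terminate(ev):
            user = ev.get("userIdentity", {}).get("userName", "unknown")
            counts[(bucket_start(ev["eventTime"], span), user)] += 1
    return counts


def fit_upper_cutoff(counts, threshold=OUTLIER_THRESHOLD):
    """Stand-in for `fit DensityFunction`: fit a normal density to the per-bucket
    counts and return the count above which the upper-tail mass is below
    `threshold`.  Only the upper tail matters for *excessive* terminations."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:            # degenerate baseline: every bucket identical
        return float(mu)
    return NormalDist(mu, sigma).inv_cdf(1 - threshold)


def find_outliers(counts, cutoff):
    """What the corresponding detection search does with the saved model:
    return (bucket_start, user, count) for every bucket above the cutoff."""
    return sorted((b, u, n) for (b, u), n in counts.items() if n > cutoff)


if __name__ == "__main__":
    baseline = instances_terminated(BASELINE_EVENTS)
    cutoff = fit_upper_cutoff(baseline)
    print(f"baseline buckets={len(baseline)} cutoff={cutoff:.2f}")
    for bucket, user, n in find_outliers(instances_terminated(DETECTION_EVENTS), cutoff):
        when = datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
        print(f"outlier: {user} terminated {n} instances in bucket starting {when}")
```

Two properties of the real search carry over and are worth keeping in mind when tuning: buckets with zero terminations never reach `fit`, so the model describes how many instances a user terminates *when they terminate any*, and a small baseline yields a cutoff only a few instances above the routine counts, which is why the how_to_implement text suggests a longer window when results are noisy.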