forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathupdate_previously_seen_aws_users.yml
More file actions
50 lines (50 loc) · 2.16 KB
/
update_previously_seen_aws_users.yml
File metadata and controls
50 lines (50 loc) · 2.16 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
baseline:
splunk:
schedule:
cron_schedule: 0 0 1 * *
earliest_time: -60m@m
latest_time: m@m
search: sourcetype=aws:cloudtrail eventName=ConsoleLogin | rename userIdentity.arn
as user | iplocation src | eval City=if(City LIKE "",src,City),Region=if(Region
LIKE "",src,Region) | stats earliest(_time) AS firstTime latest(_time) AS firstTime
by user src City Region Country | inputlookup append=t previously_seen_users_console_logins.csv
| stats min(firstTime) as firstTime max(firstTime) as firstTime by user src City Region
Country | outputlookup previously_seen_users_console_logins.csv
creation_date: '2019-04-25'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search looks for CloudTrail events where a user logs into the console,
then updates the baseline of the latest and earliest times, City, Region, and Country
we have encountered this user in our dataset, grouped by ARN, within the last hour.
eli5: In this support search, we look for console login events by a particular user
to update the baseline cache of users/arns making the accesses, including the earliest
and latest times, City, Region, and Country a particular user ARN is seen in our
dataset, grouped by the ARN value. In cases where City and Region cannot be determined,
the source IP address is substituted for these values.
entities:
- user
- src
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
inputs. Please validate the user name entries in `previously_seen_users_console_logins.csv`,
which is a lookup file created as a result of running this support search.
id: 06c036e6-d6d7-4daa-bd76-411c3d356031
known_false_positives: n/a
maintainers:
- company: Splunk
email: jbrewer@splunk.com
name: Jason Brewer
modification_date: '2018-04-30'
name: Update previously seen users in CloudTrail
original_authors:
- company: Splunk
email: jbrewer@splunk.com
name: Jason Brewer
spec_version: 2
type: splunk
version: '1.0'