security-content/detections/abnormally_high_instance_termination.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
asset_type: AWS Instance
confidence: medium
creation_date: '2018-02-26'
data_metadata:
  data_source:
    - AWS CloudTrail logs
  data_sourcetypes:
    - aws:cloudtrail
  providing_technologies:
    - AWS
description: This search looks for CloudTrail events where an abnormally high number
  of instances were successfully terminated by a user in a 10-minute window
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: userName
        rule_description: An abnormally high number of instances were terminated by
          a user in a 10-minute window
        rule_title: High number of instances terminated by $userName$
      risk:
        risk_object: userName
        risk_object_type:
          - user
        risk_score: 30
      schedule:
        cron_schedule: '*/10 * * * *'
        earliest_time: -30d@d
        latest_time: -10m@m
      search: sourcetype=aws:cloudtrail eventName=TerminateInstances errorCode=success
        | bucket span=10m _time | stats count AS instances_terminated by _time userName
        | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated)
        as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated
        > total_terminations_avg+(total_terminations_stdev * threshold_value), 1,
        0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m")| eval
        num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg)
        / total_terminations_stdev, 2) |table _time, userName, instances_terminated,
        num_standard_deviations_away, total_terminations_avg, total_terminations_stdev
      suppress:
        suppress_fields: userName
        suppress_period: 3600s
eli5: In this search, we query CloudTrail logs to look for events where an instance
  is successfully terminated by a particular user. Since we want to detect a high
  number of instances terminated within a short period, we create event buckets for
  10-minute windows. We then calculate the total number of instances terminated by
  a particular user, as well as the average- and standard-deviation values. Assign
  a `threshold_value` in the search. Try starting with 3 (but it will likely need
  to be tweaked for your environment). The `eval` function will set the outlier to
  1 if the number of instances is greater than the average number of instances terminated,
  added to the multiplied value of threshold and standard deviation. We then filter
  out outliers with a value of 1 and show only those instance-termination events that
  happened within the previous 10 minutes.
entities:
  - userName
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs.
id: ada0f478-84a8-4641-s3f3-d82362dffd75
investigations:
  - id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
    name: AWS Investigate User Activities By ARN
    type: splunk
  - id: f3db4d1b-5f33-4b01-c541-c7ah9514c242
    name: Get EC2 Instance Details by instanceId
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: bc91a8cd-35e7-4bb2-6140-e756cc46fd11
    name: Investigate AWS activities via region name
    type: splunk
known_false_positives: Many service accounts configured with your AWS infrastructure
  are known to exhibit this behavior. Please adjust the threshold values and filter
  out service accounts from the output. Always verify whether this search alerted
  on a human user.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 13
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Execution
  nist:
    - DE.DP
    - DE.AE
modification_date: '2018-02-26'
name: Abnormally High AWS Instances Terminated by User
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'