security-content/detections/aws_spike_acl_activity.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
asset_type: AWS Instance
baselines:
  - id: fc0edd96-ff2b-4810-9f1f-63da3783fd63
    name: Baseline of Network ACL Activity by ARN
    type: splunk
confidence: medium
creation_date: '2018-05-17'
data_metadata:
  data_source:
    - AWS CloudTrail logs
  data_sourcetypes:
    - aws:cloudtrail
  providing_technologies:
    - AWS
description: This search will detect users creating spikes in API activity related
  to network access-control lists (ACLs)in your AWS environment.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: user
        rule_description: A spike in the number of AWS API calls related to network
          ACLs by $user$ was detected.
        rule_title: Spike in AWS Network ACL activity detected by $user$
      risk:
        risk_object: user
        risk_object_type:
          - user
        risk_score: 30
      schedule:
        cron_schedule: 10 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: sourcetype=aws:cloudtrail `network_acl_events` [search sourcetype=aws:cloudtrail
        `network_acl_events` | spath output=arn path=userIdentity.arn | stats count
        as apiCalls by arn | inputlookup network_acl_activity_baseline append=t |
        fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount
        | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls,
        2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval
        avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls,
        stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
        | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup
        network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold
        = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls)
        AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn
        as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn
        | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName)
        as uniqueApisCalled by user
      suppress:
        suppress_fields: user
        suppress_period: 14400s
eli5: 'This search and its corresponding subsearch run through the following series
  of steps: \

  1. Retrieve all the AWS CloudTrail log entries that have recorded AWS API calls
  specifically for creating/modifying/replacing network Access Control Lists (ACLs).\

  1. Kick off a subsearch that retrieves the same data and pulls out the ARN into
  a more friendly format.\

  1. Count the number of API calls per Amazon Resource Name (ARN).\

  1. Load the cache file that contains the number of data points, the count from the
  latest hour, the API call average, and the standard deviation for each ARN.\

  1. Drop the count from the latest hour, since it is not necessary, and merge the
  rest of the data with the results of the stats command. \

  1. Rename `apiCalls` as `latestCount`.\

  1. Calculate the new average value for each ARN with the latest count, weighting
  the past much more heavily than the current hour. They do the same for the standard
  deviation--weighting the past more heavily than the current.\

  1. Update the cache file with the latest results.\

  1. Set the minimum threshold for the number of data points and set the number of
  standard deviations away from the mean it must be to be considered a spike.\

  1. Make a determination regarding whether or not the current count is a spike by
  checking to see if the minimum data-point threshold has been met and the count is
  a sufficient number of standard deviations away from the average.\

  1. Filter out anything that it determines is not a spike and return the list of
  ARNs to the main search. The main search subsequently gets the names of all the
  API calls, the number of unique API calls, and the total number of API calls for
  each of these ARNs. Finally, it looks up the average and standard deviation and
  returns both the average and the number of standard deviations the spike is from
  the average.'
entities:
  - user
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit
  your environment. The `dataPointThreshold` variable is the minimum number of data
  points required to have a statistically significant amount of data to determine.
  The `deviationThreshold` variable is the number of standard deviations away from
  the mean that the value must be to be considered a spike. This search works best
  when you run the "Baseline of Network ACL Activity by ARN" support search once to
  create a lookup file of previously seen Network ACL Activity. To add or remove API
  event names related to network ACLs, edit the macro `network_acl_events`.
id: ada0f478-84a8-4641-a1f1-e32372d4bd53
investigations:
  - id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
    name: AWS Investigate User Activities By ARN
    type: splunk
  - id: f3fb4d1c-5f33-4b01-b541-c3ah9534c241
    name: AWS Network Interface details via resourceId
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7ah9534c242
    name: AWS Network ACL Details from ID
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: The false-positive rate may vary based on the values of`dataPointThreshold`
  and `deviationThreshold`. Please modify this according the your environment.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 12
    - CIS 11
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Persistence
    - Exfiltration
  nist:
    - DE.DP
    - DE.CM
    - PR.AC
modification_date: '2018-05-21'
name: Detect Spike in Network ACL Activity
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references: []
security_domain: network
spec_version: 2
type: splunk
version: '1.0'