forked from splunk/security_content
aws_ec2_modifications.yml
36 lines (36 loc) · 1.59 KB
category:
- Cloud Security
channel: ESCU
creation_date: '2018-04-09'
description: Identify unusual changes to your AWS EC2 instances that may indicate
  malicious activity. Modifications to your EC2 instances by previously unseen users
  is an example of an activity that may warrant further investigation.
detections:
- detection_id: 56f91724-cf3f-4666-84e1-e3712fb41e76
  name: EC2 Instance Modified With Previously Unseen User
  type: splunk
id: 73de57ef-0dfc-411f-b1e7-fa24428aeae0
maintainers:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
modification_date: '2018-04-09'
name: Unusual AWS EC2 Modifications
narrative: "A common attack technique is to infiltrate a cloud instance and make modifications.\
  \ The adversary can then secure access to your infrastructure or hide their activities.\
  \ So it's important to stay alert to changes that may indicate that your environment\
  \ has been compromised. \\\n Searches within this Analytic Story can help you detect\
  \ the presence of a threat by monitoring for EC2 instances that have been created\
  \ or changed--either by users that have never previously performed these activities\
  \ or by known users who modify or create instances in a way that have not been done\
  \ before. This story also provides investigative searches that help you go deeper\
  \ once you detect suspicious behavior."
original_authors:
- company: Splunk
  email: davidd@splunk.com
  name: David Dorsey
references:
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
spec_version: 2
usecase: Security Monitoring
version: '1.0'
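The analytic story above describes the idea behind its detection (an EC2 instance created or changed by a user who has never performed that action before) but the Splunk search itself is not on this page. The following Python script is an added illustration of that logic, not the story's own SPL search or any Splunk code: it builds a baseline of which identities have performed each EC2 write API call during an earlier window, then flags later calls by identities absent from that baseline. The event records are constructed for the example and only loosely follow CloudTrail field names (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`); the list of "modification" API names and the baseline cut-off date are assumptions chosen for the demo.

```python
"""Flag EC2 modifications made by previously unseen users.

Added example: baseline which IAM identities have performed each EC2
write call, then report later calls by identities not in the baseline.
Record shape and action list are assumptions, not Splunk's detection.
"""
from collections import defaultdict
from datetime import datetime

# EC2 API calls that create or change an instance (assumed list for the demo;
# read-only calls such as DescribeInstances are deliberately excluded).
EC2_MODIFY_ACTIONS = {
    "RunInstances", "ModifyInstanceAttribute", "StartInstances",
    "StopInstances", "TerminateInstances", "RebootInstances",
}

# Events before this point form the baseline; events from this point on are
# checked against it (assumed split for the example).
BASELINE_END = datetime(2018, 4, 1)

# Constructed sample events shaped like CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2018-03-20T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2018-03-21T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2018-03-22T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2018-03-22T08:16:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",  # read-only, ignored by the filter
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    # Detection window
    {"eventTime": "2018-04-03T14:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",  # alice has done this before: no alert
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2018-04-05T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute",  # bob never did this: alert
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2018-04-06T23:45:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances",  # identity never seen at all: alert
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"}},
    {"eventTime": "2018-04-06T23:50:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers",  # not EC2, ignored
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"}},
]


def parse_time(ts):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def ec2_modifications(events):
    """Yield only EC2 events whose API call creates or changes an instance."""
    for ev in events:
        if (ev.get("eventSource") == "ec2.amazonaws.com"
                and ev.get("eventName") in EC2_MODIFY_ACTIONS):
            yield ev


def build_baseline(events, before=BASELINE_END):
    """Map each EC2 modify action to the set of identities seen doing it."""
    seen = defaultdict(set)
    for ev in ec2_modifications(events):
        if parse_time(ev["eventTime"]) < before:
            seen[ev["eventName"]].add(ev["userIdentity"]["arn"])
    return seen


def find_unseen_users(events, baseline, since=BASELINE_END):
    """Return (time, user, action) for post-cutoff modifications whose user
    never performed that action in the baseline window."""
    hits = []
    for ev in ec2_modifications(events):
        if parse_time(ev["eventTime"]) < since:
            continue
        user = ev["userIdentity"]["arn"]
        if user not in baseline.get(ev["eventName"], set()):
            hits.append((ev["eventTime"], user, ev["eventName"]))
    return hits


def detect(events=SAMPLE_EVENTS, split=BASELINE_END):
    """Convenience wrapper: baseline then detect over one event list."""
    return find_unseen_users(events, build_baseline(events, split), split)


if __name__ == "__main__":
    for when, user, action in detect():
        print(f"{when} {user} performed {action} for the first time")
```

The baseline is keyed per action rather than per "any EC2 change", so a known operator who starts terminating instances after only ever launching them is surfaced too, which matches the story's second case (known users acting in a way they have not before). In practice the baseline would come from a persisted lookup that is refreshed as alerts are triaged, so that a legitimate new operator is not reported on every subsequent action.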