forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaws_provisioning.yml
More file actions
50 lines (49 loc) · 2.26 KB
/
aws_provisioning.yml
File metadata and controls
50 lines (49 loc) · 2.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
category:
- Cloud Security
channel: ESCU
creation_date: '2018-03-16'
description: Monitor your AWS provisioning activities for behaviors originating from
unfamiliar or unusual locations. These behaviors may indicate that malicious activities
are occurring somewhere within your network.
detections:
- detection_id: ceb8d3d8-06cb-49eb-beaf-829526e33ff0
name: AWS Cloud Provisioning From Previously Unseen Country
type: splunk
- detection_id: 7971d3df-da82-4648-a6e5-b5637bea5253
name: AWS Cloud Provisioning From Previously Unseen Region
type: splunk
- detection_id: 344a1778-0b25-490c-adb1-de8beddf59cd
name: AWS Cloud Provisioning From Previously Unseen City
type: splunk
- detection_id: 42e15012-ac14-4801-94f4-f1acbe64880b
name: AWS Cloud Provisioning From Previously Unseen IP Address
type: splunk
id: 3338b567-3804-4261-9889-cf0ca4753c7f
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
modification_date: '2018-03-16'
name: AWS Suspicious Provisioning Activities
narrative: 'Because most enterprise AWS activities originate from familiar geographic
locations, monitoring for activity from unknown or unusual regions is an important
security measure. This indicator can be especially useful in environments where
it is impossible to whitelist specific IPs (because they vary).\
This Analytic Story was designed to provide you with flexibility in the precision
you employ in specifying legitimate geographic regions. It can be as specific as
an IP address or a city, or as broad as a region (think state) or an entire country.
By determining how precise you want your geographical locations to be and monitoring
for new locations that haven''t previously accessed your environment, you can detect
adversaries as they begin to probe your environment. Since there are legitimate
reasons for activities from unfamiliar locations, this is not a standalone indicator.
Nevertheless, location can be a relevant piece of information that you may wish
to investigate further.'
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references:
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
spec_version: 2
usecase: Security Monitoring
version: '1.0'