forked from splunk/security_content
aws_suspcious_traffic.yml
42 lines (42 loc) · 2.1 KB
category:
- Cloud Security
channel: ESCU
creation_date: '2018-05-07'
description: Leverage these searches to monitor your AWS network traffic for evidence
  of anomalous activity and suspicious behaviors, such as a spike in blocked outbound
  traffic in your virtual private cloud (VPC).
detections:
- detection_id: ada0f278-84a8-46w1-a3f1-w32372d4bd53
  name: Detect Spike in blocked Outbound Traffic from your AWS
  type: splunk
id: 2e8948a5-5239-406b-b56b-6c50f2168af3
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2018-05-07'
name: Suspicious AWS Traffic
narrative: "A virtual private cloud (VPC) is an on-demand managed cloud-computing\
  \ service that isolates computing resources for each client. Inside the VPC container,\
  \ the environment resembles a physical network. \\\nAmazon's VPC service enables\
  \ you to launch EC2 instances and leverage other Amazon resources. The traffic that\
  \ flows in and out of this VPC can be controlled via network access-control rules\
  \ and security groups. Amazon also has a feature called VPC Flow Logs that enables\
  \ you to log IP traffic going to and from the network interfaces in your VPC. This\
  \ data is stored using Amazon CloudWatch Logs.\\\n Attackers may abuse the AWS infrastructure\
  \ with insecure VPCs so they can co-opt AWS resources for command-and-control nodes,\
  \ data exfiltration, and more. Once an EC2 instance is compromised, an attacker\
  \ may initiate outbound network connections for malicious reasons. Monitoring these\
  \ network traffic behaviors is crucial for understanding the type of traffic flowing\
  \ in and out of your network and to alert you to suspicious activities.\\\nThe searches\
  \ in this Analytic Story will monitor your AWS network traffic for evidence of anomalous\
  \ activity and suspicious behaviors."
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references:
- https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/
spec_version: 2
usecase: Security Monitoring
version: '1.0'
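The single detection this story references ("Detect Spike in blocked Outbound Traffic from your AWS") runs over VPC Flow Log records. The following is an added illustration of that logic in Python and is not the Splunk search or any code from security_content: it parses default-format (version 2) VPC Flow Log lines, counts REJECTed flows whose source address lies inside the VPC CIDR per hour, and flags an hour whose count exceeds the trailing mean plus two standard deviations. The field order is AWS's documented default; the records, the CIDR 10.0.0.0/16, the account and interface ids are constructed sample data.

```python
import ipaddress
import statistics
from collections import Counter

# Default VPC Flow Log (version 2) field order, as documented by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def _rec(src, dst, start, action):  # one constructed flow-log line (sample data, not a real capture)
    return f"2 123456789012 eni-0a1b2c3d {src} {dst} 49152 443 6 10 840 {start} {start + 60} {action} OK"

T0 = 1_700_000_000 - 1_700_000_000 % 3600  # constructed hour-aligned epoch
SAMPLE_LOG = []
for h in range(4):  # four quiet hours: 2 rejected outbound flows each, plus noise that must be ignored
    SAMPLE_LOG += [_rec("10.0.1.25", "203.0.113.9", T0 + h * 3600 + k * 900, "REJECT") for k in range(2)]
    SAMPLE_LOG.append(_rec("10.0.1.25", "203.0.113.9", T0 + h * 3600 + 120, "ACCEPT"))   # allowed flow
    SAMPLE_LOG.append(_rec("198.51.100.7", "10.0.1.25", T0 + h * 3600 + 300, "REJECT"))  # inbound reject
SAMPLE_LOG += [_rec("10.0.1.25", f"203.0.113.{10 + k}", T0 + 4 * 3600 + k * 30, "REJECT")
               for k in range(40)]  # fifth hour: burst of rejected outbound flows from one instance
SAMPLE_LOG.append(f"2 123456789012 eni-0a1b2c3d - - - - - - - {T0} {T0 + 60} - NODATA")

def parse_record(line):
    """Field dict for a record with log-status OK; None for malformed, NODATA or SKIPDATA lines."""
    parts = line.split()
    rec = dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None
    return rec if rec and rec["log_status"] == "OK" else None

def blocked_outbound_per_window(lines, vpc_cidr, window_secs=3600):
    """Count REJECTed flows whose source lies inside vpc_cidr, bucketed by flow start time."""
    net = ipaddress.ip_network(vpc_cidr)
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in net:  # inbound rejects are out of scope here
            counts[int(rec["start"]) // window_secs * window_secs] += 1
    return counts

def find_spikes(counts, num_stdev=2.0, min_history=3):
    """Flag windows whose count exceeds the trailing mean + num_stdev * stdev (stdev floored at 1)."""
    windows, spikes = sorted(counts), []
    for i, w in enumerate(windows):
        history = [counts[x] for x in windows[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge this window
        threshold = statistics.mean(history) + num_stdev * max(statistics.pstdev(history), 1.0)
        if counts[w] > threshold:
            spikes.append((w, counts[w], round(threshold, 2)))
    return spikes
```

Tune `num_stdev` and `min_history` to the noise level of the account; the stdev floor keeps a perfectly flat baseline from turning a single extra reject into an alert.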