forked from splunk/security_content
previously_seen_aws_cross_account_activity.yml
name: Previously Seen AWS Cross Account Activity
id: 1cc22b09-c867-416e-a511-cb36ac44aee2
version: 1
date: '2018-06-04'
author: David Dorsey, Splunk
type: Baseline
datamodel: []
description: This search looks for **AssumeRole** events where the requesting account
  differs from the requested account, then writes these relationships to a lookup
  file.
search: '`cloudtrail` eventName=AssumeRole | spath output=requestingAccountId path=userIdentity.accountId
  | spath output=requestedAccountId path=resources{}.accountId | search requestingAccountId=*
  | where requestingAccountId!=requestedAccountId | stats earliest(_time) as firstTime
  latest(_time) as lastTime by requestingAccountId, requestedAccountId | outputlookup
  previously_seen_aws_cross_account_activity | stats count'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs. Validate the user name entries in `previously_seen_aws_cross_account_activity.csv`,
  a lookup file created by this support search.
known_false_positives: none
references: []
tags:
  analytic_story:
  - AWS Cross Account Activity
  detections:
  - AWS Cross Account Activity From Previously Unseen Account
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - eventName
  - userIdentity.accountId
  - resources{}.accountId
  security_domain: network
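The SPL above is compact but easy to misread, so here is the same baseline logic written out in Python over a few constructed CloudTrail records. This is an added example, not code from the Splunk security_content project: it assumes CloudTrail JSON records with `userIdentity.accountId` and `resources[].accountId`, uses an integer `eventTime` in place of Splunk's `_time`, treats each entry in `resources` separately (the multivalue field that `spath ... resources{}.accountId` produces), and adds a small `previously_unseen` helper showing how the companion detection would consult the lookup the baseline writes.

```python
"""Re-implementation of the "Previously Seen AWS Cross Account Activity"
baseline in plain Python (added example; not the project's own code).

Pipeline mirrored from the SPL search:
  eventName=AssumeRole
  | spath requestingAccountId = userIdentity.accountId
  | spath requestedAccountId  = resources{}.accountId
  | search requestingAccountId=*
  | where requestingAccountId != requestedAccountId
  | stats earliest(_time) as firstTime latest(_time) as lastTime
          by requestingAccountId, requestedAccountId
  | outputlookup previously_seen_aws_cross_account_activity
"""
import csv
import io

# Constructed sample events (made-up account IDs and epoch timestamps).
SAMPLE_EVENTS = [
    # cross-account: 1111... assumes a role in 2222...
    {"eventName": "AssumeRole", "eventTime": 100,
     "userIdentity": {"accountId": "111111111111"},
     "resources": [{"accountId": "222222222222", "type": "AWS::IAM::Role"}]},
    # same account assuming its own role: dropped by the != filter
    {"eventName": "AssumeRole", "eventTime": 200,
     "userIdentity": {"accountId": "111111111111"},
     "resources": [{"accountId": "111111111111", "type": "AWS::IAM::Role"}]},
    # a second requesting account hitting the same target
    {"eventName": "AssumeRole", "eventTime": 300,
     "userIdentity": {"accountId": "333333333333"},
     "resources": [{"accountId": "222222222222", "type": "AWS::IAM::Role"}]},
    # no userIdentity.accountId (e.g. an AWS service principal): dropped by requestingAccountId=*
    {"eventName": "AssumeRole", "eventTime": 400,
     "userIdentity": {"type": "AWSService"},
     "resources": [{"accountId": "222222222222", "type": "AWS::IAM::Role"}]},
    # the first pair again, later: extends lastTime
    {"eventName": "AssumeRole", "eventTime": 500,
     "userIdentity": {"accountId": "111111111111"},
     "resources": [{"accountId": "222222222222", "type": "AWS::IAM::Role"}]},
    # not an AssumeRole event at all
    {"eventName": "GetCallerIdentity", "eventTime": 600,
     "userIdentity": {"accountId": "111111111111"}, "resources": []},
]


def extract_pairs(event):
    """Return (requestingAccountId, requestedAccountId) tuples for one event,
    applying the eventName, requestingAccountId=* and != filters."""
    if event.get("eventName") != "AssumeRole":
        return []
    requesting = (event.get("userIdentity") or {}).get("accountId")
    if not requesting:  # search requestingAccountId=*
        return []
    pairs = []
    for res in event.get("resources") or []:
        requested = res.get("accountId")
        # where requestingAccountId!=requestedAccountId
        if requested and requested != requesting:
            pairs.append((requesting, requested))
    return pairs


def build_baseline(events):
    """stats earliest(_time) as firstTime latest(_time) as lastTime
    by requestingAccountId, requestedAccountId -> {pair: (firstTime, lastTime)}"""
    stats = {}
    for event in events:
        t = event["eventTime"]
        for pair in extract_pairs(event):
            first, last = stats.get(pair, (t, t))
            stats[pair] = (min(first, t), max(last, t))
    return stats


def to_lookup_rows(stats):
    """Rows in the shape outputlookup writes to the CSV, one per account pair."""
    return [{"requestingAccountId": a, "requestedAccountId": b,
             "firstTime": first, "lastTime": last}
            for (a, b), (first, last) in sorted(stats.items())]


def to_lookup_csv(rows):
    """Serialise the rows as the lookup CSV the detection later reads."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["requestingAccountId", "requestedAccountId", "firstTime", "lastTime"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def previously_unseen(lookup_rows, event):
    """What the companion detection asks of a new event: which of its
    cross-account pairs are absent from the baseline lookup?"""
    known = {(r["requestingAccountId"], r["requestedAccountId"]) for r in lookup_rows}
    return [pair for pair in extract_pairs(event) if pair not in known]


if __name__ == "__main__":
    rows = to_lookup_rows(build_baseline(SAMPLE_EVENTS))
    print(to_lookup_csv(rows))
```

The two filters worth noticing are `requestingAccountId=*`, which silently drops events with no caller account ID, and `requestingAccountId!=requestedAccountId`, which is what turns "all AssumeRole calls" into "cross-account AssumeRole calls"; a baseline that omitted either would either miss pairs or flood the lookup with intra-account role assumptions.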