previously_seen_s3_bucket_access_by_remote_ip.yml

name: Previously seen S3 bucket access by remote IP
id: 54c40c6a-9a5b-4a79-9291-85977f713961
version: 1
date: '2018-06-28'
author: Bhavin Patel, Splunk
type: Baseline
datamodel: []
description: This search looks for successful access to S3 buckets from remote IP
  addresses, then creates a baseline of the earliest and latest times we have encountered
  this remote IP within the last 30 days. In this support search, we are only looking
  for S3 access events where the HTTP response code from AWS is "200"
search: '`aws_s3_accesslogs` http_status=200  | stats  earliest(_time) as earliest
  latest(_time) as latest by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip
  | stats count'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access-logs
  inputs. You must validate the remote IP and bucket name entries in `previously_seen_S3_access_from_remote_ip.csv`,
  which is a lookup file created as a result of running this support search.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Suspicious AWS S3 Activities
  detections:
  - Detect S3 access from a new IP
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - http_status
  - bucket_name
  - remote_ip
  security_domain: network