forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
baseline_of_s3_bucket_deletion_activity_by_arn.yml
34 lines (34 loc) · 1.39 KB
/
baseline_of_s3_bucket_deletion_activity_by_arn.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
name: Baseline of S3 Bucket deletion activity by ARN
id: 841b102c-8866-494b-a704-87b674fe9b09
version: 1
date: '2018-07-17'
author: Bhavin Patel, Splunk
type: Baseline
datamodel: []
description: This search establishes, on a per-hour basis, the average and standard
deviation for the number of API calls related to deleting an S3 bucket by each user.
Also recorded is the number of data points for each user. This table is then outputted
to a lookup file to allow the detection search to operate quickly.
search: '`cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn
| bucket _time span=1h | stats count as apiCalls by _time, arn | stats count(apiCalls)
as numDataPoints, latest(apiCalls) as latestCount, avg(apiCalls) as avgApiCalls,
stdev(apiCalls) as stdevApiCalls by arn | table arn, latestCount, numDataPoints,
avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | stats count'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs.
known_false_positives: none
references: []
tags:
analytic_story:
- Suspicious AWS S3 Activities
detections:
- Detect Spike in S3 Bucket deletion
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- userIdentity.arn
security_domain: network