forked from splunk/security_content
aws_user_monitoring.yml
name: AWS User Monitoring
id: 2e8948a5-5239-406b-b56b-6c50f1269af3
version: 1
date: '2018-03-12'
author: Bhavin Patel, Splunk
description: Detect and investigate dormant user accounts for your AWS environment
  that have become active again. Because inactive and ad-hoc accounts are common attack
  targets, it's critical to enable governance within your environment.
narrative: 'It seems obvious that it is critical to monitor and control the users
  who have access to your cloud infrastructure. Nevertheless, it''s all too common
  for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable
  to attack. In fact, this was the very oversight that led to Tesla''s cryptojacking
  attack in February, 2018.\
  In addition to compromising the security of your data, when bad actors leverage
  your compute resources, it can incur monumental costs, since you will be billed
  for any new EC2 instances and increased bandwidth usage. \
  Fortunately, you can leverage Amazon Web Services (AWS) CloudTrail--a tool that
  helps you enable governance, compliance, and risk auditing of your AWS account--to
  give you increased visibility into your user and resource activity by recording
  AWS Management Console actions and API calls. You can identify which users and accounts
  called AWS, the source IP address from which the calls were made, and when the calls
  occurred.\
  The detection searches in this Analytic Story are designed to help you uncover AWS
  API activities from users not listed in the identity table, as well as similar activities
  from disabled accounts.'
references:
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
- https://redlock.io/blog/cryptojacking-tesla
tags:
  analytic_story: AWS User Monitoring
  category:
  - Cloud Security
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring
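As an added illustration of the detection idea in the narrative above (this is not code from the splunk/security_content project, whose searches run inside Splunk), the Python below scans constructed CloudTrail-style records against a constructed identity table and flags callers that are not in the table, are marked disabled, or have been dormant. The identity table, its `last_seen` column and the 90-day dormancy threshold are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed identity table (assumption): user -> status and last activity.
# In Splunk this is the identity lookup the story's searches join against.
IDENTITY_TABLE = {
    "alice": {"status": "active", "last_seen": "2018-03-01T09:00:00Z"},
    "bob": {"status": "disabled", "last_seen": "2017-11-20T14:30:00Z"},
    "carol": {"status": "active", "last_seen": "2017-12-01T08:00:00Z"},
}
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for "dormant"
TS = "%Y-%m-%dT%H:%M:%SZ"           # CloudTrail eventTime format

def caller_name(event):
    """Extract the principal name from a CloudTrail userIdentity block."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return ident.get("arn", "").rsplit("/", 1)[-1]
    return ident.get("userName") or ident.get("arn")

def classify(event, identity_table=IDENTITY_TABLE, dormant_after=DORMANT_AFTER):
    """Return unknown_user, disabled_user, dormant_user, or None for one record."""
    record = identity_table.get(caller_name(event))
    if record is None:
        return "unknown_user"            # caller not listed in the identity table
    if record["status"] == "disabled":
        return "disabled_user"           # API activity from a disabled account
    gap = datetime.strptime(event["eventTime"], TS) - datetime.strptime(record["last_seen"], TS)
    return "dormant_user" if gap > dormant_after else None

def scan(lines, **kw):
    """Run classify() over newline-delimited CloudTrail JSON; collect findings."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        verdict = classify(ev, **kw)
        if verdict:
            # Keep the fields an analyst triages on: who, what, from where, when.
            findings.append((verdict, caller_name(ev), ev["eventName"],
                             ev.get("sourceIPAddress"), ev["eventTime"]))
    return findings

# Constructed sample records shaped like CloudTrail events (not real logs).
SAMPLE = [
    '{"eventTime":"2018-03-12T10:15:00Z","eventName":"RunInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"carol"}}',
    '{"eventTime":"2018-03-12T10:16:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.8","userIdentity":{"type":"IAMUser","userName":"bob"}}',
    '{"eventTime":"2018-03-12T10:17:00Z","eventName":"ListBuckets","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Deploy/mallory"}}',
    '{"eventTime":"2018-03-12T10:18:00Z","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.9","userIdentity":{"type":"IAMUser","userName":"alice"}}',
]
```

Calling `scan(SAMPLE)` yields three findings (carol dormant, bob disabled, mallory unknown) and nothing for alice, whose last activity is within the threshold.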