Cloud Provisioning Activity from Unusual Country

Description

Looks for IaaS Provisioning activities that occur from new IPs, using GeoIP to resolve the Country.


Use Case

Advanced Threat Detection, Insider Threat

Category

Account Compromise, IAM Analytics, Account Sharing, SaaS, Insider Threat

Security Impact

The risk that this detection intends to reduce is the compromise of an IaaS environment, where all of a sudden provisioning occurs in countries that have not been seen before (a very rudimentary baseline detection). Assuming that the user is not traveling, and that new orchestration tools are not being used (and admittedly, that the GeoIP is not wrong), this would suggest that credentials have been created or compromised, and are in control of an adversary. This could result in potential data leakage, data deletion, or cost run-up.

Alert Volume

Medium (?)

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Audit Trail
GCP
Azure
AWS

How to Implement

Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data. If your organization pays for the more accurate version of MaxMind's GeoIP Database (usually only common with organizations that have a strong footprint in small countries), consider adding that into Splunk to provide more accurate country resolution.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or for the lookup cache feature, the first occurrence over whatever time period you built the lookup). But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This use case will fire any time a new Country is seen in the GeoIP database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of MaxMind GeoIP that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

How To Respond

For organizations that have strict allowed countries for cloud orchestration, you may opt to use Splunk's Adaptive Response Actions to automatically disable an account that is doing provisioning from a new country. More commonly, the concern is account compromise so it is prudent to immediately call the user and find out if they intended to take those actions.

Help

Cloud Provisioning Activity from Unusual Country Help

This example leverages the Detect New Values search assistant. Our example dataset is a collection of anonymized AWS CloudTrail logs, during which someone does something bad. Our live search looks for the same behavior using the very standardized index and sourcetype for AWS CloudTrail, GCP, or Azure, as detailed in How to Implement.

SPL for Cloud Provisioning Activity from Unusual Country

Demo Data

First we bring in our basic demo dataset: in this case, anonymized AWS CloudTrail logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Then we filter for provisioning activities (somewhat broadly).
Next we use GeoIP to resolve the source IP to a country.
Here we use the stats command to calculate the earliest and latest time we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset, so that "the last day" is measured against the end of the sample rather than the current time.
We end by checking whether the earliest time we've seen this value falls within the last day before the end of our demo dataset.

AWS Data

First we bring in our AWS CloudTrail logs filtered for provisioning activities.
Then we summarize to get a count per API and source IP address.
Next we use GeoIP to resolve the source IP to a country.
Here we use the stats command to calculate the earliest and latest time we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value falls within the last day.

GCP Data

First we bring in our GCP logs filtered for provisioning activities.
Then we summarize to get a count per source IP address (we include sourcetype just for convenience).
Next we use GeoIP to resolve the source IP to a country.
Here we use the stats command to calculate the earliest and latest time we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value falls within the last day.

Azure Data

First we bring in our Azure Auditlogs filtered for provisioning activities.
Then we summarize to get a count per source IP address (we include sourcetype just for convenience).
Next we use GeoIP to resolve the source IP to a country.
Here we use the stats command to calculate the earliest and latest time we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value falls within the last day.
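The four walkthroughs above (demo data, AWS, GCP, Azure) all run the same "new value" logic: filter to provisioning calls, resolve the source IP to a country, take earliest/latest per country, and flag countries whose earliest sighting is within the last day. The Python below is an added re-implementation of that logic over a handful of constructed CloudTrail-style events, not the SPL from Splunk Security Essentials; the GEOIP table is a constructed stand-in for the iplocation lookup, and the provisioning prefix list is an assumption. It generalizes the demo-data variant: with no reference_time it measures "the last day" from the end of the dataset, and a live search would pass the current time instead.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events (not real data); only the fields used here.
SAMPLE_EVENTS = [
    '{"eventTime":"2019-10-01T09:12:00Z","eventName":"RunInstances","sourceIPAddress":"203.0.113.10"}',
    '{"eventTime":"2019-10-02T10:30:00Z","eventName":"CreateUser","sourceIPAddress":"203.0.113.11"}',
    '{"eventTime":"2019-10-03T14:05:00Z","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2019-10-03T22:41:00Z","eventName":"RunInstances","sourceIPAddress":"198.51.100.7"}',
    '{"eventTime":"2019-10-04T02:15:00Z","eventName":"CreateAccessKey","sourceIPAddress":"192.0.2.55"}',
]

# Constructed stand-in for Splunk's iplocation (GeoIP) lookup; 192.0.2.55 is deliberately absent.
GEOIP = {"203.0.113.10": "United States", "203.0.113.11": "United States",
         "198.51.100.7": "Netherlands"}

# "Somewhat broad" provisioning filter (assumed prefixes): API names starting with these verbs.
PROVISIONING_PREFIXES = ("Run", "Create", "Launch", "Start")

def is_provisioning(event_name):
    return event_name.startswith(PROVISIONING_PREFIXES)

def country_for(ip):
    # Unresolved IPs get a sentinel country so the detection still fires on them
    # instead of silently dropping the event (a GeoIP gap is itself worth a look).
    return GEOIP.get(ip, "UNRESOLVED")

def new_country_provisioning(raw_events, window=timedelta(days=1), reference_time=None):
    """Return {country: (earliest, latest, count)} for countries whose earliest provisioning
    event falls within `window` of reference_time. reference_time=None uses the latest
    event in the dataset (demo-data variant); pass datetime.now(timezone.utc) for live data."""
    stats = {}
    for line in raw_events:
        ev = json.loads(line)
        if not is_provisioning(ev["eventName"]):
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        country = country_for(ev["sourceIPAddress"])
        earliest, latest, count = stats.get(country, (t, t, 0))
        stats[country] = (min(earliest, t), max(latest, t), count + 1)  # stats earliest/latest/count by Country
    if not stats:
        return {}
    if reference_time is None:
        reference_time = max(latest for _, latest, _ in stats.values())  # most recent value in the dataset
    cutoff = reference_time - window
    return {c: v for c, v in stats.items() if v[0] >= cutoff}  # earliest within the last day
```

On the sample, "United States" was first seen two days before the end of the data and is not flagged, while "Netherlands" and the unresolved IP are.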

Screenshot of Demo Data