New Cloud API Call Per Peer Group

Description

Looks for users that are using APIs that neither they, nor their team has ever used before.


Use Case

Advanced Threat Detection, Insider Threat

Category

Account Compromise, IAM Analytics, Insider Threat, SaaS

Security Impact

The risk that this detection intends to reduce is the compromise of a cloud environment, where an account suddenly starts accessing APIs it has not normally used before (such as creating keys, creating AMIs, changing ACLs, etc.). Because this also evaluates activity at the peer-group level, it won't flag new users or users who have moved teams (provided the peer list is up to date). A firing could suggest that credentials have been created or compromised and are under the control of an adversary, which could result in data leakage, data deletion, or cost run-up.

Alert Volume

Medium (?)

SPL Difficulty

Advanced

Journey

Stage 4

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Audit Trail
GCP
Azure
AWS

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple, though the peer group makes things slightly more complicated.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted. Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this base search should work automatically for you without issue.
  • Save the search.

To configure the Peer Group:

  1. Start with a data source that gives you visibility into the peer group -- easiest is usually querying Active Directory via the SA-ldapsearch add-on, but you could get lists of users and their teams / departments / etc. from any source you have.
  2. Next you will need to convert that log source into the format this lookup is expecting, which is as follows:

     user    peergroup (order not important)
     john    john|sarah
     sarah   john|sarah
     mark    mark

     The easiest way to do this is with a search like:

     | inputlookup LDAPSearch.csv | stats values(user) as user by department | eval peergroup=mvjoin(user, "|") | mvexpand user

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache. For more on this, see the lookup cache drop-down below and select the sample item. A window will pop up telling you more about this feature.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or, for the lookup cache feature, the first occurrence over whatever time period you built the lookup from). But while there are really no "false positives" in the traditional sense, there is definitely a lot of noise (even though the peer groups help manage it).

Cloud platforms in particular have many APIs (and add new ones regularly!), so it's generally best to tune over time which APIs you actually want to be emailed about, and leave the rest for context or to aggregate into risk.

How To Respond

When this alert fires, you should look at what APIs were called. We've excluded some of the basic read-only ones (such as DescribeInstances), but the severity of the event will vary based on the severity of the API calls. The natural next step is to call the user and see if they expected this behavior. If the user cannot attribute this activity, it is best to reset the keys and continue your investigation to see what occurred.

Help

New Cloud API Call Per Peer Group Help

This example leverages the Detect New Values search assistant. Our example dataset is a collection of anonymized AWS CloudTrail logs, during which someone does something bad. Our live search looks for the same behavior using the very standardized index and sourcetypes for AWS CloudTrail, GCP and Azure Audit, as detailed in How to Implement.

SPL for New Cloud API Call Per Peer Group

Demo Data

First we bring in our basic demo dataset. In this case, anonymized AWS CloudTrail logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Find where the most recent value is less than -1d@d from either now() or the value showing your most recent data point (depending on your particular search desires)
Enrich primary with peer group
Here we are comparing the number of 'Secondary Field' values seen today and historically by the 'Primary Field'. multireport is a search operator that allows you to leverage the power of stats, but multiple times.
Now we join the two | stats output together into one, so that we can analyze them together
Filtering out null earliest will handle corner cases to make a clean report.
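The peer-group lookup build from the "How to Implement" steps and the first-time-seen comparison described above, re-implemented in Python as an added example (this is not the Splunk Security Essentials SPL, which is not reproduced on this page). The directory entries, CloudTrail-style events, the NOW timestamp and the EXCLUDED_APIS set are all constructed for the example; the same logic applies to the AWS, GCP and Azure variants below.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the LDAPSearch.csv lookup: (user, department).
DIRECTORY = [("john", "platform"), ("sarah", "platform"), ("mark", "finance")]

# Constructed stand-in for CloudTrail events: (timestamp, user, eventName).
# "contractor" has no directory entry, so the peer-group enrichment leaves it null.
EVENTS = [
    ("2024-03-01T09:00:00", "john", "DescribeInstances"),
    ("2024-03-02T10:00:00", "sarah", "CreateAccessKey"),
    ("2024-03-10T08:00:00", "john", "CreateAccessKey"),   # new for john, but peer sarah used it before
    ("2024-03-10T08:05:00", "john", "PutBucketAcl"),      # new for john AND for his whole peer group
    ("2024-03-10T09:00:00", "contractor", "CreateUser"),  # no peer group -> dropped as null earliest
    ("2024-03-10T11:00:00", "mark", "RegisterImage"),     # new for mark, whose peer group is only himself
]
NOW = datetime(2024, 3, 10, 12, 0, 0)
EXCLUDED_APIS = {"DescribeInstances"}  # read-only noise, as the page excludes it

def build_peergroups(directory):
    """Equivalent of: stats values(user) as user by department
    | eval peergroup=mvjoin(user, "|") | mvexpand user  ->  {user: peergroup}."""
    by_dept = defaultdict(set)
    for user, dept in directory:
        by_dept[dept].add(user)
    return {user: "|".join(sorted(members))
            for members in by_dept.values() for user in members}

def find_new_api_calls(events, peergroups, now):
    """Return (user, api, peergroup) for APIs a user called since -1d@d that
    nobody in the user's peer group had called before that boundary."""
    cutoff = (now - timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    earliest = {}                 # (peergroup, api) -> first time any member called it
    recent = set()                # (user, peergroup, api) seen since the cutoff
    for ts, user, api in events:
        if api in EXCLUDED_APIS:
            continue
        group = peergroups.get(user)
        if group is None:         # the "filter out null earliest" corner case
            continue
        t = datetime.fromisoformat(ts)
        earliest[(group, api)] = min(earliest.get((group, api), t), t)
        if t >= cutoff:
            recent.add((user, group, api))
    # Alert only where the peer group's first sighting of the API is itself recent.
    return sorted((user, api, group) for user, group, api in recent
                  if earliest[(group, api)] >= cutoff)
```

With the constructed data, john's CreateAccessKey is suppressed because his peer sarah had used it a week earlier, while PutBucketAcl and mark's RegisterImage are flagged as new for their peer groups.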

AWS Data

First we bring in our basic dataset. In this case, AWS CloudTrail logs, filtered for individual APIs that we want to pay close attention to.
Find where the most recent value is less than -1d@d from either now() or the value showing your most recent data point (depending on your particular search desires)
Enrich primary with peer group
Here we are comparing the number of 'Secondary Field' values seen today and historically by the 'Primary Field'. multireport is a search operator that allows you to leverage the power of stats, but multiple times.
Now we join the two | stats output together into one, so that we can analyze them together

GCP Data

First we bring in our GCP Audit logs.
Find where the most recent value is less than -1d@d from either now() or the value showing your most recent data point (depending on your particular search desires)
Enrich primary with peer group
Here we are comparing the number of 'Secondary Field' values seen today and historically by the 'Primary Field'. multireport is a search operator that allows you to leverage the power of stats, but multiple times.
Now we join the two | stats output together into one, so that we can analyze them together

Azure Data

First we bring in our Azure Audit logs, filtering out some of the noisy read-only operations.
Find where the most recent value is less than -1d@d from either now() or the value showing your most recent data point (depending on your particular search desires)
Enrich primary with peer group
Here we are comparing the number of 'Secondary Field' values seen today and historically by the 'Primary Field'. multireport is a search operator that allows you to leverage the power of stats, but multiple times.
Now we join the two | stats output together into one, so that we can analyze them together

Screenshot of Demo Data