Detect S3 Access From A New IP

Description

This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS

Alert Volume

This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Collection

MITRE ATT&CK Techniques

Data from Cloud Storage Object

Data from Cloud Storage Object

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail
Web Server

   Help

Detect S3 Access From A New IP Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names.

   Search

Open in Search