Detect Spike In Security Group Activity

Description

This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS

Alert Volume

This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Cloud Accounts

MITRE Threat Groups

APT33

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

   Help

Detect Spike In Security Group Activity Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify dataPointThreshold and deviationThreshold to better fit your environment. The dataPointThreshold variable is the minimum number of data points required to have a statistically significant amount of data to determine. The deviationThreshold variable is the number of standard deviations away from the mean that the value must be to be considered a spike.This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro security_group_api_calls.

   Search

Open in Search