Unusual Cloud Regions

Description

Looks for activity in IaaS Regions that have not been used before across the organization.

Use Case

Advanced Threat Detection

Category

Account Compromise, Cloud Security, SaaS, Zero Trust

Security Impact

As a best practice, you should monitor activity across any and all IaaS regions. Frequently, organizations focus only on the activity within the set of regions they own because users/administrators look at those consoles more regularly. However, activity in other regions could be malicious activity (bitcoin mining, etc.), or even employees hiding activity where it is often overlooked. In any of these scenarios, changes like this should be monitored for and responded to.

Alert Volume

Low

SPL Difficulty

Basic

Data Availability

Bad

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Valid Accounts
Cloud Accounts

MITRE Threat Groups

Chimera
APT39
FIN4
FIN5
FIN10
Soft Cell
Night Dragon
TEMP.Veles
Leviathan
Dragonfly 2.0
Wizard Spider
OilRig
APT41
Suckfly
Silence
FIN6
Threat Group-3390
APT18
menuPass
APT28
Sandworm Team
PittyTiger
FIN8
Carbanak
APT33

Kill Chain Phases

Actions On Objectives

Data Sources

Azure
AWS
GCP

How to Implement

Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over (or, for the lookup cache feature, the first occurrence over whatever time period you built the lookup). So while there are really no "false positives" in the traditional sense, there is definitely a lot of noise.

Beyond that disclaimer, there are no known false positives from this detection.

How To Respond

When this alert fires, your first instinct should be to validate whether this is intended activity. Reach out to the account owner or the user who spun up those instances to see if this is the result of the organization expanding into new areas. Also look for any indications of known IaaS malware, such as hundreds of expensive instance types associated with Ethereum mining being spun up.

Help

Unusual Cloud Regions Help

This example leverages the Detect New Values search assistant. Our example dataset is a collection of anonymized AWS CloudTrail logs, during which someone does something bad. Our live search looks for the same behavior using the very standardized index and sourcetypes for AWS CloudTrail, GCP and Azure Audit, as detailed in How to Implement.

SPL for Unusual Cloud Regions

Demo Data

First we bring in our basic demo dataset, in this case anonymized AWS CloudTrail logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
Next we calculate the most recent value in our demo dataset.
We end by checking whether the earliest time we've seen this value is within the last day before the end of our demo dataset.

AWS Data

First we bring in our basic dataset, in this case AWS CloudTrail logs.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value is within the last day.

GCP Data

First we bring in our GCP Audit logs.
Next we use Splunk's schema-on-the-fly capabilities to extract the region from GCP's availability zone field.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value is within the last day.

Azure Data

First we bring in our Azure Audit logs.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by checking whether the earliest time we've seen this value is within the last day.
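The four walkthroughs above all describe the same Detect New Values pattern: earliest and latest time per region, the newest timestamp across the whole dataset, then keep regions whose first sighting falls inside the last day. As an added example (not the page's SPL and not Splunk's code), here is that logic in Python over constructed CloudTrail-style events; the zone-to-region helper mirrors the GCP extraction step. The sample events, the `zone` field name used for GCP and the one-day window are assumptions.

```python
"""Detect-new-values logic for cloud regions: first seen within a window of the newest event."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events (sample data, not real logs).
SAMPLE_CLOUDTRAIL = [json.loads(line) for line in """
{"eventTime": "2023-03-01T08:00:00Z", "awsRegion": "us-east-1", "eventName": "ConsoleLogin"}
{"eventTime": "2023-03-05T12:00:00Z", "awsRegion": "eu-west-1", "eventName": "DescribeInstances"}
{"eventTime": "2023-03-20T09:00:00Z", "awsRegion": "us-east-1", "eventName": "RunInstances"}
{"eventTime": "2023-03-29T23:30:00Z", "awsRegion": "eu-west-1", "eventName": "RunInstances"}
{"eventTime": "2023-03-30T10:15:00Z", "awsRegion": "ap-southeast-1", "eventName": "RunInstances"}
{"eventTime": "2023-03-30T18:00:00Z", "awsRegion": "us-east-1", "eventName": "DescribeInstances"}
""".strip().splitlines()]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def gcp_zone_to_region(zone):
    """GCP zones look like 'us-central1-a'; the region is everything before the last dash."""
    return zone.rsplit("-", 1)[0]


def first_seen_regions(events, region_of, window=timedelta(days=1)):
    """Return regions whose earliest event falls within `window` of the newest event.

    Mirrors the walkthrough: stats earliest/latest by region, take the most recent
    timestamp across the whole dataset, keep regions first seen inside the window.
    `region_of` extracts the region from one event (e.g. awsRegion, or a GCP zone).
    """
    earliest, latest = {}, {}
    for event in events:
        region = region_of(event)
        ts = parse_event_time(event["eventTime"])
        earliest[region] = min(earliest.get(region, ts), ts)
        latest[region] = max(latest.get(region, ts), ts)
    if not latest:
        return []
    newest = max(latest.values())  # equivalent of the "most recent value" step
    cutoff = newest - window
    return sorted(r for r, first in earliest.items() if first >= cutoff)


if __name__ == "__main__":
    print(first_seen_regions(SAMPLE_CLOUDTRAIL, lambda e: e["awsRegion"]))
    # → ['ap-southeast-1']
```

A region seen once long ago and again today does not fire, because its earliest sighting is outside the window; that is the behaviour the Known False Positives section describes.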

Screenshot of Demo Data