Unusual Cloud Regions

Description

Looks for activity in IaaS Regions that have not been used before across the organization.


Use Case

Advanced Threat Detection

Category

Account Compromise, SaaS

Security Impact

As a best practice, you should monitor activity across any and all IaaS regions. Frequently, organizations focus only on the activity within the set of regions they own because users/administrators look at those consoles more regularly. However, activity in other regions could be malicious activity (bitcoin mining, etc.), or even employees hiding activity where it is often overlooked. In any of these scenarios, changes like this should be monitored for and responded to.

Alert Volume

Low

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Persistence
Privilege Escalation

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT3
APT32
APT33
APT39
APT41
Carbanak
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Soft Cell
Stolen Pencil
Suckfly
TEMP.Veles
Threat Group-1314
Threat Group-3390
menuPass

Kill Chain Phases

Actions on Objectives

Data Sources

Audit Trail
GCP
Azure
AWS

How to Implement

Assuming you use the ubiquitous AWS, GCP, or Azure Add-ons for Splunk to pull these logs in, this search should work automatically for you without issue. While implementing, make sure you follow the best practice of specifying the index for your data.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time it fires, it accurately reflects the first occurrence of that value in the time period you're searching over (or, with the lookup cache feature, the first occurrence over whatever time period you built the lookup from). So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

Beyond that disclaimer, there are no known false positives from this detection.

How To Respond

When this alert fires, your first instinct should be to validate whether this is intended activity. Reach out to the account owner or the user who spun up those instances to see if this is the result of the organization expanding into new areas. Also look for any indications of known IaaS malware, such as hundreds of expensive instance types associated with ethereum mining being spun up.

Help

Unusual Cloud Regions Help

This example leverages the Detect New Values search assistant. Our example dataset is a collection of anonymized AWS CloudTrail logs, during which someone does something bad. Our live search looks for the same behavior using the very standardized index and sourcetypes for AWS CloudTrail, GCP and Azure Audit, as detailed in How to Implement.

SPL for Unusual Cloud Regions

Demo Data

First we bring in our basic demo dataset, in this case anonymized AWS CloudTrail logs. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
Next we calculate the most recent timestamp in our demo dataset.
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

AWS Data

First we bring in our basic dataset, in this case AWS CloudTrail logs.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.

GCP Data

First we bring in our GCP Audit logs.
Next we use Splunk's schema-on-the-fly capabilities to extract the region from GCP's availability zone field.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.

Azure Data

First we bring in our Azure Audit logs.
Here we use the stats command to calculate the earliest and latest times we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
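The four walkthroughs above (demo data, AWS, GCP, Azure) all describe the same first-seen logic: group by region, take earliest and latest per group, then keep the groups whose earliest activity falls within the last day. The following is an added example, not the page's SPL or any Splunk Security Essentials code, that implements that logic in plain Python over constructed events so the behaviour can be checked offline. It assumes CloudTrail's awsRegion field, a GCP zone label of the form "us-central1-a" that is reduced to its region (the same extraction step the GCP walkthrough describes), and an Azure location field; the events and the normalized "time" field are constructed for the example.

```python
"""Added example: first-seen cloud-region detection over constructed audit events.

Mirrors the page's procedure in Python rather than SPL: load events, compute
earliest/latest per (provider, region), find the end of the dataset, and flag
regions first seen within the last day. Field names are assumptions made for
this example; the events are constructed, not real audit logs.
"""
from datetime import datetime, timedelta, timezone

ONE_DAY = timedelta(days=1)

# Constructed sample events (not real logs). "time" stands in for Splunk's _time.
SAMPLE_EVENTS = [
    {"provider": "aws", "time": "2024-03-01T09:00:00Z", "awsRegion": "us-east-1", "eventName": "RunInstances"},
    {"provider": "aws", "time": "2024-03-05T11:30:00Z", "awsRegion": "us-east-1", "eventName": "DescribeInstances"},
    {"provider": "gcp", "time": "2024-03-02T08:15:00Z", "zone": "us-central1-a", "methodName": "v1.compute.instances.insert"},
    # A new zone inside an already-known region: should NOT be flagged as a new region.
    {"provider": "gcp", "time": "2024-03-06T08:15:00Z", "zone": "us-central1-b", "methodName": "v1.compute.instances.insert"},
    {"provider": "azure", "time": "2024-03-03T10:00:00Z", "location": "eastus", "operationName": "Microsoft.Compute/virtualMachines/write"},
    # A region that first appears within the last day of the dataset: this is the hit.
    {"provider": "aws", "time": "2024-03-07T02:00:00Z", "awsRegion": "ap-southeast-2", "eventName": "RunInstances"},
    {"provider": "aws", "time": "2024-03-07T03:00:00Z", "awsRegion": "ap-southeast-2", "eventName": "RunInstances"},
    {"provider": "aws", "time": "2024-03-07T06:00:00Z", "awsRegion": "us-east-1", "eventName": "DescribeInstances"},
]


def parse_time(value):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def gcp_zone_to_region(zone):
    """Reduce a GCP zone such as 'us-central1-a' to its region 'us-central1'.

    Only a trailing single-letter suffix is stripped, so a value that is
    already a region (e.g. 'europe-west1') is returned unchanged.
    """
    head, sep, tail = zone.rpartition("-")
    if sep and len(tail) == 1 and tail.isalpha():
        return head
    return zone


def extract_region(event):
    """Return the region for an event, using the assumed per-provider field names."""
    provider = event.get("provider")
    if provider == "aws":
        return event.get("awsRegion")
    if provider == "gcp":
        zone = event.get("zone")
        return gcp_zone_to_region(zone) if zone else None
    if provider == "azure":
        return event.get("location")
    return None


def region_stats(events):
    """Equivalent of 'stats earliest(_time) latest(_time) count by provider, region'."""
    stats = {}
    for event in events:
        region = extract_region(event)
        if not region:
            continue  # events without a region cannot be attributed; skip them
        t = parse_time(event["time"])
        key = (event["provider"], region)
        entry = stats.setdefault(key, {"earliest": t, "latest": t, "count": 0})
        entry["earliest"] = min(entry["earliest"], t)
        entry["latest"] = max(entry["latest"], t)
        entry["count"] += 1
    return stats


def first_seen_regions(events, now=None, window=ONE_DAY):
    """Return (provider, region, first_seen_iso, count) for regions first seen
    within `window` of `now`.

    With now=None the end of the dataset (latest timestamp seen) is used, which
    is the demo-data behaviour; pass datetime.now(timezone.utc) for the live
    search behaviour of 'within the last day'.
    """
    stats = region_stats(events)
    if not stats:
        return []
    if now is None:
        now = max(entry["latest"] for entry in stats.values())
    cutoff = now - window
    hits = [
        (provider, region, entry["earliest"].isoformat(), entry["count"])
        for (provider, region), entry in stats.items()
        if entry["earliest"] >= cutoff
    ]
    return sorted(hits)


if __name__ == "__main__":
    for hit in first_seen_regions(SAMPLE_EVENTS):
        print("new region:", hit)
```

The zone-to-region reduction is what keeps a new zone inside a familiar region from firing, which is the noise the "Known False Positives" section warns about; if you grouped on the raw zone instead, the constructed us-central1-b event would also be reported. In a live deployment the same function is run with `now=datetime.now(timezone.utc)` and a feed of recent events, whereas the demo-data mode anchors "the last day" to the end of the sample.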

Screenshot of Demo Data