forked from splunk/security_content
suspicious_cloud_authentication_activities.yml
name: Suspicious Cloud Authentication Activities
id: 6380ebbb-55c5-4fce-b754-01fd565fb73c
version: 1
date: '2020-06-04'
author: Rico Valdez, Splunk
description: 'Monitor your cloud authentication events. Searches within this Analytic
  Story leverage the recent cloud updates to the Authentication data model to help
  you stay aware of and investigate suspicious login activity.'
narrative: 'It is important to monitor and control who has access to your cloud infrastructure.
  Detecting suspicious logins will provide good starting points for investigations.
  Abusive behaviors caused by compromised credentials can lead to direct monetary
  costs, as you will be billed for any compute activity whether legitimate or otherwise.
  This Analytic Story has data model versions of cloud searches leveraging Authentication
  data, including those looking for suspicious login activity, and cross-account activity
  for AWS.'
references:
- https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
tags:
  analytic_story: Suspicious Cloud Authentication Activities
  category:
  - Cloud Security
  product:
  - Splunk Security Analytics for AWS
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring