
Commit 3d1fde6

Author: Patrick Bareiss (committed)
Add ASL AWS CloudTrail data source
1 parent a3be9d4 commit 3d1fde6

28 files changed: +66 -27 lines changed
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
name: ASL AWS CloudTrail
2+
id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
3+
version: 1
4+
date: '2025-01-14'
5+
author: Patrick Bareiss, Splunk
6+
description: Data source object for ASL AWS CloudTrail
7+
source: aws_asl
8+
sourcetype: aws:asl
9+
separator: api.operation
10+
supported_TA:
11+
- name: Splunk Add-on for AWS
12+
url: https://splunkbase.splunk.com/app/1876
13+
version: 7.9.0
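Review bot: the `description` field ("Data source object for ASL AWS CloudTrail") tells a reader nothing beyond the name; since every detection in this commit states that the events come from Amazon Security Lake parsed in OCSF format and this file binds them to `sourcetype: aws:asl`, say so here. Also consider listing the Federated Analytics App under `supported_TA`, because the detections' `how_to_implement` text names it as an alternative ingestion path while this file pins only `Splunk Add-on for AWS` at `version: 7.9.0`.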

detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: Anomaly
88
description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
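Review bot: the description says the search identifies multiple IP addresses "associated with the same user session", but the `stats ... by _time actor.user.uid` clause groups by user, not by session, so one IAM user active from two devices inside the same 5-minute bin also fires; either reword the description to say "per user", or group on a session identifier if the OCSF event carries one. Also, `Ips` in `known_false_positives` should read `IPs`.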

detections/cloud/asl_aws_create_access_key.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: Hunting
88
description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.
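Review bot: the description claims the search detects "instances where the user creating the access key is different from the user for whom the key is created", but the search only filters `api.operation=CreateAccessKey` and never extracts the target user from `api.request.data`, so every key creation, including a user creating a key for themselves, is returned. Either parse the request with `spath input=api.request.data` (as the other searches in this commit do) and compare the requested user name with `actor.user.uid`, or narrow the description to what the search actually does.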

detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: TTP
88
description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity.
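Review bot: the description and the file name refer to `CreatePolicyVersion`, but the search matches `api.operation=CreatePolicy`, so new versions added to an existing policy, the case this detection is named for, are never evaluated; use `api.operation IN ("CreatePolicy","CreatePolicyVersion")` or align the description with the operation actually searched. Separately, `regex Statement{}.Action="\*"` matches any action string containing an asterisk anywhere, which is broader than the "all resources" wording of the description; anchor the pattern if only a bare `*` is intended.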

detections/cloud/asl_aws_credential_access_getpassworddata.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: Anomaly
88
description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
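Review bot: the description says the search detects this activity "by counting the distinct instance IDs accessed", but the search groups `by ... instanceId` and emits a plain `count` per instance, and the `known_false_positives` text relies on "several calls in a short period of time" while no threshold is applied anywhere in the search; either add a `dc(instanceId)` over a time bin with a `where` threshold, or reword both fields to describe the per-instance listing this search actually produces. The description is also missing a space in "identifiesGetPasswordData".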

detections/cloud/asl_aws_credential_access_rds_password_reset.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: TTP
88
description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: Users may genuinely reset the RDS password.
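Review bot: the search also matches `api.operation=ModifyDBCluster`, but the description mentions only `ModifyDBInstance` and "an Amazon RDS DB instance"; state that DB cluster master password changes are covered too, so an analyst triaging a cluster hit is not surprised by an operation the description never names.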

detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: TTP
88
description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity.
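Review bot: the `known_false_positives` line says an admin may have "stopped cloudTrail logging", but the search matches `DeleteTrail`, which removes the trail rather than pausing it (stopping logging is a separate operation not covered by this search); reword to "deleted a CloudTrail trail" and fix the capitalisation of CloudTrail.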

detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Splunk
66
status: production
77
type: TTP
88
description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity.

detections/cloud/asl_aws_defense_evasion_impair_security_services.yml

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,8 @@ author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk
66
status: production
77
type: Hunting
88
description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment.
9-
data_source: []
9+
data_source:
10+
- ASL AWS CloudTrail
1011
search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`'
1112
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1213
known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
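Review bot: the `rename actor.user.account_uid as aws_account_id` clause refers to a field that does not exist after `stats`, which grouped by `actor.user.account.uid` (dots, not an underscore), so `aws_account_id` will always be empty; rename `actor.user.account.uid` instead. The `known_false_positives` text also tells users to filter on `userAgent` and `user_arn`, but this search outputs `user_agent` and `user`, so the guidance should name the fields that actually exist in the results.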

detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ status: production
77
type: Hunting
88
description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.
99
data_source:
10-
- AWS CloudTrail PutBucketLifecycle
10+
- ASL AWS CloudTrail
1111
search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`'
1212
how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
1313
known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
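Review bot: the description says the rule fires for "an expiration period of fewer than three days", but the search reads only `LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays`, so a lifecycle rule that expires current objects through an `Expiration` days setting is not covered; either extract that path as well or narrow the description to noncurrent-version expiration. If the request data renders `Rule` as an array, the `spath` path also needs `Rule{}` to resolve. The `known_false_positives` text refers to `userAgent` and `user_arn`, which are not fields this search outputs (`user_agent` and `user` are).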
