suspicious_cloud_user_activities.yml
name: Suspicious Cloud User Activities
id: 1ed5ce7d-5469-4232-92af-89d1a3595b39
version: 1
date: '2020-09-04'
author: David Dorsey, Splunk
description: Detect and investigate suspicious activities by users and roles in your
  cloud environments.
narrative: 'It seems obvious that it is critical to monitor and control the users
  who have access to your cloud infrastructure. Nevertheless, it''s all too common
  for enterprises to lose track of ad-hoc accounts, leaving their servers vulnerable
  to attack. In fact, this was the very oversight that led to Tesla''s cryptojacking
  attack in February, 2018.\

  In addition to compromising the security of your data, when bad actors leverage
  your compute resources, it can incur monumental costs, since you will be billed
  for any new instances and increased bandwidth usage.'
references:
- https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
- https://redlock.io/blog/cryptojacking-tesla
tags:
  analytic_story: Suspicious Cloud User Activities
  category:
  - Cloud Security
  product:
  - Splunk Security Analytics for AWS
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring