previously_seen_users_in_cloudtrail___initial.yml

name: Previously Seen Users in CloudTrail - Initial
id: 0a87ecf9-dc6a-43af-861a-205e75a09bf5
version: 1
date: '2020-05-28'
author: Rico Valdez, Splunk
type: Baseline
datamodel:
- Authentication
description: This search looks for CloudTrail events where a user logs into the console,
  then creates a baseline of the latest and earliest times, City, Region, and Country
  we have encountered this user in our dataset, grouped by username, within the last
  30 days.
search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication
  where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src
  | iplocation Authentication.src | rename Authentication.user as user Authentication.src
  as src | table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins
  | stats count'
how_to_implement: You must install and configure the Splunk Add-on for AWS (version
  5.1.0 or later) and Enterprise Security 6.2, which contains the required updates
  to the Authentication data model for cloud use cases. Validate the user name entries
  in `previously_seen_users_console_logins`, which is a lookup file created by this
  support search.
known_false_positives: none
references: []
tags:
  analytic_story:
  - Suspicious Cloud Authentication Activities
  detections:
  - Detect AWS Console Login by User from New Country
  - Detect AWS Console Login by User from New Region
  - Detect AWS Console Login by User from New City
  - Detect AWS Console Login by New User
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Authentication.signature
  - Authentication.user
  - Authentication.src
  security_domain: network
deployment:
  scheduling:
    cron_schedule: 0 2 * * 0
    earliest_time: -90d@d
    latest_time: -1d@d
    schedule_window: auto