Skip to content

the day after 8 million requests #3328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pyth0n1c merged 20 commits into from
Feb 20, 2025
Merged

the day after 8 million requests #3328

pyth0n1c merged 20 commits into from
Feb 20, 2025

Conversation

@josehelps
Copy link
Collaborator

@josehelps josehelps commented Feb 12, 2025
edited
Loading

AWS S3 Bucket Security: Decommissioned Bucket Detections

Changes

  • ✨ New analytic story for AWS S3 bucket security monitoring
  • πŸ” New baseline to track public S3 buckets that get deleted
  • 🚨 Two new detections:
    • DNS queries to decommissioned buckets
    • Web access to decommissioned buckets

Technical Details

  • Uses CloudTrail logs, DNS queries, and web proxy data
  • Leverages Network_Resolution and Web data models
  • Weekly scheduled baseline updates

Missing

Purpose

Helps detect bucket hijacking by tracking and detecting access to previously public S3 buckets that were decommissioned. As seen on https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/

@josehelps josehelps changed the title first draft the day after 8 million requests Feb 13, 2025
@josehelps
Copy link
Collaborator Author

josehelps commented Feb 13, 2025

PR for dataset splunk/attack_data#960

@pyth0n1c
Copy link
Collaborator

pyth0n1c commented Feb 19, 2025
edited
Loading

There are a number of changes to this detection:

  1. Converting from CSV to KVStore storage for baseline results:
  2. Needing to change the original baseline data file https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/decommissioned_buckets/cloudtrail.json from formatted JSON with newlines between keys to JSONL (required for the data to be properly parsed by Splunk)
  3. The fact that this is manual test and the changes above mean it must be manual_tested again

Which mean it will not make it into the 5.1 release. This detection should make it into the 5.2 release.

Because of these changes and the need to retest, I have converted this PR back to WIP.

@pyth0n1c pyth0n1c added the WIP DO NOT MERGE Work in Progress label Feb 19, 2025
@ljstella ljstella added this to the v5.2.0 milestone Feb 20, 2025
@josehelps josehelps modified the milestones: v5.2.0, v5.1.0 Feb 20, 2025
pyth0n1c
pyth0n1c approved these changes Feb 20, 2025
View reviewed changes
Copy link
Collaborator

@pyth0n1c pyth0n1c left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed this is ready to merge after discussions with author.

@pyth0n1c pyth0n1c removed the WIP DO NOT MERGE Work in Progress label Feb 20, 2025
@pyth0n1c pyth0n1c merged commit 0eb6830 into develop Feb 20, 2025
4 checks passed
@pyth0n1c pyth0n1c deleted the 8_million_requests branch February 20, 2025 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patel-bhavin patel-bhavin patel-bhavin left review comments

@pyth0n1c pyth0n1c pyth0n1c approved these changes

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

@P4T12ICK P4T12ICK Awaiting requested review from P4T12ICK

Assignees

No one assigned

Labels

Baselines Detections Lookups Stories

Projects

None yet

Milestone

v5.1.0

Development

Successfully merging this pull request may close these issues.

4 participants

@josehelps @pyth0n1c @patel-bhavin @ljstella