Detect and Investigate Malicious Activity in Your AWS Environment with Splunk Enterprise Security Content Update

Many cloud-enabled organizations leverage Amazon Web Services' (AWS) virtual private cloud (VPC), an on-demand managed cloud-computing service that isolates tenants' computing resources as an added layer of security. Amazon VPC provides clients with a private, non-routable subnet and a means to create IPsec tunnels between the home network and the AWS VPC. The traffic that flows in and out of this VPC can be controlled via network access-control rules and security groups.

Amazon VPC: Convenient for you, convenient for hackers

It all sounds perfectly ducky...until the moment you realize attackers could abuse your AWS infrastructure with insecure VPCs in their efforts to co-opt AWS resources for command-and-control nodes, data exfiltration, or a number of other nefarious ends. Once an EC2 instance is compromised, an attacker *could* initiate outbound network connections for malicious reasons. 

A better way to keep tabs on your cloud traffic

Monitoring network traffic behaviors is crucial to understanding the types of traffic flowing in and out of your network and to alerting you to suspicious activities. A new Analytic Story in the May 9 release of Enterprise Security Content Update (ESCU), "Suspicious AWS Traffic," will monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors that could be indicative of malicious activity within your VPC. At that point, you can determine whether to investigate further.
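As an added illustration of the kind of check such a story performs (example code written for this post, not the ESCU search itself), the Python below parses constructed VPC Flow Log lines in the default format and flags VPC sources that fan out to many external hosts or send accepted traffic to ports outside a baseline; the VPC range, the port allowlist and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed VPC Flow Log records in the default (v2) format, not real data. Fields: version
# account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 52.95.110.1 49152 443 6 12 3400 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.77 203.0.113.10 41000 4444 6 30 9000 1620000000 1620000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.77 198.51.100.5 41001 4444 6 25 8000 1620000060 1620000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.77 198.51.100.6 41002 8080 6 15 5000 1620000120 1620000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.77 198.51.100.8 41004 22 6 5 1200 1620000240 1620000300 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.99 10.0.2.14 50000 3306 6 40 12000 1620000000 1620000060 ACCEPT OK
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC address range
EXPECTED_EGRESS_PORTS = {80, 443, 53}            # assumed baseline of sanctioned outbound ports
MAX_DISTINCT_EXTERNAL_DESTS = 2                  # assumed fan-out threshold per source

def parse_flow_logs(text):
    # Parse default-format lines; drop malformed lines and NODATA/SKIPDATA records
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records

def find_suspicious_sources(records):
    # Only accepted flows leaving the VPC count as egress; REJECTs were already blocked
    external_dests, odd_ports = defaultdict(set), defaultdict(set)
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if r["action"] != "ACCEPT" or src not in VPC_CIDR or dst in VPC_CIDR:
            continue
        external_dests[r["srcaddr"]].add(r["dstaddr"])
        if r["dstport"] not in EXPECTED_EGRESS_PORTS:
            odd_ports[r["srcaddr"]].add(r["dstport"])
    findings = {}
    for src, dests in external_dests.items():
        reasons = []
        if len(dests) > MAX_DISTINCT_EXTERNAL_DESTS:
            reasons.append(f"fan-out to {len(dests)} external hosts")
        if odd_ports[src]:
            reasons.append(f"unexpected egress ports {sorted(odd_ports[src])}")
        if reasons:
            findings[src] = reasons
    return findings
```

On the constructed sample, only 10.0.1.77 is flagged: the benign 10.0.1.25 host, the rejected SSH attempt and the VPC-internal MySQL flow all fall outside the two signals.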

Other updates included in this week's ESCU release are new detection, contextual, and support searches for the previously released "AWS Network ACL Activity" Analytic Story, which can help you monitor your AWS network infrastructure for bad configurations and malicious activity. 

Update the Enterprise Security Content Update app now on Splunkbase to ensure you always have the latest analytics!


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate, and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
