Send Slack alerts when large AWS EC2 instances are launched

Once you begin collecting AWS data in Splunk using the Splunk Add-on for AWS, a lot of detection capabilities open up. We will cover the use case of detecting when large EC2 instances are launched, such as instance types 2xlarge, 4xlarge or 8xlarge, with or without GPU.

Due to their high CPU and memory specs, these instances are prime targets for bitcoin miners, so detecting the launch of such instances can indicate a compromised AWS access key.

Generate configuration files for Splunk Add-on for AWS using Ansible

The Splunk Add-on for AWS is an add-on that collects data from AWS services. At the time of writing, it can seamlessly collect AWS Config, AWS Config Rules, AWS CloudTrail, CloudWatch, CloudWatch Logs, AWS Inspector, Kinesis, S3 via SQS and billing data.

This article covers the method of collecting data using IAM roles: create an IAM role for EC2, attach it to the Splunk instance where the AWS Add-on is installed, then configure that role for the collection jobs.
