Hello everyone,
Greetings!
I am trying to build a Google SecOps detection similar to a Splunk behavioral rule for “AWS provisioning activity from a previously unseen geographic region.”
Current logic:
- Detect CloudTrail provisioning actions such as Run* and Create*
- Baseline source geolocation per activity, e.g. country, region, IP, city
- Alert when provisioning comes from a new/unseen location
The issue is with the baseline scale.
The current baseline stores combinations of:
- source IP
- city
- country
- region/state
Because of this, the baseline has grown to around 600,000 rows.
In Splunk, this was implemented using a CSV lookup with historical tracking, but in SecOps we are limited by the Data Table size limit (~1000 rows), so the approach is not scalable as-is.
I am looking for recommendations on how to create a rule that alerts on AWS CloudTrail Run* or Create* operations from a new source IP, city, country, or region.
The expected behavior is:
When a new IP/location combination is seen for the first time, the rule should trigger an alert. After that, the same IP, city, country, and region combination should be treated as already seen and should not trigger again.
Any guidance or architectural recommendations would be appreciated.
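The following is an added example, not code from the original post and not Google SecOps/YARA-L syntax: a small Python model of the "alert once per first-seen combination, then suppress" logic described above, run over constructed CloudTrail-style records. The city/region/country fields are assumed to have been added by an upstream geo-enrichment step (real CloudTrail only carries sourceIPAddress). It runs the same events against two candidate baseline keys, the full IP/city/region/country tuple from the post and a coarser country/region tuple, so you can see that the baseline row count is driven entirely by the cardinality of the key you choose, and that a pre-seeded baseline suppresses already-known combinations.

```python
"""First-seen alerting for AWS CloudTrail provisioning events.

Added illustration of the baseline/suppression logic; not Splunk or
Google SecOps rule syntax. All events below are constructed sample data.
"""
import fnmatch

# Provisioning actions of interest, matched with shell-style wildcards.
PROVISIONING_PATTERNS = ("Run*", "Create*")

# Two candidate baseline keys. FULL_KEY mirrors the post's combination;
# COARSE_KEY drops the high-cardinality dimensions (IP, city).
FULL_KEY = ("sourceIPAddress", "city", "region", "country")
COARSE_KEY = ("country", "region")

# Constructed sample events (RFC 5737 test addresses). The geo fields are
# assumed to come from an upstream enrichment step, not from CloudTrail itself.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "city": "Mumbai",
     "region": "Maharashtra", "country": "IN"},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.10", "city": "Mumbai",
     "region": "Maharashtra", "country": "IN"},
    {"eventTime": "2024-05-01T08:07:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "city": "Frankfurt",
     "region": "Hesse", "country": "DE"},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.11", "city": "Mumbai",
     "region": "Maharashtra", "country": "IN"},
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "CreateBucket",
     "sourceIPAddress": "198.51.100.7", "city": "Frankfurt",
     "region": "Hesse", "country": "DE"},
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "city": "Mumbai",
     "region": "Maharashtra", "country": "IN"},
]


def is_provisioning(event_name, patterns=PROVISIONING_PATTERNS):
    """True if the CloudTrail eventName matches any Run*/Create* pattern."""
    return any(fnmatch.fnmatchcase(event_name, p) for p in patterns)


def location_key(event, dims):
    """Build the baseline key from the chosen dimensions, in a fixed order."""
    return tuple(event.get(d, "") for d in dims)


def first_seen_alerts(events, dims, baseline=None):
    """Return (alerts, updated_baseline).

    A combination alerts the first time it is seen and is then added to the
    baseline, so later events with the same key are suppressed. Passing an
    existing baseline models a persisted lookup carried across rule runs.
    """
    seen = set(baseline or ())
    alerts = []
    for ev in events:
        if not is_provisioning(ev["eventName"]):
            continue  # read-only API calls never touch the baseline
        key = location_key(ev, dims)
        if key in seen:
            continue  # already baselined: no repeat alert
        seen.add(key)
        alerts.append({"eventTime": ev["eventTime"],
                       "eventName": ev["eventName"], "key": key})
    return alerts, seen


def baseline_size(events, dims):
    """Number of baseline rows a given key definition would produce."""
    return len(first_seen_alerts(events, dims)[1])


if __name__ == "__main__":
    for name, dims in (("full", FULL_KEY), ("coarse", COARSE_KEY)):
        alerts, baseline = first_seen_alerts(SAMPLE_EVENTS, dims)
        print(f"{name} key -> {len(alerts)} alerts, {len(baseline)} baseline rows")
        for a in alerts:
            print("  ", a["eventTime"], a["eventName"], a["key"])
```

Running it, the full key alerts three times (the first Mumbai IP, the second Mumbai IP, and Frankfurt) and leaves three baseline rows, while the coarse key alerts twice and leaves two rows; the second and last Mumbai events are suppressed under both keys, and a baseline pre-seeded with the first Mumbai tuple suppresses that event as well. Whatever storage SecOps offers for the baseline, this is the trade-off to decide first: every dimension added to the key multiplies the rows you must persist.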

