Use Case
AWS Cloud Activity Threat Monitoring

AWS environments generate massive amounts of security-relevant data, particularly in AWS CloudTrail and WAF logs. These logs can capture crucial events like access to sensitive resources, API calls, and web attack attempts—essential for incident response and threat hunting.

Incident Response and Threat Hunting

Querying CloudTrail and WAF logs helps identify suspicious activity quickly.

Incident response examples:

  • Trace an unauthorized login attempt.
  • Investigate changes to security groups.
  • Detect unauthorized modifications to IAM roles or policies.
  • Identify unusual activity involving critical AWS services.
  • Investigate failed login attempts or access denials.

Threat hunting examples:

  • Query for unusual API calls originating from unfamiliar IP addresses.
  • Search for instances of privilege escalation involving IAM roles.
  • Identify spikes in denied requests from WAF logs.
  • Look for abnormal data transfer activities across regions.
  • Track unauthorized attempts to disable logging or monitoring.

Challenges

However, due to their scale, CloudTrail and WAF logs can present challenges to overcome.

These log sources can be voluminous, often reaching 1TB per day, which makes traditional SIEM solutions prohibitively expensive—potentially costing $1M or more per year.

If you have hundreds of terabytes or petabytes of these logs, and you need to query for an IP address or other IOCs, it can take 12 hours or more to run a query with Amazon Athena.

Also, due to their deeply nested JSON structure, querying with SQL can be cumbersome.

These roadblocks significantly slow down incident response time and make threat hunting workflows painful.

Solutions

Scanner offers a better approach. By indexing these logs directly in S3, Scanner provides fast, cost-effective search capabilities.

For volumes of 1TB or more, it is common to see cost savings of $500k or more compared to traditional SIEMs when Scanner searches these logs in place in S3.

Incident response and threat hunting teams benefit from Scanner's speed, particularly for high-selectivity queries like IP address and IOC searches.

For example, finding an IP address or other IOC in a petabyte of logs takes tens of seconds, while Athena may take tens of hours.

Example Scenario
Credential and Identity Privilege Escalation

Imagine that an analyst on your security team wants to answer a critical question: "Are we vulnerable to insider threats from employees who can access our AWS infrastructure?"

To investigate, the analyst decides to focus on credential and identity-based threats. Using Scanner, they set up detection rules to look for suspicious AWS actions, such as DeleteRolePolicy or DeleteUserPolicy—operations that might remove key security guardrails. They also watch for UpdateAssumeRolePolicy operations that could modify trust relationships between roles.

A few weeks later, an alert is triggered. The analyst dives into Scanner to search the AWS CloudTrail logs stored in S3, focusing on the event that triggered the alert. They discover that a policy was modified to give a specific user new permissions to create access key credentials on behalf of other users.

Curious, the analyst performs a statistical search using Scanner to look at the activity of this user over the past six months. They find that, historically, the user has had very little activity in AWS—typically performing just a few simple actions each month against a few metrics time series. The sudden privilege escalation to create new access key credentials stands out as a significant and potentially inappropriate action.

Since Scanner can quickly perform searches like this over large amounts of data in S3, this kind of querying over large time ranges is easy to do. There is no need to rehydrate or reingest logs back into a SIEM, which can take several hours and is expensive in terms of both ingest costs and wasted time for the security team.

To keep an eye on the situation, the analyst creates a saved search in Scanner to track all activity related to the user whose privileges were escalated. They also set up a new detection rule to watch for any further sensitive credential and identity-based operations by this user, including commands like CreateAccessKey and CreateLoginProfile on users who previously hadn't logged in to the AWS console.
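The scenario above describes two detection rules (guardrail-weakening IAM operations, then credential creation by a watched user) and a statistical baseline of one user's monthly activity. The following is an added example, not Scanner's query language or the page's own code: it runs the same logic in plain Python over a constructed CloudTrail-style log file, flattening the nested JSON so rules can refer to fields like `userIdentity.userName` and `requestParameters.userName` by dotted path. The user names, account ID, IP addresses, timestamps and policy names are all constructed sample values.

```python
import json
from collections import Counter

# Operations from the scenario that remove guardrails or change role trust.
GUARDRAIL_EVENTS = {"DeleteRolePolicy", "DeleteUserPolicy", "UpdateAssumeRolePolicy"}
# Operations from the scenario's follow-up rule: creating credentials for users.
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile"}

# Constructed CloudTrail-style log (the "Records" array of one log file).
# Field names follow the CloudTrail record format; every value is made up.
_JDOE = {"type": "IAMUser", "userName": "jdoe",
         "arn": "arn:aws:iam::111122223333:user/jdoe"}
_OPS = {"type": "IAMUser", "userName": "admin-ops",
        "arn": "arn:aws:iam::111122223333:user/admin-ops"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:02:11Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "GetMetricData", "sourceIPAddress": "203.0.113.10", "userIdentity": _JDOE},
    {"eventTime": "2024-02-20T10:15:42Z", "eventSource": "monitoring.amazonaws.com",
     "eventName": "GetMetricData", "sourceIPAddress": "203.0.113.10", "userIdentity": _JDOE},
    # Policy change granting jdoe new permissions (what the investigation uncovers).
    {"eventTime": "2024-06-03T14:30:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.44", "userIdentity": _OPS,
     "requestParameters": {"userName": "jdoe", "policyName": "AllowKeyCreation"}},
    # Trust-relationship change: this is the event the first rule alerts on.
    {"eventTime": "2024-06-04T09:01:19Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy", "sourceIPAddress": "203.0.113.44",
     "userIdentity": _OPS, "requestParameters": {"roleName": "DeployRole"}},
    # jdoe creating an access key for another user: the second rule alerts on this.
    {"eventTime": "2024-06-05T11:47:33Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10", "userIdentity": _JDOE,
     "requestParameters": {"userName": "svc-backup"}},
]})


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys (lists are kept as values), so a rule
    can read 'userIdentity.userName' instead of walking the JSON by hand."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def load_records(raw_log):
    """Parse a CloudTrail log file body and flatten every record."""
    return [flatten(r) for r in json.loads(raw_log)["Records"]]


def guardrail_alerts(records):
    """Rule 1: IAM operations that weaken policies or role trust."""
    return [r for r in records
            if r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") in GUARDRAIL_EVENTS]


def credential_alerts(records, watched_user):
    """Rule 2: the watched principal creating credentials; returns (action, target user)."""
    return [(r["eventName"], r.get("requestParameters.userName"))
            for r in records
            if r.get("userIdentity.userName") == watched_user
            and r.get("eventName") in CREDENTIAL_EVENTS]


def events_targeting_user(records, user):
    """Investigation pivot: events whose request named this user as the target."""
    return [r for r in records if r.get("requestParameters.userName") == user]


def monthly_activity(records, user):
    """Statistical baseline: number of events per month for one principal."""
    counts = Counter(r["eventTime"][:7] for r in records
                     if r.get("userIdentity.userName") == user)
    return dict(sorted(counts.items()))


def first_seen_actions(records, user):
    """Map each action the user has performed to the time it was first seen;
    an action first seen recently, against a quiet history, is the outlier."""
    first_seen = {}
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        if r.get("userIdentity.userName") == user:
            first_seen.setdefault(r["eventName"], r["eventTime"])
    return first_seen


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for alert in guardrail_alerts(recs):
        print("guardrail alert:", alert["eventTime"], alert["eventName"], alert["userIdentity.userName"])
    print("policy changes targeting jdoe:", [r["eventName"] for r in events_targeting_user(recs, "jdoe")])
    print("jdoe monthly activity:", monthly_activity(recs, "jdoe"))
    print("jdoe first-seen actions:", first_seen_actions(recs, "jdoe"))
    print("credential alerts for jdoe:", credential_alerts(recs, "jdoe"))
```

The baseline here is deliberately simple (events per month and first-seen actions per principal); the point is that the same rule and baseline logic is what a search tool applies across the full retention window, where the cost is in how many terabytes must be scanned to answer it.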

With the context in hand, the analyst reaches out to the rest of the security team. Together, they contact the employee and their manager to understand what's happening, determine whether there's a legitimate reason for the change, and reduce the user's privileges back to an appropriate level if needed.

Using Scanner, the analyst was able to quickly detect, investigate, and respond to a potential insider threat—helping to protect the organization from unauthorized access.

Whether you're responding to incidents or hunting for threats, Scanner can help you quickly get to the answers you need.
