WEEK_4 · DAY_28 · 1 HOUR
Cloud & SaaS Detection
AWS, Azure/Entra ID, O365, Okta — modern attack surface
Learning Objectives
- Onboard CloudTrail, Azure Activity Log, O365 Unified Audit, Okta
- Detect impossible travel, MFA fatigue, OAuth abuse
- Use Splunk Add-ons for major clouds
- Map cloud attack TTPs (T1078.004, T1098.005, T1556.006)
Module 1 — Cloud Log Sources
AWS: CloudTrail (control plane; management events are on by default, S3/Lambda data events must be enabled per trail), VPC Flow Logs (data plane), GuardDuty (managed findings).
Azure: Activity Log (subscription control plane) + Entra ID Sign-in Logs + Audit Logs (identity plane).
O365: Unified Audit Log, pulled through the Office 365 Management Activity API.
Okta: System Log, pulled from the /api/v1/logs endpoint.
All have Splunkbase add-ons: Splunk Add-on for AWS, Splunk Add-on for Microsoft Cloud Services (Azure/Entra), Splunk Add-on for Microsoft Office 365, Splunk Add-on for Okta Identity Cloud.
Module 2 — Top Cloud Detections
Impossible travel — same user, two successful logons from distant geos in a window too short to travel between them (expect false positives from VPN/cloud egress and coarse geo-IP; tune with an allowlist of known egress ranges).
MFA fatigue (push bombing) — 5+ MFA challenges failed or denied for one user in 5 minutes; the MFA success that follows the burst is the takeover.
OAuth app consent — a new grant of high-privilege scopes (mail, files, directory) to an app, especially user consent to an unverified publisher (Entra ID "Consent to application" audit events).
Disabled MFA — a user removes or deactivates their own factor (Okta user.mfa.factor.deactivate; the corresponding Entra ID authentication-method audit events).
S3 bucket made public — CloudTrail PutBucketAcl with an AllUsers grant, PutBucketPolicy with Principal "*", or a weakened or deleted public access block.
SPL Queries
Impossible travel
index=okta event_type=user.session.start outcome.result=SUCCESS
| iplocation src_ip
| sort 0 user _time
| streamstats current=f last(Country) as prev_country last(src_ip) as prev_ip last(_time) as prev_time by user
| eval gap_min=round((_time-prev_time)/60)
| where isnotnull(prev_country) AND Country!=prev_country AND src_ip!=prev_ip AND gap_min<60
| table _time user prev_ip prev_country src_ip Country gap_min
// Compares each successful logon with the same user's previous one: a different country from a different source IP within 60 minutes fires. A single earliest/latest over the whole search window cannot do this, because it cannot tell whether the two countries were 5 minutes or 20 hours apart.
// user and src_ip are the CIM names the Okta TA maps (raw fields actor.alternateId / client.ipAddress). iplocation is coarse, so exclude known VPN and cloud egress ranges; a distance-over-time check on lat/lon is the stricter follow-up.
MFA fatigue
index=okta event_type=user.authentication.auth_via_mfa outcome.result=FAILURE
| bin _time span=5m
| stats count as denials values(outcome.reason) as reasons dc(src_ip) as sources by user _time
| where denials>=5
// 5+ failed or denied MFA challenges for one user inside a 5-minute bucket = push-bombing. Fixed buckets can split a burst across two bins; streamstats with time_window=5m avoids that. The MFA success that follows a burst is the approval that completes the takeover, so alert on that pairing too.
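Worked example (added here; it is not part of the course materials, nor Splunk's or Okta's code): the two detections above implemented in Python over constructed Okta System Log events, so the logic can be run and tested outside Splunk. It goes one step past the SPL by using the lat/lon Okta records on each event for a distance-over-time check rather than a country change, and by noting whether an MFA success follows a denial burst. The event shape, the sample data and the 900 km/h and 500 km thresholds are assumptions.

```python
"""Identity detections over Okta System Log events: impossible travel and MFA fatigue.

Assumes the Okta System Log JSON shape (published, eventType, actor.alternateId,
client.ipAddress, client.geographicalContext.country and .geolocation.lat/lon,
outcome.result). All events below are constructed samples, not captured data."""
import math
from collections import defaultdict
from datetime import datetime, timedelta


def mk(event_type, user, ip, when, result, country=None, lat=None, lon=None):
    """Build one constructed Okta-style event."""
    geo = {"country": country, "geolocation": {"lat": lat, "lon": lon}}
    return {"published": when, "eventType": event_type, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": geo},
            "outcome": {"result": result}}


# alice: New York -> London in 45 min (flag). bob: Berlin -> Paris in 5 h (benign).
# dave: six MFA failures in 150 s, then a success (push-bombing followed by takeover).
SAMPLE_EVENTS = [
    mk("user.session.start", "alice@example.com", "198.51.100.10",
       "2024-05-01T10:00:00.000Z", "SUCCESS", "United States", 40.7128, -74.0060),
    mk("user.session.start", "alice@example.com", "203.0.113.7",
       "2024-05-01T10:45:00.000Z", "SUCCESS", "United Kingdom", 51.5074, -0.1278),
    mk("user.session.start", "bob@example.com", "198.51.100.20",
       "2024-05-01T09:00:00.000Z", "SUCCESS", "Germany", 52.5200, 13.4050),
    mk("user.session.start", "bob@example.com", "198.51.100.21",
       "2024-05-01T14:00:00.000Z", "SUCCESS", "France", 48.8566, 2.3522),
] + [
    mk("user.authentication.auth_via_mfa", "dave@example.com", "192.0.2.99",
       f"2024-05-01T12:0{i // 2}:{'30' if i % 2 else '00'}.000Z", "FAILURE")
    for i in range(6)
] + [
    mk("user.authentication.auth_via_mfa", "dave@example.com", "192.0.2.99",
       "2024-05-01T12:03:10.000Z", "SUCCESS"),
]


def ts(event):
    """Parse Okta's ISO-8601 'published' timestamp into an aware datetime."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=500.0):
    """Flag consecutive successful logons per user that imply faster-than-airliner travel.
    min_distance_km suppresses geo-IP jitter between nearby cities; a repeat logon from
    the same IP is skipped because its geolocation cannot really have changed."""
    by_user = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            by_user[e["actor"]["alternateId"]].append(e)
    alerts = []
    for user, logons in by_user.items():
        logons.sort(key=ts)
        for prev, cur in zip(logons, logons[1:]):
            if prev["client"]["ipAddress"] == cur["client"]["ipAddress"]:
                continue
            g1, g2 = prev["client"]["geographicalContext"], cur["client"]["geographicalContext"]
            km = haversine_km(g1["geolocation"]["lat"], g1["geolocation"]["lon"],
                              g2["geolocation"]["lat"], g2["geolocation"]["lon"])
            if km < min_distance_km:
                continue
            hours = max((ts(cur) - ts(prev)).total_seconds(), 1.0) / 3600  # floor at 1 s
            kmh = km / hours
            if kmh > max_speed_kmh:
                alerts.append({"user": user, "from": g1["country"], "to": g2["country"],
                               "km": round(km), "minutes": round(hours * 60), "kmh": round(kmh)})
    return alerts


def mfa_fatigue(events, threshold=5, window_s=300):
    """Flag users with >= threshold failed MFA challenges inside any window_s seconds, and
    record whether an MFA success followed the burst (the victim finally tapping Approve)."""
    fails, wins = defaultdict(list), defaultdict(list)
    for e in events:
        if e["eventType"] == "user.authentication.auth_via_mfa":
            bucket = fails if e["outcome"]["result"] == "FAILURE" else wins
            bucket[e["actor"]["alternateId"]].append(ts(e))
    alerts = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = [t for t in times if 0 <= (t - times[start]).total_seconds() <= window_s]
                followed = any(burst[-1] < s <= burst[-1] + timedelta(seconds=window_s) for s in wins[user])
                alerts.append({"user": user, "failures": len(burst),
                               "start": times[start].isoformat(), "followed_by_success": followed})
                break  # one alert per user per run
    return alerts
```

Both functions key on the user, not the IP, which is the point of the "identity is the perimeter" takeaway: the same-IP skip and the minimum-distance floor are the two knobs that keep geo-IP noise from paging you, and followed_by_success is the field that separates a nuisance burst from an account takeover.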
Lab 28 — Cloud Detection
- Open Splunk → Search.
- Run the impossible travel query.
- Run the MFA fatigue query.
- List 3 more cloud detections you'd build first.
Key Takeaways
- ✓ Cloud is the core attack surface now: get control-plane and identity logs in before anything else
- ✓ Use the Splunk add-ons for AWS / Azure / O365 / Okta rather than hand-rolled collectors; they handle API paging and field mapping
- ✓ Identity is the perimeter: these detections key on the user, not the source IP