WEEK_4 · DAY_28 · LAB
Lab 28 — Cloud Detection
AWS, Azure/Entra ID, O365, Okta — modern attack surface
Lab Objectives
- Onboard CloudTrail, Azure Activity Log, O365 Unified Audit, Okta
- Detect impossible travel, MFA fatigue, OAuth abuse
- Use Splunk Add-ons for major clouds
- Map cloud attack TTPs (T1078.004, T1098.005, T1556.006)
Lab Instructions
1. Open Splunk → Search.
2. Run the impossible travel query.
3. Run the MFA fatigue query.
4. List 3 more cloud detections you'd build first.
SPL for this Lab
Impossible travel
index=okta event_type=user.session.start | iplocation src_ip | stats earliest(_time) as first latest(_time) as last values(Country) as countries dc(Country) as country_count by user | where country_count > 1 AND (last - first) < 3600
// Multi-country logon within 1 hour for same user.
MFA fatigue
index=okta event_type=user.authentication.auth_via_mfa outcome.result=FAILURE | bin _time span=5m | stats count by user, _time | where count > 5
// 5+ failed MFA in 5 min = push-bombing.
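The two SPL searches above, re-implemented in plain Python over constructed Okta-style events so the logic can be checked without a Splunk instance. This is an added example, not part of the lab or the Splunk Okta add-on; field names (`event_type`, `user`, `country`, `outcome`) and all sample events are assumptions, and `country` stands in for what `iplocation src_ip` would resolve.

```python
"""Reference implementation of the lab's two Okta detections over constructed events."""
from collections import defaultdict

WINDOW_SEC = 3600      # impossible travel: multi-country logons within 1 hour
BIN_SEC = 300          # MFA fatigue: 5-minute buckets, mirrors `bin _time span=5m`
MFA_THRESHOLD = 5      # mirrors `where count > 5`

# Constructed sample events (not real Okta data). `t` is epoch seconds.
EVENTS = [
    {"t": 1000, "event_type": "user.session.start", "user": "alice", "country": "US"},
    {"t": 2200, "event_type": "user.session.start", "user": "alice", "country": "DE"},
    {"t": 1000, "event_type": "user.session.start", "user": "bob",   "country": "US"},
    {"t": 9000, "event_type": "user.session.start", "user": "bob",   "country": "FR"},
] + [
    # carol: 6 failed pushes within one 5-minute bucket (4800..4900)
    {"t": 4800 + 20 * i, "event_type": "user.authentication.auth_via_mfa",
     "user": "carol", "outcome": "FAILURE"} for i in range(6)
] + [
    # dave: 3 failed pushes, below the threshold
    {"t": 4800 + 20 * i, "event_type": "user.authentication.auth_via_mfa",
     "user": "dave", "outcome": "FAILURE"} for i in range(3)
]


def impossible_travel(events, window=WINDOW_SEC):
    """Users seen from more than one country with first-to-last logon under `window` seconds.

    Like the SPL, this compares earliest() and latest() over the whole search
    range, so widen or narrow the time picker rather than expecting a sliding window.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event_type"] == "user.session.start":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        countries = {e["country"] for e in evs}
        times = [e["t"] for e in evs]
        if len(countries) > 1 and (max(times) - min(times)) < window:
            hits[user] = sorted(countries)
    return hits


def mfa_fatigue(events, bin_sec=BIN_SEC, threshold=MFA_THRESHOLD):
    """(user, bucket_start) pairs with more than `threshold` failed MFA prompts in one bucket."""
    counts = defaultdict(int)
    for e in events:
        if e["event_type"] == "user.authentication.auth_via_mfa" and e.get("outcome") == "FAILURE":
            bucket = e["t"] - e["t"] % bin_sec          # floor to the 5-minute boundary
            counts[(e["user"], bucket)] += 1
    return {k: v for k, v in counts.items() if v > threshold}
```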