LoFP / After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.

Techniques

Sample rules

EC2 Instance Started With Previously Unseen AMI

Description

This search looks for EC2 instances being created with previously unseen AMIs. An AMI counts as unseen when the earliest successful RunInstances recorded for it in the previously_seen_ec2_amis.csv lookup falls within the last 70 minutes. This search is deprecated and has been translated to use the latest Change Datamodel.

Detection logic

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success 
| stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId 
| rename requestParameters.instancesSet.items{}.imageId as amiID 
| inputlookup append=t previously_seen_ec2_amis.csv 
| stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID 
| outputlookup previously_seen_ec2_amis.csv 
| eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where newAMI=1 
| rename amiID as requestParameters.instancesSet.items{}.imageId 
| table requestParameters.instancesSet.items{}.imageId] 
| rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID 
| table firstTime, lastTime, arn, amiID, dest, instanceType 
| `ec2_instance_started_with_previously_unseen_ami_filter`
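The Python below re-implements the detection logic above over constructed CloudTrail records so the behaviour described in the false-positive note can be seen directly: the first launches after a new AMI appears are flagged, and once the AMI has been in the lookup for more than 70 minutes later launches are not. This is an added example, not Splunk Security Content's code. It assumes CloudTrail's JSON layout for the fields the SPL names, treats a record without errorCode as a successful call (the SPL's errorCode=success), and expands the {} multivalue of responseElements.instancesSet.items into one alert row per launched instance. The constructed CreateImage record and the ami_creators helper cover the triage step the note asks for (verify who created the AMI). EVENTS, BASELINE, LATER_EVENTS, NOW and every helper name are hypothetical.

```python
"""'EC2 Instance Started With Previously Unseen AMI' re-implemented in Python.

Added example over constructed CloudTrail records; not Splunk Security Content's
code. The baseline dict plays the role of the previously_seen_ec2_amis.csv lookup.
"""
import json

WINDOW_SECONDS = 70 * 60   # the SPL's relative_time(now(), "-70m@m")
NOW = 1714557600           # 2024-05-01T10:00:00Z, constructed "now()" for run 1


def ct(event_name, t, arn, request=None, response=None, error=None):
    """Build a minimal CloudTrail-shaped record carrying only the fields the SPL uses.
    Assumption: a record without errorCode is a successful call (errorCode=success)."""
    rec = {"eventName": event_name, "_time": t, "userIdentity": {"arn": arn},
           "requestParameters": request or {}, "responseElements": response or {}}
    if error:
        rec["errorCode"] = error
    return rec


def run_req(ami, itype="t3.micro"):
    return {"instanceType": itype, "instancesSet": {"items": [{"imageId": ami}]}}


def run_resp(*instance_ids):
    return {"instancesSet": {"items": [{"instanceId": i} for i in instance_ids]}}


ACCT = "arn:aws:iam::111122223333:user/"

# Constructed sample events (not real log data), in time order.
EVENTS = [
    ct("CreateImage", NOW - 40 * 60, ACCT + "build-bot", response={"imageId": "ami-0bbb222"}),
    ct("RunInstances", NOW - 30 * 60, ACCT + "alice", run_req("ami-0bbb222"),
       run_resp("i-0123456789abcdef0")),
    ct("RunInstances", NOW - 20 * 60, ACCT + "bob", run_req("ami-0aaa111", "m5.large"),
       run_resp("i-0abcdef0123456789")),
    ct("RunInstances", NOW - 10 * 60, ACCT + "mallory", run_req("ami-0ccc333"),
       error="Client.UnauthorizedOperation"),                    # failed launch, no instances
    ct("RunInstances", NOW - 5 * 60, ACCT + "carol", run_req("ami-0bbb222"),
       run_resp("i-0fedcba9876543210", "i-0fedcba9876543211")),  # two instances in one call
]
# Constructed lookup content before run 1: ami-0aaa111 has been in use for a month.
BASELINE = {"ami-0aaa111": (NOW - 30 * 86400, NOW - 86400)}
# Constructed events for a second run of the search two hours later.
LATER_EVENTS = [
    ct("RunInstances", NOW + 2 * 3600 - 5 * 60, ACCT + "dave", run_req("ami-0bbb222"),
       run_resp("i-0000000000000beef")),
]


def run_instances(events):
    return [e for e in events if e["eventName"] == "RunInstances"]


def image_id(e):
    return e["requestParameters"]["instancesSet"]["items"][0]["imageId"]


def instance_ids(e):
    """Expand responseElements.instancesSet.items{}.instanceId; a failed call has none."""
    items = e["responseElements"].get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items] or [None]


def update_baseline(events, baseline):
    """The subsearch up to outputlookup: earliest/latest per AMI over successful
    RunInstances, appended to the existing lookup and collapsed with min/max.
    Returns the new lookup content."""
    merged = {ami: list(span) for ami, span in baseline.items()}
    for e in run_instances(events):
        if "errorCode" in e:   # errorCode=success: failed launches never seed the baseline
            continue
        ami, t = image_id(e), e["_time"]
        first, last = merged.get(ami, [t, t])
        merged[ami] = [min(first, t), max(last, t)]
    return {ami: tuple(span) for ami, span in merged.items()}


def new_amis(baseline, now):
    """newAMI=1: first seen at or after now-70m, boundary snapped to the minute (@m)."""
    cutoff = (now - WINDOW_SECONDS) // 60 * 60
    return {ami for ami, (first, _) in baseline.items() if first >= cutoff}


def detect(events, baseline, now):
    """One execution of the search. Returns (alert rows, updated baseline)."""
    baseline = update_baseline(events, baseline)
    fresh = new_amis(baseline, now)
    rows = []
    for e in run_instances(events):   # outer search: every RunInstances, no errorCode filter
        ami = image_id(e)
        if ami not in fresh:
            continue
        first, last = baseline[ami]
        for dest in instance_ids(e):
            rows.append({"firstTime": first, "lastTime": last,
                         "arn": e["userIdentity"]["arn"], "amiID": ami, "dest": dest,
                         "instanceType": e["requestParameters"].get("instanceType")})
    return rows, baseline


def ami_creators(events, ami):
    """Triage for the false-positive note: which principals created/registered this AMI?
    Assumption: CreateImage/RegisterImage return the new ID as responseElements.imageId."""
    return [e["userIdentity"]["arn"] for e in events
            if e["eventName"] in ("CreateImage", "RegisterImage")
            and e["responseElements"].get("imageId") == ami]


if __name__ == "__main__":
    rows, baseline = detect(EVENTS, BASELINE, NOW)
    print(json.dumps(rows, indent=2))   # two launches of ami-0bbb222, three instances
    for r in rows:
        print(r["amiID"], "created by", ami_creators(EVENTS, r["amiID"]))
    later_rows, _ = detect(LATER_EVENTS, baseline, NOW + 2 * 3600)
    print("rows two hours later:", len(later_rows))   # 0: the AMI is no longer new
```

Two behaviours worth noting when reading the SPL against this version. First, the failed launch of ami-0ccc333 never enters the baseline (the subsearch keeps only errorCode=success), so an AMI that is only ever attempted by a principal without permissions is not reported by this rule; a rule on failed RunInstances is a separate detection. Second, the SPL's subsearch ends with `table requestParameters.instancesSet.items{}.imageId`, so only the image ID reaches the outer search and the firstTime/lastTime columns of the final `table` are not populated from it; the Python version carries both values through on each row.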