after a new image is created, the first systems created with that image will cause this alert to fire. verify that the image being used was created by a legitimate user.

Techniques

Sample rules

Cloud Compute Instance Created With Previously Unseen Image

source: splunk
technicques:

Description

The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.

Detection logic


| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user 
| `drop_dm_object_name("All_Changes")` 
| `drop_dm_object_name("Instance_Changes")` 
| where image_id != "unknown" 
| lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenImage=min(firstTimeSeen) 
| where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") 
| table firstTime, user, image_id, count, dest 
| `security_content_ctime(firstTime)` 
| `cloud_compute_instance_created_with_previously_unseen_image_filter`