Sample rules
EC2 Instance Started With Previously Unseen Instance Type
- source: splunk
- techniques:
Description
This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and has been translated to use the latest Change data model.
Detection logic
`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success
| fillnull value="m1.small" requestParameters.instanceType
| stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType
| rename requestParameters.instanceType as instanceType
| inputlookup append=t previously_seen_ec2_instance_types.csv
| stats min(earliest) as earliest max(latest) as latest by instanceType
| outputlookup previously_seen_ec2_instance_types.csv
| eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0)
| `security_content_ctime(earliest)`
| `security_content_ctime(latest)`
| where newType=1
| rename instanceType as requestParameters.instanceType
| table requestParameters.instanceType]
| spath output=user userIdentity.arn
| rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest
| table _time, user, dest, instanceType
| `ec2_instance_started_with_previously_unseen_instance_type_filter`
Cloud Compute Instance Created With Previously Unseen Instance Type
- source: splunk
- techniques:
Description
The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk’s tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.
Detection logic
| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where instance_type != "unknown"
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenInstanceType=min(firstTimeSeen)
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, instance_type
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`
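A Python re-implementation of the baselining that both searches above share (the m1.small default for a missing instance type, the first/last-seen lookup, the 70-minute newness window and the enough_data gate), added here as an illustration and not code from Splunk's security content. The sample events, the 7-day minimum history used to stand in for enough_data, and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Constructed CloudTrail-style RunInstances records (sample data, not real logs).
EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "errorCode": "success",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"instanceType": "t3.micro"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1"}]}}},
    {"eventTime": "2024-03-05T09:00:00Z", "errorCode": "success",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {},  # no instanceType field: counted as m1.small
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a2"}]}}},
    {"eventTime": "2024-03-10T11:30:00Z", "errorCode": "success",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/mallory"},
     "requestParameters": {"instanceType": "p4d.24xlarge"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0b7"}]}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _itype(ev):
    # Same default the first search's fillnull applies when the field is missing.
    return ev.get("requestParameters", {}).get("instanceType") or "m1.small"

def update_baseline(baseline, events):
    """Fold successful launches into the first/last-seen lookup (stats/inputlookup/outputlookup)."""
    for ev in events:
        if ev.get("errorCode") != "success":
            continue
        t, itype = _ts(ev["eventTime"]), _itype(ev)
        seen = baseline.setdefault(itype, {"earliest": t, "latest": t})
        seen["earliest"], seen["latest"] = min(seen["earliest"], t), max(seen["latest"], t)
    return baseline

def new_instance_types(baseline, now, window=timedelta(minutes=70),
                       min_history=timedelta(days=7)):
    """Types first seen within `window` before `now` (newType=1). Returns [] while the
    lookup spans less than `min_history`: an assumed stand-in for the enough_data gate."""
    if not baseline or now - min(v["earliest"] for v in baseline.values()) < min_history:
        return []
    return sorted(t for t, v in baseline.items() if v["earliest"] >= now - window)

def alerts(events, baseline, now, **kw):
    # One row per launched instance, like the final `table _time, user, dest, instanceType`.
    new = set(new_instance_types(baseline, now, **kw))
    return [{"_time": ev["eventTime"], "user": ev["userIdentity"]["arn"],
             "dest": item["instanceId"], "instanceType": _itype(ev)}
            for ev in events if ev.get("errorCode") == "success" and _itype(ev) in new
            for item in ev["responseElements"]["instancesSet"]["items"]]
```

With the sample events and a `now` of 2024-03-10T12:00Z, only p4d.24xlarge falls inside the 70-minute window, while a lookup built from the first event alone is too young to alert on anything.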