It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.

Techniques

Sample rules

Cloud Compute Instance Created With Previously Unseen Instance Type

Description

The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk’s tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.

Detection logic

| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user 
| `drop_dm_object_name("All_Changes")` 
| `drop_dm_object_name("Instance_Changes")` 
| where instance_type != "unknown" 
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenInstanceType=min(firstTimeSeen) 
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") 
| table firstTime, user, dest, count, instance_type 
| `security_content_ctime(firstTime)` 
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`
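To make the search's gating and alert conditions concrete, here is an added Python model of the same logic (not part of the original rule or Splunk content): a stand-in for the previously_seen_cloud_compute_instance_types lookup with its firstTimeSeen and enough_data fields, and the 24h@h first-seen check run over a constructed set of "created" events. The event tuples, user names, object IDs and the seven-day baseline span are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (time, user, object_id, instance_type); not real cloud data.
HISTORY_EVENTS = [  # what the previously_seen lookup would have been built from
    ("2024-05-01T09:00:00", "alice", "i-0aaa", "t3.micro"),
    ("2024-05-03T10:00:00", "bob", "i-0bbb", "m5.large"),
    ("2024-05-05T11:00:00", "alice", "i-0ccc", "t3.micro"),
    ("2024-05-10T08:30:00", "carol", "i-0ddd", "p3.8xlarge"),
]
RECENT_EVENTS = [  # the search window the detection runs over
    ("2024-05-10T08:30:00", "carol", "i-0ddd", "p3.8xlarge"),  # type first seen < 24h ago
    ("2024-05-10T09:15:00", "bob", "i-0eee", "m5.large"),      # type known for a week
    ("2024-05-10T09:40:00", "mallory", "i-0fff", "unknown"),   # dropped by the "unknown" filter
    ("2024-05-10T11:00:00", "dave", "i-0ggg", "g4dn.xlarge"),  # type absent from the lookup
]
NOW = datetime(2024, 5, 10, 12, 0, 0)  # assumed "now()" for the worked example

def parse(events):
    return [(datetime.fromisoformat(t), u, d, i) for t, u, d, i in events]

def build_baseline(events, min_span=timedelta(days=7)):
    """Stand-in for the lookup: firstTimeSeen per instance_type, enough_data=1 once history spans min_span."""
    first_seen = {}
    for ts, _, _, itype in parse(events):
        first_seen[itype] = min(ts, first_seen.get(itype, ts))
    times = [ts for ts, *_ in parse(events)]
    enough_data = int(bool(times) and max(times) - min(times) >= min_span)
    return first_seen, enough_data

def detect_unseen_instance_types(events, baseline, now, window=timedelta(hours=24)):
    """Mirror of the SPL: group by instance_type and user, alert if never seen or first seen after now-24h@h."""
    first_seen, enough_data = baseline
    if not enough_data:  # `where enough_data=1`: stay silent until the baseline is mature
        return []
    cutoff = (now - window).replace(minute=0, second=0, microsecond=0)  # relative_time(now(), "-24h@h")
    groups = defaultdict(lambda: {"firstTime": None, "dest": set(), "count": 0})
    for ts, user, dest, itype in parse(events):
        if itype == "unknown":  # `where instance_type != "unknown"`
            continue
        g = groups[(itype, user)]
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["dest"].add(dest); g["count"] += 1
    alerts = []
    for (itype, user), g in sorted(groups.items()):
        seen = first_seen.get(itype)
        if seen is None or seen > cutoff:  # isnull(firstTimeSeen) OR firstTimeSeen > cutoff
            alerts.append({"firstTime": g["firstTime"].isoformat(), "user": user,
                           "dest": sorted(g["dest"]), "count": g["count"], "instance_type": itype})
    return alerts
```

With the sample data, p3.8xlarge (first seen inside the 24h window) and g4dn.xlarge (no lookup entry) alert, m5.large does not, and an immature baseline (enough_data=0) suppresses everything, which is the behaviour to confirm before tuning the false-positive note above.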