Techniques
Sample rules
Cloud Compute Instance Created In Previously Unused Region
- source: splunk
- techniques:
- T1535
Description
This search looks at cloud-infrastructure events (the Change data model) where an instance is created in any region within the last hour, then compares each region against a lookup of regions where instances have previously been created. A region that is absent from the lookup, or whose first sighting is less than 24 hours old, is reported, but only once the lookup holds enough history (enough_data=1), which keeps the first runs from flagging every region as new.
Detection logic
| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenRegion=min(firstTimeSeen)
| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count , vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_in_previously_unused_region_filter`
EC2 Instance Started In Previously Unseen Region
- source: splunk
- techniques:
- T1535
Description
This search looks for AWS CloudTrail StartInstances events from the last hour, merges the earliest and latest start time per region into the lookup file of previously seen regions (rewriting the lookup in place), and then reports any region whose earliest recorded start falls on or after the start of the previous day. Unlike the Change-data-model search above, it has no enough_data gate, so on its first run against an empty lookup every active region is reported as new.
Detection logic
`cloudtrail` earliest=-1h StartInstances
| stats earliest(_time) as earliest latest(_time) as latest by awsRegion
| inputlookup append=t previously_seen_aws_regions.csv
| stats min(earliest) as earliest max(latest) as latest by awsRegion
| outputlookup previously_seen_aws_regions.csv
| eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region")
| `security_content_ctime(earliest)`
| `security_content_ctime(latest)`
| where regionStatus="Instance Started in a New Region"
| `ec2_instance_started_in_previously_unseen_region_filter`
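Both searches above implement the same pattern: keep a per-region baseline of first-seen and last-seen instance starts, merge the current hour's events into it, and alert when a region's first sighting is recent. The Python below is an added example (not Splunk's or the security_content project's code) that replays that logic offline against a few constructed CloudTrail-style records, so the behaviour of the baseline merge, the recency window and the enough_data gate can be inspected step by step. The record fields, the baseline layout, the 7-day learning period and the fixed "now" are assumptions made for the example.

```python
"""Baseline-and-compare check for compute activity in a previously unseen cloud region.

Added example, not Splunk's code. It mirrors the two searches on this page:
  - update_baseline()    ~ stats min(earliest) max(latest) by awsRegion | outputlookup
  - enough_data()        ~ the enough_data=1 gate of the Change-datamodel search
  - new_region_alerts()  ~ flag regions whose first sighting is inside the window
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumption).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed CloudTrail-style records, trimmed to the fields the searches use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-10T11:05:00Z", "eventName": "StartInstances",
     "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "instanceId": "i-0a1b2c3d4e5f60001"},
    {"eventTime": "2024-06-10T11:20:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "instanceId": "i-0a1b2c3d4e5f60002"},
    # Read-only call: not an instance start, must not seed the baseline.
    {"eventTime": "2024-06-10T11:40:00Z", "eventName": "DescribeInstances",
     "awsRegion": "sa-east-1", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
     "instanceId": None},
]

# Constructed baseline, the equivalent of previously_seen_aws_regions.csv:
# region -> earliest/latest instance start seen there (ISO-8601 UTC strings).
SEED_BASELINE = {
    "us-east-1": {"earliest": "2024-01-03T08:00:00Z", "latest": "2024-06-09T17:30:00Z"},
    "eu-west-1": {"earliest": "2024-02-14T09:00:00Z", "latest": "2024-06-08T10:00:00Z"},
}

# Actions that count as "instance created/started" (assumption for the example).
CREATE_EVENTS = {"StartInstances", "RunInstances"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def update_baseline(baseline: dict, events: list) -> dict:
    """Return a new baseline with this run's events merged in (min earliest, max latest).
    Fixed-format ISO strings compare correctly as plain strings."""
    merged = {region: dict(v) for region, v in baseline.items()}
    for ev in events:
        if ev["eventName"] not in CREATE_EVENTS:
            continue
        ts = ev["eventTime"]
        entry = merged.setdefault(ev["awsRegion"], {"earliest": ts, "latest": ts})
        entry["earliest"] = min(entry["earliest"], ts)
        entry["latest"] = max(entry["latest"], ts)
    return merged


def enough_data(baseline: dict, now: datetime, learning_period: timedelta = timedelta(days=7)) -> bool:
    """True once the baseline spans at least `learning_period` of history. Without this gate
    the first run (empty lookup) would report every active region as new."""
    if not baseline:
        return False
    oldest = min(parse_ts(v["earliest"]) for v in baseline.values())
    return now - oldest >= learning_period


def new_region_alerts(baseline: dict, events: list, now: datetime,
                      window: timedelta = timedelta(days=1)) -> tuple[list, dict]:
    """Merge events into the baseline, then return (alert rows, updated baseline).
    A row is emitted per (region, user) whose region was first seen within `window`,
    shaped like the `table firstTime, user, dest, count, vendor_region` output above."""
    merged = update_baseline(baseline, events)
    if not enough_data(merged, now):
        return [], merged
    cutoff = now - window
    rows: dict = {}
    for ev in events:
        if ev["eventName"] not in CREATE_EVENTS:
            continue
        region = ev["awsRegion"]
        if parse_ts(merged[region]["earliest"]) < cutoff:
            continue  # previously seen region
        user = ev["userIdentity"]["arn"]
        row = rows.setdefault((region, user), {
            "firstTime": merged[region]["earliest"], "user": user,
            "dest": [], "count": 0, "vendor_region": region})
        row["dest"].append(ev["instanceId"])
        row["count"] += 1
    return list(rows.values()), merged


if __name__ == "__main__":
    alerts, _ = new_region_alerts(SEED_BASELINE, SAMPLE_EVENTS, NOW)
    for row in alerts:
        print(row)
    first_run, _ = new_region_alerts({}, SAMPLE_EVENTS, NOW)
    print("alerts on first run with empty baseline:", len(first_run))
```

Run against the constructed data, the us-east-1 start is suppressed (the region has been in the baseline since January) and the ap-southeast-1 start by bob is the single row reported; the DescribeInstances call never seeds sa-east-1 into the baseline. Calling the same function with an empty baseline returns no rows, which is the behaviour the enough_data gate in the first search buys and the CloudTrail search above does without.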