it's possible that a user will start to create compute instances for the first time, for any number of reasons. verify with the user launching instances that this is the intended behavior.

Techniques

Sample rules

Cloud Compute Instance Created By Previously Unseen User

source: splunk
technicques:
- T1078.004
- T1078

Description

The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on ‘create’ actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.

Detection logic


| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region 
| `drop_dm_object_name("All_Changes")` 
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data 
| eventstats max(enough_data) as enough_data 
| where enough_data=1 
| eval firstTimeSeenUser=min(firstTimeSeen) 
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") 
| table firstTime, user, dest, count vendor_region 
| `security_content_ctime(firstTime)` 
| `cloud_compute_instance_created_by_previously_unseen_user_filter`