| ID | Technique | Tactic |
|---|---|---|
| T1078.004 | Cloud Accounts | Initial Access |
Detection: Cloud Compute Instance Created By Previously Unseen User
Description
The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
Search
```spl
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest FROM datamodel=Change
    WHERE All_Changes.action=created
    BY All_Changes.user All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_by_previously_unseen_user_filter`
```
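To make the search logic concrete, the following is an added Python re-implementation of the same steps (it is not part of the Splunk content and not how Splunk runs the search). It uses constructed Change-model events and a constructed baseline standing in for the previously_seen_cloud_compute_creations_by_user lookup; the function names are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: "created" events as the Change data model would present them.
EVENTS = [
    {"user": "alice", "vendor_region": "us-east-1", "object": "i-0aaa111", "_time": "2024-05-01T10:05:00Z"},
    {"user": "alice", "vendor_region": "us-east-1", "object": "i-0aaa222", "_time": "2024-05-01T10:20:00Z"},
    {"user": "bob",   "vendor_region": "eu-west-1", "object": "i-0bbb333", "_time": "2024-05-01T10:30:00Z"},
    {"user": "carol", "vendor_region": "us-west-2", "object": "i-0ccc444", "_time": "2024-05-01T10:45:00Z"},
]

# Constructed baseline (stands in for the lookup): user -> firstTimeSeen, enough_data.
# enough_data=1 means the baseline search has run long enough to be trusted.
BASELINE = {
    "alice": {"firstTimeSeen": "2024-03-10T08:00:00Z", "enough_data": 1},
    "bob":   {"firstTimeSeen": "2024-05-01T09:50:00Z", "enough_data": 1},  # first seen < 24h ago
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_unseen_creators(events, baseline, now, window_hours=24):
    """One finding per (user, vendor_region) whose user has no baseline entry or
    was first seen within the last window_hours. Empty list if the baseline is
    not mature (mirrors eventstats max(enough_data) | where enough_data=1)."""
    enough = max((baseline[e["user"]]["enough_data"] for e in events if e["user"] in baseline), default=0)
    if enough != 1:
        return []
    # tstats count, earliest(_time), values(object) BY user, vendor_region
    groups = {}
    for e in events:
        g = groups.setdefault((e["user"], e["vendor_region"]),
                              {"count": 0, "firstTime": e["_time"], "dest": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["dest"].add(e["object"])
    # relative_time(now(), "-24h@h"): 24h back, snapped to the hour
    cutoff = (now - timedelta(hours=window_hours)).replace(minute=0, second=0, microsecond=0)
    findings = []
    for (user, region), g in groups.items():
        seen = baseline.get(user)
        first_seen = parse_ts(seen["firstTimeSeen"]) if seen else None
        # where isnull(firstTimeSeenUser) OR firstTimeSeenUser > cutoff
        if first_seen is None or first_seen > cutoff:
            findings.append({"firstTime": g["firstTime"], "user": user, "dest": sorted(g["dest"]),
                             "count": g["count"], "vendor_region": region})
    return findings
```

Running it with now = 2024-05-01T11:00:00Z flags bob (first seen inside the 24h window) and carol (no baseline entry) but not alice.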
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| AWS CloudTrail | | aws:cloudtrail | aws_cloudtrail |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config |
| cloud_compute_instance_created_by_previously_unseen_user_filter | search * |
cloud_compute_instance_created_by_previously_unseen_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.
Known False Positives
It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| User $user$ is creating a new instance $dest$ for the first time | user | user | 20 |
| User $user$ is creating a new instance $dest$ for the first time | dest | system | 20 |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | aws_cloudtrail | aws:cloudtrail |
| Integration | ✅ Passing | Dataset | aws_cloudtrail | aws:cloudtrail |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 12