Cloud Compute Instance Created In Previously Unused Region
Description
This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Datasource: Splunk Add-on for Amazon Kinesis Firehose
- Last Updated: 2020-09-02
- Author: David Dorsey, Splunk
- ID: fa4089e2-50e3-40f7-8469-d2cc1564ca59
Annotations
ATT&CK
ID | Technique | Tactic
---|---|---
T1535 | Unused/Unsupported Cloud Regions | Defense Evasion
Kill Chain Phase
- Actions on Objectives
NIST
- DE.DP
- DE.AE
CIS20
- CIS 12
CVE
Search
```
| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenRegion=min(firstTimeSeen)
| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_in_previously_unused_region_filter`
```
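The logic of the search above, re-implemented as an added Python example (not part of the Splunk content) over a constructed set of Change-datamodel events and a constructed previously_seen_cloud_regions lookup. It shows the three gates the SPL applies: only `created` actions grouped by region and user, the `enough_data` check that suppresses every result until the baseline is mature, and the alert condition that a region is either absent from the lookup or first seen within the last 24 hours (snapped to the hour, like `-24h@h`).

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 9, 2, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed instance-change events from the last hour (Change datamodel fields).
EVENTS = [
    {"_time": NOW - timedelta(minutes=50), "action": "created", "object_id": "i-0a1", "vendor_region": "us-east-1", "user": "alice"},
    {"_time": NOW - timedelta(minutes=20), "action": "created", "object_id": "i-0b2", "vendor_region": "us-east-1", "user": "alice"},
    {"_time": NOW - timedelta(minutes=10), "action": "created", "object_id": "i-0c3", "vendor_region": "ap-south-1", "user": "bob"},
    {"_time": NOW - timedelta(minutes=5), "action": "created", "object_id": "i-0d4", "vendor_region": "eu-west-1", "user": "carol"},
    {"_time": NOW - timedelta(minutes=3), "action": "modified", "object_id": "i-0d4", "vendor_region": "sa-east-1", "user": "carol"},
]

# Constructed baseline lookup; the Initial/Update baseline searches maintain the real one.
# enough_data=1 marks a lookup that has observed enough history to be trusted.
LOOKUP = {
    "us-east-1": {"firstTimeSeen": NOW - timedelta(days=200), "enough_data": 1},
    "eu-west-1": {"firstTimeSeen": NOW - timedelta(hours=2), "enough_data": 1},
}


def detect(events, lookup, now):
    # tstats ... where action=created by vendor_region, user
    groups = {}
    for e in events:
        if e["action"] != "created":
            continue
        g = groups.setdefault((e["vendor_region"], e["user"]),
                              {"firstTime": e["_time"], "dest": set(), "count": 0})
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["dest"].add(e["object_id"])
        g["count"] += 1
    # eventstats max(enough_data) | where enough_data=1: with no mature baseline, alert on nothing
    enough = max((lookup.get(r, {}).get("enough_data", 0) for r, _ in groups), default=0)
    if enough != 1:
        return []
    # relative_time(now(), "-24h@h"): 24 hours back, snapped down to the hour
    cutoff = (now - timedelta(hours=24)).replace(minute=0, second=0, microsecond=0)
    results = []
    for (region, user), g in groups.items():
        first_seen = lookup.get(region, {}).get("firstTimeSeen")
        # isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > cutoff
        if first_seen is None or first_seen > cutoff:
            results.append({"firstTime": g["firstTime"], "user": user, "dest": sorted(g["dest"]),
                            "count": g["count"], "vendor_region": region})
    return results


if __name__ == "__main__":
    for row in detect(EVENTS, LOOKUP, NOW):
        print(f"User {row['user']} is creating an instance {row['dest']} in a new region {row['vendor_region']} for the first time")
```

With the constructed data, `us-east-1` is suppressed because it was first seen 200 days ago, `ap-south-1` alerts because it is absent from the lookup, and `eu-west-1` alerts because it was first seen only two hours ago; an empty lookup yields no results at all because `enough_data` is never 1.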
Macros
The SPL above uses the following Macros:
- drop_dm_object_name
- security_content_ctime
- cloud_compute_instance_created_in_previously_unused_region_filter
Note that cloud_compute_instance_created_in_previously_unused_region_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Lookups
The SPL above uses the following Lookups:
- previously_seen_cloud_regions
Required fields
- _time
- All_Changes.object_id
- All_Changes.action
- All_Changes.vendor_region
- All_Changes.user
How To Implement
You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud Regions - Initial to build the initial table of images observed and times. You must also enable the second baseline search Previously Seen Cloud Regions - Update to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the cloud_compute_instance_created_in_previously_unused_region_filter macro.
Known False Positives
It’s possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
Associated Analytic story
RBA
Risk Score | Impact | Confidence | Message
---|---|---|---
42.0 | 70 | 60 | User $user$ is creating an instance $dest$ in a new region for the first time
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
source | version: 1