This search looks for cloud compute instances created by users who have not created them before.
- Type: Anomaly
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2021-07-13
- Author: Rico Valdez, Splunk
- ID: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
| ID | Technique | Tactic |
| --- | --- | --- |
| T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
```
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_by_previously_unseen_user_filter`
```
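The search above is a baseline comparison: aggregate compute-instance creations per user and region, join the per-user baseline lookup, gate on `enough_data`, and keep only users who are absent from the baseline or were first seen within the last 24 hours. The Python below reproduces that logic offline as an added illustration; it is not Splunk's code. The events, the `BASELINE` dictionary standing in for the `previously_seen_cloud_compute_creations_by_user` lookup, and the fixed `NOW` are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample rows shaped like the Change datamodel fields the search consumes
# (All_Changes.user, All_Changes.object, All_Changes.vendor_region, All_Changes.action).
EVENTS = [
    {"_time": datetime(2021, 7, 13, 9, 5), "user": "alice", "object": "i-0aaa1111", "vendor_region": "us-east-1", "action": "created"},
    {"_time": datetime(2021, 7, 13, 9, 7), "user": "alice", "object": "i-0aaa2222", "vendor_region": "us-east-1", "action": "created"},
    {"_time": datetime(2021, 7, 13, 9, 30), "user": "bob", "object": "i-0bbb3333", "vendor_region": "eu-west-1", "action": "created"},
    {"_time": datetime(2021, 7, 13, 10, 0), "user": "carol", "object": "i-0ccc4444", "vendor_region": "us-east-1", "action": "created"},
    {"_time": datetime(2021, 7, 13, 10, 15), "user": "carol", "object": "i-0ccc4444", "vendor_region": "us-east-1", "action": "deleted"},
]

# Constructed stand-in for the previously_seen_cloud_compute_creations_by_user lookup:
# user -> firstTimeSeen, enough_data. alice has months of history, bob first appeared a few
# hours ago, and carol has never created an instance before.
BASELINE = {
    "alice": {"firstTimeSeen": datetime(2021, 3, 1, 8, 0), "enough_data": 1},
    "bob": {"firstTimeSeen": datetime(2021, 7, 13, 8, 30), "enough_data": 1},
}

NOW = datetime(2021, 7, 13, 12, 0)  # fixed "now()" so the example is deterministic


def detect(events, baseline, now):
    """Return one row per (user, vendor_region) whose creator is unknown or first seen in the last 24h."""
    # tstats count, earliest/latest _time, values(object) ... where action=created by user, vendor_region
    groups = {}
    for e in events:
        if e["action"] != "created":
            continue
        key = (e["user"], e["vendor_region"])
        g = groups.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"], "dest": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
        g["dest"].add(e["object"])

    # lookup ... OUTPUTNEW firstTimeSeen, enough_data: users missing from the lookup get null (None)
    rows = []
    for (user, region), g in groups.items():
        b = baseline.get(user, {})
        rows.append({"user": user, "vendor_region": region, **g,
                     "firstTimeSeen": b.get("firstTimeSeen"), "enough_data": b.get("enough_data")})

    # eventstats max(enough_data) | where enough_data=1: the gate is computed over the matched rows only
    enough = max((r["enough_data"] for r in rows if r["enough_data"] is not None), default=None)
    if enough != 1:
        return []

    # relative_time(now(), "-24h@h"): 24 hours back, snapped to the top of the hour
    cutoff = (now - timedelta(hours=24)).replace(minute=0, second=0, microsecond=0)
    out = []
    for r in rows:
        first = r["firstTimeSeen"]  # eval firstTimeSeenUser=min(firstTimeSeen) is the same value per row
        if first is None or first > cutoff:
            out.append({"firstTime": r["firstTime"].strftime("%Y-%m-%dT%H:%M:%S"),  # security_content_ctime
                        "user": r["user"], "dest": sorted(r["dest"]),
                        "count": r["count"], "vendor_region": r["vendor_region"]})
    return sorted(out, key=lambda r: r["user"])


if __name__ == "__main__":
    for row in detect(EVENTS, BASELINE, NOW):
        print(f"User {row['user']} is creating a new instance {row['dest']} for the first time in {row['vendor_region']}")
```

Running it flags bob (first seen 08:30 today, inside the 24-hour window) and carol (not in the baseline) and drops alice. One property of the reproduced logic worth knowing when tuning: because `eventstats max(enough_data)` is evaluated over the rows that matched the lookup, a run in which none of the creators appears in the baseline leaves `enough_data` null on every row and the `where enough_data=1` gate returns nothing, so the baseline search must have populated the lookup before this detection can fire.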
Associated Analytic Story
How To Implement
You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.
Kill Chain Phase
Known False Positives
It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 18.0 | 30 | 60 | User $user$ is creating a new instance $dest$ for the first time |
source | version: 2