/
previously_seen_cloud_compute_instance_types___update.yml
35 lines (35 loc) · 1.46 KB
/
previously_seen_cloud_compute_instance_types___update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
name: Previously Seen Cloud Compute Instance Types - Update
id: 7b7ef9ab-acb9-4e07-af76-4cf1e722885c
version: 1
date: '2020-09-03'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Change
description: This search builds a table of previously seen cloud compute instance
types
search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type
| `drop_dm_object_name("All_Changes.Instance_Changes")` | where instance_type !=
"unknown" | inputlookup append=t previously_seen_cloud_compute_instance_types |
stats min(firstTimeSeen) as firstTimeSeen max(lastTimeSeen) as lastTimeSeen by instance_type
| where lastTimeSeen > relative_time(now(), `previously_seen_cloud_compute_instance_type_forget_window`)
| eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data = if(globalFirstTime
<= relative_time(now(), "-14d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_instance_types'
how_to_implement: You must be ingesting the approrpiate cloud infrastructure logs
known_false_positives: none
references: []
tags:
analytic_story:
- Cloud Cryptomining
detections:
- Cloud Compute Instance Created With Previously Unseen Instance Type
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.action
- All_Changes.Instance_Changes.instance_type
security_domain: network