forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
baseline_of_cloud_instances_destroyed.yml
53 lines (52 loc) · 2.62 KB
/
baseline_of_cloud_instances_destroyed.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: Baseline Of Cloud Instances Destroyed
id: a2f701f8-5296-4d74-829c-0b7eb346d549
version: 1
date: '2020-08-25'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Change
description: This search is used to build a Machine Learning Toolkit (MLTK) model
for how many instances are destroyed in the environment. By default, the search
uses the last 90 days of data to build the model and the model is rebuilt weekly.
The model created by this search is then used in the corresponding detection search,
which identifies subsequent outliers in the number of instances destroyed in a small
time window.
search: '| tstats count as instances_destroyed from datamodel=Change where All_Changes.action=deleted
AND All_Changes.status=success AND All_Changes.object_category=instance by _time
span=1h | makecontinuous span=1h _time | eval instances_destroyed=coalesce(instances_destroyed,
(random()%2)*0.0000000001) | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4
| eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek
<= 5, 0, 1) | table _time instances_destroyed, HourOfDay, isWeekend | fit DensityFunction
instances_destroyed by "HourOfDay,isWeekend" into cloud_excessive_instances_destroyed_v1
dist=expon show_density=true'
how_to_implement: 'You must have Enterprise Security 6.0 or later, if not you will
need to verify that the Machine Learning Toolkit (MLTK) version 4.2 or later is
installed, along with any required dependencies. Depending on the number of users
in your environment, you may also need to adjust the value for max_inputs in the
MLTK settings for the DensityFunction algorithm, then ensure that the search completes
in a reasonable timeframe. By default, the search builds the model using the past
30 days of data. You can modify the search window to build the model over a longer
period of time, which may give you better results. You may also want to periodically
re-run this search to rebuild the model with the latest data.\
More information on the algorithm used in the search can be found at `https://docs.splunk.com/Documentation/MLApp/4.2.0/User/Algorithms#DensityFunction`.'
known_false_positives: none
references: []
tags:
analytic_story:
- Suspicious Cloud Instance Activities
- Cloud Cryptomining
deployments:
- Weekly Model Rebuild 90 Day Lookback
detections:
- Abnormally High Number Of Cloud Instances Destroyed
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.action
- All_Changes.status
- All_Changes.object_category
security_domain: network