forked from splunk/security_content
previously_seen_aws_regions.yml
name: Previously Seen AWS Regions
id: fc0edc95-ff2b-48b0-9f6f-63da3789fd63
version: 1
date: '2018-01-08'
author: Bhavin Patel, Splunk
type: Baseline
datamodel: []
description: This search looks for CloudTrail StartInstances events (an EC2 instance
  being started) and builds a baseline, keyed on the awsRegion field, of the first
  time (earliest) and the most recent time (latest) each region has been seen in
  the dataset over the last 30 days. The result is written to the
  previously_seen_aws_regions.csv lookup for use by the EC2 Instance Started In
  Previously Unseen Region detection.
search: '`cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time)
  as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | stats count'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your
  CloudTrail inputs.
known_false_positives: none
references: []
tags:
  analytic_story:
  - AWS Cryptomining
  - Suspicious AWS EC2 Activities
  deployments:
  - Daily Cache Updates
  detections:
  - EC2 Instance Started In Previously Unseen Region
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - awsRegion
  security_domain: network
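The baseline logic above, re-implemented in Python over constructed sample events as an added example (this is not code from the splunk/security_content project). It reproduces the `stats earliest(_time) ... latest(_time) ... by awsRegion` aggregation and the `outputlookup` write, and then adds the consuming step that the paired detection "EC2 Instance Started In Previously Unseen Region" performs, in an assumed form: the detection's own SPL is not on this page, so `unseen_region_events` is an assumption about its shape. The 30-day window is modelled as an optional `earliest_cutoff` argument, mirroring the scheduled search's time range rather than anything in the SPL itself. The sample events are constructed, not real CloudTrail data.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample CloudTrail events (not real data). Only the fields the
# baseline needs are included: eventTime (-> _time), eventName and awsRegion.
SAMPLE_EVENTS = [
    {"eventTime": "2018-01-01T10:00:00Z", "eventName": "StartInstances", "awsRegion": "us-east-1"},
    {"eventTime": "2018-01-03T12:30:00Z", "eventName": "StartInstances", "awsRegion": "us-east-1"},
    {"eventTime": "2018-01-02T08:15:00Z", "eventName": "StartInstances", "awsRegion": "eu-west-1"},
    # Not a StartInstances call: must not create a baseline row for ap-south-1.
    {"eventTime": "2018-01-04T09:00:00Z", "eventName": "DescribeInstances", "awsRegion": "ap-south-1"},
]


def to_epoch(event_time):
    """Convert a CloudTrail eventTime string to the epoch seconds Splunk stores in _time."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_baseline(events, earliest_cutoff=None):
    """Equivalent of:
        `cloudtrail` StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion

    earliest_cutoff is the lower bound of the scheduled search's time range
    (the last 30 days in the deployment described on the page); None means no bound.
    Returns {awsRegion: {"earliest": epoch, "latest": epoch}}.
    """
    baseline = {}
    for ev in events:
        if ev.get("eventName") != "StartInstances":
            continue
        t = to_epoch(ev["eventTime"])
        if earliest_cutoff is not None and t < earliest_cutoff:
            continue
        row = baseline.setdefault(ev["awsRegion"], {"earliest": t, "latest": t})
        row["earliest"] = min(row["earliest"], t)
        row["latest"] = max(row["latest"], t)
    return baseline


def write_lookup(baseline):
    """Equivalent of | outputlookup previously_seen_aws_regions.csv: render the
    baseline as CSV text. outputlookup replaces the file, so a region with no
    StartInstances inside the window drops out of the lookup."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["awsRegion", "earliest", "latest"])
    writer.writeheader()
    for region in sorted(baseline):
        writer.writerow({"awsRegion": region, **baseline[region]})
    return buf.getvalue()


def read_lookup(csv_text):
    """Load the lookup back, as a detection would with inputlookup / lookup."""
    return {
        row["awsRegion"]: {"earliest": int(row["earliest"]), "latest": int(row["latest"])}
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def unseen_region_events(new_events, lookup):
    """Assumed shape of the paired detection (its SPL is not on this page):
    flag StartInstances events whose awsRegion has no row in the baseline lookup."""
    return [
        ev for ev in new_events
        if ev.get("eventName") == "StartInstances" and ev["awsRegion"] not in lookup
    ]


if __name__ == "__main__":
    lookup_csv = write_lookup(build_baseline(SAMPLE_EVENTS))
    print(lookup_csv)
    # Constructed "today" events: one in a baselined region, one in a new region.
    todays = [
        {"eventTime": "2018-01-08T07:00:00Z", "eventName": "StartInstances", "awsRegion": "us-east-1"},
        {"eventTime": "2018-01-08T07:05:00Z", "eventName": "StartInstances", "awsRegion": "ap-south-1"},
    ]
    for hit in unseen_region_events(todays, read_lookup(lookup_csv)):
        print("previously unseen region:", hit["awsRegion"], hit["eventTime"])
```

Two properties of the baseline are worth keeping in mind when tuning the paired detection. First, only StartInstances calls populate the lookup, so a region that has only ever seen other API activity (DescribeInstances above) is still "unseen" from the detection's point of view. Second, because outputlookup replaces the CSV on each daily run and the search covers a rolling 30-day window, a region whose last StartInstances call is older than the window disappears from the lookup; the next start there fires as "previously unseen" even though the account has used that region before, which is the main source of benign hits to expect.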