forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpreviously_seen_cloud_compute_creations_by_user___update.yml
36 lines (36 loc) · 1.43 KB
/
previously_seen_cloud_compute_creations_by_user___update.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
name: Previously Seen Cloud Compute Creations By User - Update
id: 6bf75d69-7766-47bc-8097-e41696807a6f
version: 1
date: '2020-08-15'
author: Rico Valdez, Splunk
type: Baseline
datamodel:
- Change
description: This search builds a table of previously seen users that have launched
a cloud compute instance.
search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
from datamodel=Change where All_Changes.action=created AND All_Changes.object_category=instance
by All_Changes.user| `drop_dm_object_name("All_Changes")` | inputlookup append=t
previously_seen_cloud_compute_creations_by_user | stats min(firstTimeSeen) as firstTimeSeen
max(lastTimeSeen) as lastTimeSeen by user | where lastTimeSeen > relative_time(now(),
"-90d@d") | eventstats min(firstTimeSeen) as globalFirstTime | eval enough_data
= if(globalFirstTime <= relative_time(now(), "-7d@d"), 1, 0) | outputlookup previously_seen_cloud_compute_creations_by_user'
how_to_implement: You must be ingesting the approrpiate cloud infrastructure logs
and have the proper TAs installed.
known_false_positives: none
references: []
tags:
analytic_story:
- Cloud Cryptomining
detections:
- Cloud Compute Instance Created By Previously Unseen User
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.action
- All_Changes.object_category
- All_Changes.user
security_domain: network