forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathget_ec2_launch_details.yml
36 lines (36 loc) · 1.45 KB
/
get_ec2_launch_details.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
name: Get EC2 Launch Details
id: 0e40fe83-3edb-4d86-8206-8fed36529ca6
version: 1
date: '2018-03-12'
author: Bhavin Patel, Splunk
type: Investigation
datamodel: []
description: This search returns some of the launch details for a EC2 instance.
search: '`cloudtrail` dest=$dest$ |rename userIdentity.arn as arn, responseElements.instancesSet.items{}.instanceId
as dest, responseElements.instancesSet.items{}.privateIpAddress as privateIpAddress,
responseElements.instancesSet.items{}.imageId as amiID, responseElements.instancesSet.items{}.architecture
as architecture, responseElements.instancesSet.items{}.keyName as keyName | table
arn, awsRegion, dest, architecture, privateIpAddress, amiID, keyName'
how_to_implement: In order to implement this search, you must install the AWS App
for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS(version 4.4.0 or later)
and configure your AWS description inputs.
known_false_positives: ''
references: []
tags:
analytic_story:
- AWS Cryptomining
- Cloud Cryptomining
- Suspicious AWS EC2 Activities
- AWS Security Hub Alerts
product:
- Splunk Phantom
required_fields:
- _time
- dest
- userIdentity.arn
- responseElements.instancesSet.items{}.instanceId
- responseElements.instancesSet.items{}.privateIpAddress
- responseElements.instancesSet.items{}.imageId
- responseElements.instancesSet.items{}.architecture
- responseElements.instancesSet.items{}.keyName
security_domain: network