-
Notifications
You must be signed in to change notification settings - Fork 375
/
previously_seen_cloud_regions___initial.yml
41 lines (41 loc) · 1.43 KB
/
previously_seen_cloud_regions___initial.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Previously Seen Cloud Regions - Initial
id: b5e232db-dec6-4db8-aaa1-dd5474521e40
version: 1
date: '2020-09-02'
author: David Dorsey, Splunk
type: Baseline
datamodel:
- Change
description: This search looks for cloud compute events where a compute instance is
started and creates a baseline of most recent time, `lastTime` and the first time
`firstTime` we've seen this region in our dataset grouped by the region for the
last 30 days
search: '| tstats earliest(_time) as firstTimeSeen, latest(_time) as lastTimeSeen
from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")` | eventstats min(firstTimeSeen) as globalFirstTime
| eval enough_data = if(globalFirstTime <= relative_time(now(), "-14d@d"), 1, 0)
| outputlookup previously_seen_cloud_regions'
how_to_implement: You must be ingesting the approrpiate cloud infrastructure logs
and have the Security Research cloud data model installed.
known_false_positives: none
references: []
tags:
analytic_story:
- Cloud Cryptomining
detections:
- Cloud Compute Instance Created In Previously Unused Region
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Changes.action
- All_Changes.vendor_region
security_domain: network
deployment:
scheduling:
cron_schedule: 0 2 * * 0
earliest_time: -90d@d
latest_time: -1d@d
schedule_window: auto