Cloud Compute Instance Created In Previously Unused Region

Description

This search finds cloud-infrastructure events from the last hour in which an instance was created, in any region, and compares each event's region against a lookup file of previously seen regions where instances have been created.

   Help

You must be ingesting cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud Regions - Initial to build the initial table of regions observed and times. You must also enable the second baseline search, Previously Seen Cloud Regions - Update, to keep this table up to date and to age out old data. You can also add filtering to this search by customizing the cloud_compute_instance_created_in_previously_unused_region_filter macro.

   Baseline Generation Searches

This detection relies on the following searches to generate the baseline lookup.

  • Previously Seen Cloud Regions - Initial
  • Previously Seen Cloud Regions - Update
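
The first-seen logic described above, sketched in Python as an added example; it is not the detection's own search or its baseline searches. The event field names, the sample events and baseline, and the 90-day age-out are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed sample events; field names are assumptions, not a provider schema.
EVENTS = [
    {"time": NOW - timedelta(minutes=50), "action": "created", "region": "us-east-1", "user": "deploy-bot"},
    {"time": NOW - timedelta(minutes=20), "action": "created", "region": "ap-southeast-2", "user": "alice"},
    {"time": NOW - timedelta(minutes=10), "action": "deleted", "region": "sa-east-1", "user": "bob"},
]

# Constructed baseline: region -> first/last time an instance creation was seen.
BASELINE = {
    "us-east-1": {"first": NOW - timedelta(days=400), "last": NOW - timedelta(days=1)},
    "eu-west-1": {"first": NOW - timedelta(days=300), "last": NOW - timedelta(days=120)},
}

def detect_new_regions(events, baseline, now, window=timedelta(hours=1)):
    """Creation events inside the window whose region is absent from the baseline."""
    return [e for e in events
            if e["action"] == "created"
            and now - window <= e["time"] <= now
            and e["region"] not in baseline]

def update_baseline(events, baseline, now, max_age=timedelta(days=90)):
    """Fold creations into a copy of the baseline, then age out stale regions.

    The 90-day retention is an assumed value for this example.
    """
    updated = {region: dict(seen) for region, seen in baseline.items()}
    for e in events:
        if e["action"] != "created":
            continue
        seen = updated.setdefault(e["region"], {"first": e["time"], "last": e["time"]})
        seen["first"] = min(seen["first"], e["time"])
        seen["last"] = max(seen["last"], e["time"])
    return {r: s for r, s in updated.items() if now - s["last"] <= max_age}

if __name__ == "__main__":
    # Detect against the old baseline first; updating first would hide the new region.
    for hit in detect_new_regions(EVENTS, BASELINE, NOW):
        print("new region:", hit["region"], "by", hit["user"])
    print("baseline now:", sorted(update_baseline(EVENTS, BASELINE, NOW)))
```

Because the update step ages out regions that have gone unused, a later creation in such a region is reported as new again.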