Cloud Compute Instance Created In Previously Unused Region

Description

This search looks at cloud-infrastructure events from the last hour in which an instance was created, in any region, and compares each event's region to a lookup file of regions where instances have previously been created.

Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Unused/Unsupported Cloud Regions

Data Sources


Cloud Compute Instance Created In Previously Unused Region Help

You must be ingesting your cloud infrastructure logs from your cloud provider. Run the baseline search Previously Seen Cloud Regions - Initial to build the initial table of regions observed and the times they were seen. You must also enable the second baseline search, Previously Seen Cloud Regions - Update, to keep this table up to date and to age out old data. You can provide additional filtering for this search by customizing the cloud_compute_instance_created_in_previously_unused_region_filter macro.
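
The baseline-and-compare logic described above, sketched in Python as an added example (it is not the Splunk search or any Splunk code). The event fields, the 90-day age-out period and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)   # assumed age-out period for baseline entries
WINDOW = timedelta(hours=1)    # detection looks at the last hour
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

def event(ago, action, region, instance):
    """Build one constructed cloud-infrastructure event (hypothetical fields)."""
    return {"time": NOW - ago, "action": action, "region": region, "instance": instance}

def update_baseline(baseline, events, now):
    """Merge creations into {region: (first_seen, last_seen)}, then age out old regions."""
    merged = dict(baseline)
    for ev in events:
        if ev["action"] != "created":
            continue
        first, last = merged.get(ev["region"], (ev["time"], ev["time"]))
        merged[ev["region"]] = (min(first, ev["time"]), max(last, ev["time"]))
    return {r: seen for r, seen in merged.items() if now - seen[1] <= MAX_AGE}

def new_region_creations(baseline, events, now):
    """Return creations inside the window whose region is absent from the baseline."""
    return [ev for ev in events
            if ev["action"] == "created"
            and now - WINDOW <= ev["time"] <= now
            and ev["region"] not in baseline]

# Constructed history used to build the initial baseline.
HISTORY = [
    event(timedelta(days=200), "created", "ap-south-1", "i-0001"),  # stale, ages out
    event(timedelta(days=10), "created", "us-east-1", "i-0002"),
    event(timedelta(days=3), "created", "eu-west-1", "i-0003"),
    event(timedelta(days=2), "deleted", "sa-east-1", "i-0004"),     # not a creation
]
# Constructed events around the current detection run.
RECENT = [
    event(timedelta(minutes=20), "created", "us-east-1", "i-0100"),   # known region
    event(timedelta(minutes=15), "created", "ap-south-1", "i-0101"),  # aged-out region
    event(timedelta(minutes=5), "created", "sa-east-1", "i-0102"),    # never seen
    event(timedelta(hours=3), "created", "me-south-1", "i-0103"),     # outside the hour
]

BASELINE = update_baseline({}, HISTORY, NOW)
ALERTS = new_region_creations(BASELINE, RECENT, NOW)

if __name__ == "__main__":
    for a in ALERTS:
        print(f"{a['time']:%Y-%m-%d %H:%M} instance {a['instance']} created in new region {a['region']}")
```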
