Navigation :

Cloud Compute Instance Created With Previously Unseen Instance Type

Description

Find EC2 instances being created with previously unseen instance types.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

Find EC2 instances being created with previously unseen instance types.

SPL Difficulty

None

Journey

Stage 3

Data Sources

Cloud Infrastructure Data

Help
Cloud Compute Instance Created With Previously Unseen Instance Type Help You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.

Help

Cloud Compute Instance Created With Previously Unseen Instance Type Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud Compute Instance Types - Initial to build the initial table of instance types observed and times. You must also enable the second baseline search Previously Seen Cloud Compute Instance Types - Update to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the cloud_compute_instance_created_with_previously_unseen_instance_type_filter macro.

Search
\| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user \| `drop_dm_object_name("All_Changes")` \| `drop_dm_object_name("Instance_Changes")` \| where instance_type != "unknown" \| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data \| eventstats max(enough_data) as enough_data \| where enough_data=1 \| eval firstTimeSeenInstanceType=min(firstTimeSeen) \| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") \| table firstTime, user, dest, count, instance_type \| `security_content_ctime(firstTime)` \| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` Open in Search

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`

Open in Search