Navigation :

Cloud Compute Instance Created With Previously Unseen Instance Type

Description

Find EC2 instances being created with previously unseen instance types.

Help
Cloud Compute Instance Created With Previously Unseen Instance Type Help You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.

Help

Cloud Compute Instance Created With Previously Unseen Instance Type Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud Compute Instance Types - Initial to build the initial table of instance types observed and times. You must also enable the second baseline search Previously Seen Cloud Compute Instance Types - Update to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the cloud_compute_instance_created_with_previously_unseen_instance_type_filter macro.

Search
\| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user \| `drop_dm_object_name("All_Changes")` \| `drop_dm_object_name("Instance_Changes")` \| where instance_type != "unknown" \| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data \| eventstats max(enough_data) as enough_data \| where enough_data=1 \| eval firstTimeSeenInstanceType=min(firstTimeSeen) \| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") \| table firstTime, user, dest, count, instance_type \| `security_content_ctime(firstTime)` \| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` Open in Search

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`

Open in Search

Baseline Generation Searches
This detection relies on the following searches to generate the baseline lookup. Previously Seen Cloud Compute Instance Types - Initial Previously Seen Cloud Compute Instance Types - Update

Baseline Generation Searches

This detection relies on the following searches to generate the baseline lookup.

Previously Seen Cloud Compute Instance Types - Initial
Previously Seen Cloud Compute Instance Types - Update