Cloud Compute Instance Started In Previously Unused Region

Description

This search looks at cloud-infrastructure events in which a compute instance is created in any region within the last hour and compares each region against a lookup file of regions where instances have previously been created. An instance created in a region that is absent from the lookup produces an alert, on the reasoning that an attacker who has obtained cloud credentials may deliberately choose a region the organisation does not use, where monitoring and guardrails are thinner.
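The logic above, written out as an added Python example (not the page's own SPL or the project's code) so it can be exercised on constructed events without a Splunk instance: a baseline lookup of previously seen regions, a one-hour window of instance-creation events, and a comparison that yields one finding per unseen region. The field names (`action`, `object`, `region`, `user`, `instance_id`, `_time`) and the lookup layout (`firstTime`/`lastTime` per region) are assumptions modelled loosely on how the data model and a Splunk lookup would present the data; the events and baseline are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry). Field names are assumptions,
# loosely modelled on the cloud data model used by the search: an instance
# creation carries action="created", object="instance", a region and a user.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T10:05:00Z", "action": "created", "object": "instance",
     "region": "us-east-1", "user": "deploy-bot", "instance_id": "i-0a1"},
    {"_time": "2024-03-01T10:20:00Z", "action": "created", "object": "instance",
     "region": "ap-southeast-1", "user": "jdoe", "instance_id": "i-0b2"},
    # same region, different case: must collapse onto the entry above
    {"_time": "2024-03-01T10:25:00Z", "action": "created", "object": "instance",
     "region": "AP-SOUTHEAST-1", "user": "jdoe", "instance_id": "i-0b3"},
    # a termination in an unseen region is not an instance start
    {"_time": "2024-03-01T10:40:00Z", "action": "deleted", "object": "instance",
     "region": "sa-east-1", "user": "jdoe", "instance_id": "i-0c4"},
    # a creation older than the one-hour window is out of scope for this run
    {"_time": "2024-03-01T07:00:00Z", "action": "created", "object": "instance",
     "region": "sa-east-1", "user": "jdoe", "instance_id": "i-0d5"},
]

# Constructed stand-in for the previously-seen-regions lookup: region -> first/last seen.
BASELINE = {
    "us-east-1": {"firstTime": "2023-06-01T00:00:00Z", "lastTime": "2024-02-28T23:00:00Z"},
    "eu-west-1": {"firstTime": "2023-06-01T00:00:00Z", "lastTime": "2024-02-27T12:00:00Z"},
}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_time(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def normalize_region(region):
    # region identifiers are compared case-insensitively so "US-East-1" == "us-east-1"
    return region.strip().lower()

def is_instance_creation(ev):
    return ev.get("action") == "created" and ev.get("object") == "instance"

def detect_new_region_instances(events, baseline, now, window=timedelta(hours=1)):
    """One finding per region that has instance creations inside the window
    and is absent from the baseline lookup."""
    if not baseline:
        # An empty lookup would flag every region as new; the support search must run first.
        raise ValueError("baseline of previously seen regions is empty; run the support search first")
    known = {normalize_region(r) for r in baseline}
    findings = {}
    for ev in events:
        if not is_instance_creation(ev):
            continue
        t = parse_time(ev["_time"])
        if t <= now - window or t > now:
            continue
        region = normalize_region(ev["region"])
        if region in known:
            continue
        f = findings.setdefault(region, {"region": region, "count": 0, "users": set(),
                                         "instance_ids": [], "firstTime": t, "lastTime": t})
        f["count"] += 1
        f["users"].add(ev["user"])
        f["instance_ids"].append(ev["instance_id"])
        f["firstTime"] = min(f["firstTime"], t)
        f["lastTime"] = max(f["lastTime"], t)
    for f in findings.values():
        f["users"] = sorted(f["users"])
        f["firstTime"] = f["firstTime"].strftime(TIME_FMT)
        f["lastTime"] = f["lastTime"].strftime(TIME_FMT)
    return [findings[r] for r in sorted(findings)]

def update_baseline(baseline, events):
    """The support search's job: fold every instance creation into the lookup,
    keeping the earliest and latest time each region was seen."""
    updated = {normalize_region(r): dict(v) for r, v in baseline.items()}
    for ev in events:
        if not is_instance_creation(ev):
            continue
        region, t = normalize_region(ev["region"]), ev["_time"]
        entry = updated.setdefault(region, {"firstTime": t, "lastTime": t})
        # fixed-width UTC timestamps sort correctly as strings
        entry["firstTime"] = min(entry["firstTime"], t)
        entry["lastTime"] = max(entry["lastTime"], t)
    return updated

if __name__ == "__main__":
    now = parse_time("2024-03-01T11:00:00Z")
    for finding in detect_new_region_instances(SAMPLE_EVENTS, BASELINE, now):
        print(finding)
```

Run against the constructed data this reports a single finding for ap-southeast-1 with two instances started by jdoe; the termination in sa-east-1 and the three-hour-old creation there are ignored. Two practitioner points the example makes explicit: the search refuses to run on an empty baseline, because otherwise the first scheduled run alerts on every region; and once the baseline update has folded a region in, the same events no longer fire, so the alert only exists for the window before the refresh. If the baseline is refreshed automatically, triage has to happen inside that window, or the refresh should lag the detection.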

Use Case

Security Monitoring

Category

Cloud Security

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Unused/Unsupported Cloud Regions (T1535)

Kill Chain Phases

Actions On Objectives

Data Sources

Cloud Infrastructure Data

Help

You must be ingesting the appropriate cloud-infrastructure logs and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/) installed. Run the "Previously Seen Cloud Compute Instance Types" support search to create a baseline of previously seen regions before scheduling this search: the baseline lookup must exist and be populated, otherwise every region appears new and the first run alerts on all instance creations. Because the support search folds each newly seen region into the baseline, a region flagged by this search stops alerting once the baseline has been refreshed, so triage the alert before that happens or run the baseline refresh on a lag.
