Cloud Provisioning Activity From Previously Unseen IP Address

Description

This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something.

Use Case

Security Monitoring

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
Wizard Spider
menuPass

Data Sources


Help

You must be ingesting your cloud infrastructure logs from your cloud provider. First run the baseline search Previously Seen Cloud Provisioning Activity Sources - Initial to build the initial table of source IP addresses, geographic locations, and first/last-seen times. You must also enable the second baseline search Previously Seen Cloud Provisioning Activity Sources - Update to keep this table current and to age out old entries; without it, every source that was active at build time stays "seen" indefinitely. You can adjust the time window for this search by updating the previously_unseen_cloud_provisioning_activity_window macro. You can also provide additional filtering for this search by customizing the cloud_provisioning_activity_from_previously_unseen_ip_address_filter macro.
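The baseline/update/detect pattern described above, as an added Python example rather than the search's own SPL: the audit events, action names, IP addresses and the 70-day window are constructed for illustration, and the "provisioning" test (actions that run or create something) follows the page's broad definition.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 3, 1, 12, 0)
WINDOW = timedelta(days=70)  # constructed stand-in for the window macro

# Constructed cloud audit events: (timestamp, source IP, API action).
BASELINE_EVENTS = [
    (NOW - timedelta(days=90), "203.0.113.9", "RunInstances"),   # stale source
    (NOW - timedelta(days=3), "198.51.100.7", "CreateRole"),
    (NOW - timedelta(days=1), "198.51.100.7", "RunInstances"),
]
NEW_EVENTS = [
    (NOW - timedelta(hours=5), "198.51.100.7", "RunInstances"),   # known source
    (NOW - timedelta(hours=4), "192.0.2.44", "DescribeInstances"),  # read-only
    (NOW - timedelta(hours=3), "192.0.2.44", "RunInstances"),     # new source
    (NOW - timedelta(hours=2), "192.0.2.44", "CreateBucket"),     # already alerted
    (NOW - timedelta(hours=1), "203.0.113.9", "CreateUser"),      # aged out -> new again
]

def is_provisioning(action):
    """Broad definition from the page: any event that runs or creates something."""
    return action.startswith(("Run", "Create"))

def build_baseline(events):
    """'Initial' baseline: per source IP, first- and last-seen provisioning time."""
    table = {}
    for ts, ip, action in events:
        if is_provisioning(action):
            first, last = table.get(ip, (ts, ts))
            table[ip] = (min(first, ts), max(last, ts))
    return table

def age_out(table, now, window):
    """'Update' step: drop sources whose last provisioning is older than the window."""
    return {ip: fl for ip, fl in table.items() if now - fl[1] <= window}

def detect_unseen(events, table, now, window):
    """Alert on provisioning from a source absent from the aged baseline, then
    fold the new events into the table so a repeat source alerts only once."""
    seen = age_out(table, now, window)
    alerts = []
    for ts, ip, action in sorted(events):
        if not is_provisioning(action):
            continue
        if ip not in seen:
            alerts.append((ts, ip, action))
        first, last = seen.get(ip, (ts, ts))
        seen[ip] = (min(first, ts), max(last, ts))
    return alerts, seen

if __name__ == "__main__":
    found, _ = detect_unseen(NEW_EVENTS, build_baseline(BASELINE_EVENTS), NOW, WINDOW)
    for ts, ip, action in found:
        print(f"{ts:%Y-%m-%d %H:%M} unseen source {ip} performed {action}")
```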
