EC2 Instance Started In Previously Unseen Region

Description

This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Cloud Security, SaaS

Alert Volume

This search looks for CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Unused/Unsupported Cloud Regions

Unused/Unsupported Cloud Regions

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

   Help

EC2 Instance Started In Previously Unseen Region Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions.

   Search

Open in Search