Navigation :

EC2 Instance Started With Previously Unseen Instance Type

Description

This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and have been translated to use the latest Change Datamodel.

Help
EC2 Instance Started With Previously Unseen Instance Type Help You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.

Help

EC2 Instance Started With Previously Unseen Instance Type Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.

Search
`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success \| fillnull value="m1.small" requestParameters.instanceType \| stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType \| rename requestParameters.instanceType as instanceType \| inputlookup append=t previously_seen_ec2_instance_types.csv \| stats min(earliest) as earliest max(latest) as latest by instanceType \| outputlookup previously_seen_ec2_instance_types.csv \| eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) \| `security_content_ctime(earliest)` \| `security_content_ctime(latest)` \| where newType=1 \| rename instanceType as requestParameters.instanceType \| table requestParameters.instanceType] \| spath output=user userIdentity.arn \| rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest \| table _time, user, dest, instanceType \| `ec2_instance_started_with_previously_unseen_instance_type_filter` Open in Search

Search

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`

Open in Search

Baseline Generation Searches
This detection relies on the following search to generate the baseline lookup. Previously Seen EC2 Instance Types

Baseline Generation Searches

This detection relies on the following search to generate the baseline lookup.

Previously Seen EC2 Instance Types