Navigation :

EC2 Instance Started With Previously Unseen Instance Type

Description

This search looks for EC2 instances being created with previously unseen instance types.

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Advanced Threat Detection

Alert Volume

This search looks for EC2 instances being created with previously unseen instance types.

SPL Difficulty

None

Journey

Stage 3

Data Sources

AWS

Audit Trail

Help
EC2 Instance Started With Previously Unseen Instance Type Help You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.

Help

EC2 Instance Started With Previously Unseen Instance Type Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.

Search
`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success \| fillnull value="m1.small" requestParameters.instanceType \| stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType \| rename requestParameters.instanceType as instanceType \| inputlookup append=t previously_seen_ec2_instance_types.csv \| stats min(earliest) as earliest max(latest) as latest by instanceType \| outputlookup previously_seen_ec2_instance_types.csv \| eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) \| `security_content_ctime(earliest)` \| `security_content_ctime(latest)` \| where newType=1 \| rename instanceType as requestParameters.instanceType \| table requestParameters.instanceType] \| spath output=user userIdentity.arn \| rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest \| table _time, user, dest, instanceType \| `ec2_instance_started_with_previously_unseen_instance_type_filter` Open in Search

Search

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`

Open in Search