EC2 Instance Started With Previously Unseen User

Description

This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and has been translated to use the latest Change Datamodel.

Help

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs.

Baseline Generation Searches

This detection relies on the following search to generate the baseline lookup.

  • Previously Seen EC2 Launches By User
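
The baseline-then-compare logic described above, sketched in Python as an added example; it is not the Splunk search itself or code from the original page. The event records, account ID and user names are constructed, the function names are hypothetical, and counting only successful `RunInstances` calls is an assumption.

```python
from datetime import datetime, timezone

ACCT = "arn:aws:iam::111122223333:user/"  # constructed account ID and user names

def ev(name, user, when, error=None):
    """Build a constructed CloudTrail-shaped record (not real log data)."""
    rec = {"eventName": name, "eventTime": when, "userIdentity": {"arn": ACCT + user}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode only on failed calls
    return rec

BASELINE_EVENTS = [  # history fed to the support search
    ev("RunInstances", "alice", "2024-01-02T10:00:00Z"),
    ev("RunInstances", "alice", "2024-01-05T09:00:00Z"),
    ev("RunInstances", "bob", "2024-01-03T11:00:00Z", "Client.UnauthorizedOperation"),
    ev("DescribeInstances", "bob", "2024-01-03T11:01:00Z"),
]
NEW_EVENTS = [  # window examined by the detection
    ev("RunInstances", "alice", "2024-02-01T07:00:00Z"),
    ev("RunInstances", "bob", "2024-02-01T08:05:00Z"),
    ev("RunInstances", "bob", "2024-02-01T08:00:00Z"),
    ev("RunInstances", "carol", "2024-02-01T09:00:00Z", "Client.UnauthorizedOperation"),
]

def successful_launches(events):
    """Yield (arn, time) for RunInstances calls that succeeded (assumed filter)."""
    for e in events:
        arn = e.get("userIdentity", {}).get("arn")
        if e.get("eventName") == "RunInstances" and not e.get("errorCode") and arn:
            ts = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            yield arn, ts.replace(tzinfo=timezone.utc)

def build_baseline(events, baseline=None):
    """Support-search step: record first and last launch time per ARN."""
    baseline = dict(baseline or {})
    for arn, ts in successful_launches(events):
        first, last = baseline.get(arn, (ts, ts))
        baseline[arn] = (min(first, ts), max(last, ts))
    return baseline

def detect_unseen(events, baseline):
    """Detection step: one alert per ARN that is absent from the baseline."""
    seen, alerts = set(baseline), []
    for arn, ts in sorted(successful_launches(events), key=lambda p: p[1]):
        if arn not in seen:
            seen.add(arn)
            alerts.append({"arn": arn, "firstTime": ts.isoformat()})
    return alerts

if __name__ == "__main__":
    print(detect_unseen(NEW_EVENTS, build_baseline(BASELINE_EVENTS)))
```

Without the baseline step every ARN in the window is reported as new, which is why the support search is run first.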