Name:Cloud Compute Instance Created By Previously Unseen User id:37a0ec8d-827e-4d6d-8025-cedf31f3a149 version:4 date:2024-10-17 author:Rico Valdez, Splunk status:experimental type:Anomaly Description:The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment. Data_source:
-AWS CloudTrail
search:| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`
how_to_implement:You must be ingesting the appropriate cloud-infrastructure logs Run the "Previously Seen Cloud Compute Creations By User" support search to create of baseline of previously seen users. known_false_positives:It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior. References: drilldown_searches:
: tags: analytic_story: - 'Cloud Cryptomining' asset_type:Cloud Compute Instance confidence:60 impact:30 message:User $user$ is creating a new instance $dest$ for the first time mitre_attack_id: - 'T1078.004' - 'T1078' observable: name:'user' type:'User' - role: - 'Attacker' name:'dest' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'All_Changes.object' - 'All_Changes.action' - 'All_Changes.user' - 'All_Changes.vendor_region' risk_score:18 security_domain:threat
