Name:EC2 Instance Started In Previously Unseen Region id:ada0f478-84a8-4641-a3f3-d82362d6fd75 version:3 date:2024-10-17 author:Bhavin Patel, Splunk status:deprecated type:Anomaly Description:This search looks for AWS CloudTrail events where an instance is started in a particular region in the last one hour and then compares it to a lookup file of previously seen regions where an instance was started Data_source:
search:`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter`
how_to_implement:You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create of baseline of previously seen regions. This search is deprecated and have been translated to use the latest Change Datamodel. known_false_positives:It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate. References: drilldown_searches:
: tags: analytic_story: - 'AWS Cryptomining' - 'Suspicious AWS EC2 Activities' asset_type:AWS Instance confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1535' observable: name:'awsRegion' type:'Geo Location' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'awsRegion' risk_score:25.0 security_domain:network
