forked from splunk/security_content
45 lines (45 loc) · 1.69 KB
baseline_aws_regions.yml
baseline:
  splunk:
    schedule:
      cron_schedule: ''
      earliest_time: -30d@d
      latest_time: -10m@m
    search: sourcetype=aws:cloudtrail StartInstances | stats earliest(_time) as earliest
      latest(_time) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv
      | stats count
creation_date: '2018-01-08'
data_metadata:
  data_source:
  - AWS CloudTrail logs
  data_sourcetypes:
  - aws:cloudtrail
  providing_technologies:
  - AWS
description: This search looks for CloudTrail events where an AWS instance is started
  and creates a baseline of the most recent time (latest) and the first time (earliest)
  we've seen each region in our dataset, grouped by the value awsRegion, for the last
  30 days.
eli5: In this support search, we create a table of the first time (earliest) and most
  recent time (latest) that each region has been seen in our dataset, grouped by the
  value `awsRegion`. We only look at events where an instance has been started.
  All of these entries are added to the `previously_seen_aws_regions.csv` lookup
  file, which acts as a baseline for detections. Please validate the region names
  in the lookup file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
  inputs.
id: fc0edc95-ff2b-48b0-9f6f-63da3789fd63
known_false_positives: ''
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
modification_date: '2018-01-08'
name: Previously Seen AWS Regions
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
spec_version: 2
type: splunk
version: '1.0'
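As an added illustration (not code from the security_content project), the following Python mirrors what the baseline search above does offline: it keeps CloudTrail StartInstances events inside the -30d@d window, computes earliest/latest per awsRegion, renders the rows that `outputlookup previously_seen_aws_regions.csv` would store, and shows how a detection would consume that lookup. The sample events, the reference time and the `is_unseen_region` consumer are constructed assumptions, not part of the original file.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample CloudTrail records (not real data). Only the fields the
# baseline search relies on are present: eventName, eventTime and awsRegion.
SAMPLE_EVENTS = [
    {"eventName": "StartInstances", "eventTime": "2017-11-20T10:00:00Z", "awsRegion": "sa-east-1"},
    {"eventName": "StartInstances", "eventTime": "2018-01-01T08:00:00Z", "awsRegion": "us-east-1"},
    {"eventName": "StartInstances", "eventTime": "2018-01-05T12:30:00Z", "awsRegion": "us-east-1"},
    {"eventName": "DescribeInstances", "eventTime": "2018-01-06T09:00:00Z", "awsRegion": "eu-central-1"},
    {"eventName": "StartInstances", "eventTime": "2018-01-07T23:15:00Z", "awsRegion": "us-west-2"},
]

def to_epoch(event_time):
    """CloudTrail ISO-8601 eventTime -> epoch seconds, the equivalent of Splunk's _time."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def build_baseline(events, now, window_days=30):
    """Mirror `stats earliest(_time) as earliest latest(_time) as latest by awsRegion`
    over StartInstances events in the last `window_days` (earliest_time: -30d@d).
    Returns {awsRegion: (earliest, latest)} in epoch seconds."""
    window_start = (now // 86400 - window_days) * 86400  # -30d snapped to day boundary (@d)
    baseline = {}
    for ev in events:
        # The SPL matches the bare term StartInstances; eventName is the field that carries it.
        if ev.get("eventName") != "StartInstances":
            continue
        t = to_epoch(ev["eventTime"])
        if t < window_start:
            continue
        lo, hi = baseline.get(ev["awsRegion"], (t, t))
        baseline[ev["awsRegion"]] = (min(lo, t), max(hi, t))
    return baseline

def to_lookup_csv(baseline):
    """Render the baseline as `outputlookup previously_seen_aws_regions.csv` would store it."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["awsRegion", "earliest", "latest"])
    for region in sorted(baseline):
        writer.writerow([region, *baseline[region]])
    return buf.getvalue()

def is_unseen_region(event, baseline):
    """Detection side (hypothetical consumer of the lookup): flag a StartInstances
    event whose awsRegion has no row in the baseline."""
    return event.get("eventName") == "StartInstances" and event["awsRegion"] not in baseline
```

The 2017-11-20 event falls outside the 30-day window measured from a 2018-01-08 reference time and is dropped, which is why a stale or never-refreshed lookup would start flagging legitimate regions as unseen.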