baseline_cloud_compute_regions.yml

baseline:
  splunk:
    lookups:
      - previously_seen_cloud_regions
    macros:
      - previously_seen_cloud_regions_input_filter
    schedule:
      cron_schedule: ''
      earliest_time: -30d@d
      latest_time: -10m@m
    search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime from
      datamodel=Cloud_Infrastructure.Compute where Compute.action=start `previously_seen_cloud_regions_input_filter`
      by Compute.region | `drop_dm_object_name("Compute")` | outputlookup previously_seen_cloud_regions
      | stats count'
creation_date: '2019-10-02'
data_metadata:
  data_models:
    - Cloud_Infrastructure
  data_source:
    - Cloud Infrastructure Logs
  providing_technologies:
    - AWS
    - Azure
    - GCP
description: This search looks for cloud compute events where a compute instance is
  started and creates a baseline of most recent time, `lastTime` and the first time
  `firstTime` we've seen this region in our dataset grouped by the region for the
  last 30 days
eli5: In this support search, we create a table of the first time `firstTime` and
  most recent time `lastTime` that this region has been seen in our dataset, grouped
  by the region. We only look for those events where an instance has been started.
  All of these entries will be added to the `previously_seen_cloud_regions` lookup
  file, which will act like a baseline for detections.
how_to_implement: You must be ingesting the approrpiate cloud infrastructure logs
  and have the Security Research cloud data model installed.
id: b5e232db-dec6-4db8-aaa1-dd5474521e40
known_false_positives: ''
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
modification_date: '2019-10-02'
name: Previously Seen Cloud Regions
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'