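# Baseline (support) search: builds the lookup of users previously seen
# launching cloud compute instances. A detection that keys off "first time
# seen" behaviour presumably reads this lookup; if the baseline is not kept
# fresh, that detection's notion of "new" drifts (hedged — the consuming
# detection is not part of this file).
baseline:
  splunk:
    # The lookup this search (re)writes via outputlookup.
    lookups:
      - previously_seen_cloud_compute_creations_by_user
    # Input-filter macro: anything excluded here never enters the baseline,
    # so it also shapes what a downstream detection treats as "never seen".
    macros:
      - previously_seen_cloud_compute_creations_by_user_input_filter
    schedule:
      # NOTE(review): empty cron_schedule means this baseline is never run on
      # a schedule as shipped; the lookup only exists if someone runs the
      # search manually. Set a schedule (placeholder: <CRON_EXPRESSION>) so
      # the lookup is refreshed and the -90d window below actually applies.
      cron_schedule: ''
      # 90-day lookback defines what counts as "previously seen".
      earliest_time: -90d@d
      latest_time: -10m@m
    # Earliest/latest creation time per source user, written to the lookup.
    # Trailing `| stats count` only gives the scheduler a result row.
    search: >-
      | tstats earliest(_time) as firstTime, latest(_time) as lastTime from
      datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_creations_by_user_input_filter`
      by Compute.src_user | `drop_dm_object_name("Compute")` | outputlookup previously_seen_cloud_compute_creations_by_user
      | stats count
creation_date: '2019-10-03'
data_metadata:
  data_models:
    - Cloud_Infrastructure
  data_source:
    - Cloud Infrastructure Logs
  providing_technologies:
    - AWS
    - Azure
    - GCP
description: This search builds a table of previously seen users that have launched
  a cloud compute instance.
eli5: In this support search, we create a table of the earliest and latest time for
  each user that has created a cloud compute instance.
how_to_implement: You must be ingesting the appropriate cloud infrastructure logs
  and have the Security Research cloud data model installed.
id: 9fa1c205-4e08-4681-bb1b-d0943e734b85
# Left empty by the author; a baseline itself does not alert, so this is
# expected to be populated on the consuming detection instead.
known_false_positives: ''
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
# NOTE(review): modification_date predates creation_date above; one of the
# two looks stale — confirm against repository history.
modification_date: '2018-03-15'
name: Previously Seen Cloud Compute Creations By User
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'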