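# Baseline (spec v2) that seeds the `previously_seen_cloud_compute_images`
# lookup with the first/last time each compute image id was used to launch
# an instance. The lookup is the "known good" reference that a companion
# new-image detection presumably consumes; verify against the detection
# that references this lookup before changing field names here.
baseline:
  splunk:
    # Lookup this baseline writes; it must exist as a lookup definition.
    lookups:
      - previously_seen_cloud_compute_images
    # Tuning hook: the input filter macro is the place to exclude noisy
    # accounts/regions without editing the search itself.
    macros:
      - previously_seen_cloud_compute_image_input_filter
    schedule:
      # Empty on purpose in the shipped content: the deployment sets the
      # cadence. Until it does, the lookup is only refreshed when run by hand.
      cron_schedule: ''
      # Relative time modifiers are strings; quoted so a YAML 1.1 parser
      # cannot misread the leading '-' or '@'.
      earliest_time: '-90d@d'
      latest_time: '-10m@m'
    # `outputlookup` without `append=true` overwrites the lookup on every
    # run, so the earliest_time window above is the effective memory of
    # "previously seen": an image last used more than 90 days ago drops
    # out and will look new again. The trailing `stats count` only reports
    # how many rows were written.
    search: >-
      | tstats earliest(_time) as firstTime, latest(_time) as lastTime from
      datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter`
      by Compute.image_id | `drop_dm_object_name("Compute")` | outputlookup previously_seen_cloud_compute_images
      | stats count
# Dates kept quoted so they stay strings rather than YAML timestamps.
creation_date: '2019-10-03'
data_metadata:
  data_models:
    - Cloud_Infrastructure
  data_source:
    - Cloud Infrastructure Logs
  providing_technologies:
    - AWS
    - Azure
    - GCP
description: This search builds a table of previously seen images used to launch cloud
  compute instances
eli5: In this support search, we create a table of the earliest and latest time for
  each image id that has been seen. This table is then output to a csv file.
how_to_implement: You must be ingesting the appropriate cloud infrastructure logs
  and have the Security Research cloud data model installed.
id: 3782ad10-5ce2-46e2-b9c4-1de9ecd3aecc
# Empty is expected for a baseline: it populates a lookup and does not alert.
known_false_positives: ''
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
# NOTE(review): modification_date precedes creation_date; one of the two
# values looks wrong — confirm against the upstream history.
modification_date: '2018-03-12'
name: Previously Seen Cloud Compute Images
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
spec_version: 2
type: splunk
# Quoted so '1.0' stays a version string and is not read as the float 1.
version: '1.0'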