forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathpreviously_seen_ec2_amis.yml
More file actions
40 lines (40 loc) · 1.32 KB
/
previously_seen_ec2_amis.yml
File metadata and controls
40 lines (40 loc) · 1.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
baseline:
splunk:
schedule:
cron_schedule: ''
earliest_time: -90d@d
latest_time: -10m@m
search: sourcetype=aws:cloudtrail eventName=RunInstances errorCode=success | rename
requestParameters.instancesSet.items{}.imageId as amiID | stats earliest(_time)
as firstTime latest(_time) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv
| stats count
creation_date: '2018-03-12'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search builds a table of previously seen AMIs used to launch EC2
instances
eli5: In this support search, we create a table of the earliest and latest time that
a specific AMI ID has been seen. This table is then outputted to a csv file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs.
id: bb1bd99d-1e93-45f1-9571-cfed42d372b9
known_false_positives: ''
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
modification_date: '2018-03-12'
name: Previously Seen EC2 AMIs
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'