forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathpreviously_seen_ec2_modifications.yml
More file actions
42 lines (42 loc) · 1.53 KB
/
previously_seen_ec2_modifications.yml
File metadata and controls
42 lines (42 loc) · 1.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
baseline:
splunk:
schedule:
cron_schedule: ''
earliest_time: -90d@d
latest_time: -10m@m
search: sourcetype=aws:cloudtrail `ec2_modification_api_calls` errorCode=success | spath
output=arn userIdentity.arn | stats earliest(_time) as firstTime latest(_time)
as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user
| stats count
creation_date: '2018-04-05'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search builds a table of previously seen ARNs that have launched
a EC2 instance.
eli5: In this support search, we create a table of the earliest and latest times that
an ARN has modified a EC2 instance. The list of APIs that modify an EC2 are defined
in the `ec2_modification_api_calls` macro for ease of use. This table is then outputted
to a file.
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
id: 4d69091b-d975-4267-85df-888bd41034eb
known_false_positives: ''
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
modification_date: '2018-04-05'
name: Previously Seen EC2 Modifications By User
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
spec_version: 2
type: splunk
version: '1.0'