security-content/detections/cloud_compute_instance_created_with_previously_unseen_image_id.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
asset_type: Cloud Compute Instance
baselines:
  - id: 3782ad10-5ce2-46e2-b9c4-1de9ecd3aecc
    name: Previously Seen Cloud Compute Images
    type: splunk
confidence: medium
creation_date: '2019-10-03'
data_metadata:
  data_models:
    - Cloud_Infrastructure
  data_source:
    - Cloud Infrastructure Logs
  providing_technologies:
    - AWS
    - Azure
    - GCP
description: This search looks for cloud compute instances being created with previously
  unseen image IDs.
detect:
  splunk:
    correlation_rule:
      lookups:
        - previously_seen_cloud_compute_images
      macros:
        - previously_seen_cloud_compute_image_input_filter
        - previously_seen_cloud_compute_image_search_window_begin_offset
      notable:
        drilldown_name: Show all instances created with image $image_id$
        drilldown_search: '| from datamodel:Cloud_Infrastructure.Compute | image_id=$image_id$'
        nes_fields: dest
        rule_description: The cloud compute instance $dest$ was created with previously
          unused image $image_id$.
        rule_title: Cloud Compute Instances Created With New Image
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 30
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(Compute.dest)
        as dest from datamodel=Cloud_Infrastructure.Compute where Compute.action=run `previously_seen_cloud_compute_image_input_filter`
        by Compute.image_id, Compute.src_user | `drop_dm_object_name("Compute")` |
        inputlookup append=t previously_seen_cloud_compute_images | stats min(firstTime)
        as firstTime max(lastTime) as lastTime, values(dest) as dest by image_id,
        src_user | multireport [| table image_id, firstTime, lastTime | outputlookup
        previously_seen_cloud_compute_images | where fact=fiction][| eval new_image=if(firstTime
        >= relative_time(now(), `previously_seen_cloud_compute_image_search_window_begin_offset`), 1, 0) | where new_image=1 | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`] | table image_id, dest, src_user, firstTime, lastTime'
      suppress:
        suppress_fields: dest
        suppress_period: 14400s
eli5: For each image ID and user, the search returns the first time seen, last time seen, and the systems. It then appends the historical data and merges it into the
  data. The search then splits and outputs the updated times for each image back to
  the lookup file and clears out any output. The other part of the search limits
  the results to when the image was seen for the first time within the previous 70 minutes. It then displays the new image, the instances created using it, the
  user who created it, and the associated times.
entities:
  - dest
  - src_user
how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs
  and have the Security Research cloud data model (https://github.com/splunk/cloud-datamodel-security-research/)
  installed. Run the "Previously Seen Cloud Compute Images" support search to create
  a baseline of previously seen images.
id:  bc24922d-987c-4645-b288-f8c73ec194c4
investigations:
  - id: 2ef6310f-8e79-42af-b20b-b4eeaba9608a
    name: Investigate User Activities In All Cloud Regions
    type: splunk
  - id: 33a95cf2-900c-4636-8fca-5c5f71474720
    name: Investigate Cloud Compute Instance Activities
    type: splunk
known_false_positives: After a new image is created, the first systems created with
  that image will cause this alert to fire.  Verify that the image being used was
  created by a legitimate user.
maintainers:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
mappings:
  cis20:
    - CIS 1
  nist:
    - ID.AM
modification_date: '2018-10-12'
name: Cloud Compute Instance Created With Previously Unseen Image
original_authors:
  - company: Splunk
    email: davidd@splunk.com
    name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '1.0'