forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathec2_instance_started_with_previously_unseen_ami.yml
More file actions
88 lines (88 loc) · 3.5 KB
/
ec2_instance_started_with_previously_unseen_ami.yml
File metadata and controls
88 lines (88 loc) · 3.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
asset_type: AWS Instance
baselines:
- id: bb1bd99d-1e93-45f1-9571-cfed42d372b9
name: Previously Seen EC2 AMIs
type: splunk
confidence: medium
creation_date: '2018-03-12'
data_metadata:
data_source:
- AWS CloudTrail logs
data_sourcetypes:
- aws:cloudtrail
providing_technologies:
- AWS
description: This search looks for EC2 instances being created with previously unseen
AMIs.
detect:
splunk:
correlation_rule:
notable:
nes_fields: dest
rule_description: The EC2 instance $dest$ was created with previously unused
AMI $amiID$
rule_title: EC2 Instance Type $dest$ Created With New AMI
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 30
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: sourcetype=aws:cloudtrail eventName=RunInstances [search sourcetype=aws:cloudtrail
eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime
latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId
| rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup
append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime)
as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime
>= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
| where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId
| table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType
as instanceType, responseElements.instancesSet.items{}.instanceId as dest,
userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as
amiID | table firstTime, lastTime, arn, amiID, dest, instanceType
suppress:
suppress_fields: dest
suppress_period: 14400s
eli5: The subsearch returns the AMI image ID of all successful EC2 instance launches
within the last hour and then appends the historical data from the lookup file to
those results. It then recalculates the earliest and latest seen time field for
each AMI image ID and returns only those AMI image IDs that have first been seen
in the past hour. This is combined with the main search to return the time, user,
and instance id of those systems.
entities:
- dest
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
inputs. This search works best when you run the "Previously Seen EC2 AMIs" support
search once to create a history of previously seen AMIs.
id: 347ec301-601b-48b9-81aa-9ddf9c829dd3
investigations:
- id: 0e40fe83-3edb-4d86-8206-8fed36529ca6
name: Get EC2 Launch Details
type: splunk
known_false_positives: After a new AMI is created, the first systems created with
that AMI will cause this alert to fire. Verify that the AMI being used was created
by a legitimate user.
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
mappings:
cis20:
- CIS 1
nist:
- ID.AM
modification_date: '2018-03-12'
name: EC2 Instance Started With Previously Unseen AMI
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '1.0'