forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpreviously_seen_ec2_modifications_by_user.yml
More file actions
31 lines (31 loc) · 1.12 KB
/
previously_seen_ec2_modifications_by_user.yml
File metadata and controls
31 lines (31 loc) · 1.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
name: Previously Seen EC2 Modifications By User
id: 4d69091b-d975-4267-85df-888bd41034eb
version: 1
date: '2018-04-05'
author: David Dorsey, Splunk
type: Baseline
datamodel: []
description: This search builds a table of previously seen ARNs that have launched
a EC2 instance.
search: '`cloudtrail` `ec2_modification_api_calls` errorCode=success | spath output=arn
userIdentity.arn | stats earliest(_time) as firstTime latest(_time) as lastTime
by arn | outputlookup previously_seen_ec2_modifications_by_user | stats count'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
inputs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.
known_false_positives: none
references: []
tags:
analytic_story:
- Unusual AWS EC2 Modifications
detections:
- EC2 Instance Modified With Previously Unseen User
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- userIdentity.arn
- errorCode
security_domain: network