splApache-2.0from splunk/security_content

Cloud Provisioning Activity From Previously Unseen Region

The following analytic detects cloud provisioning activities originating from previously unseen regions. It leverages cloud infrastructure logs to identify events where resources are started or created, and cross-references these with a baseline of known regions. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from unfamiliar locations. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.