splunk_escu | Anomaly
Cloud Compute Instance Created By Previously Unseen User
The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
MITRE ATT&CK
T1078.004
Detection Query
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest FROM datamodel=Change
WHERE All_Changes.action=created
BY All_Changes.user All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_by_previously_unseen_user_filter`
Author
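The SPL above cannot be run outside Splunk, so the following is an added example (not Splunk or ESCU code) that replays the same pipeline in plain Python over constructed Change-model events and a constructed stand-in for the `previously_seen_cloud_compute_creations_by_user` lookup. It reproduces the three decisions the query makes: aggregate `created` actions by user and region, suppress everything while the baseline has no row with `enough_data=1`, and alert on users who are absent from the baseline or whose `firstTimeSeen` falls inside the hour-snapped 24h window. All user names, instance ids, regions and timestamps are made up.

```python
# Added example: a plain-Python replay of the page's SPL pipeline so the
# baseline gating can be exercised offline. Not Splunk/ESCU code; every
# event, user and baseline value below is constructed.

HOUR = 3600
NOW = 1_700_000_000  # constructed "now" epoch so results are deterministic

# Constructed Change-data-model style events (fields already normalised).
EVENTS = [
    {"_time": NOW - 2 * HOUR, "user": "alice", "action": "created", "vendor_region": "us-east-1", "object": "i-0a1"},
    {"_time": NOW - HOUR,     "user": "alice", "action": "created", "vendor_region": "us-east-1", "object": "i-0a2"},
    {"_time": NOW - 600,      "user": "bob",   "action": "created", "vendor_region": "eu-west-1", "object": "i-0b1"},
    {"_time": NOW - 300,      "user": "carol", "action": "created", "vendor_region": "us-west-2", "object": "i-0c1"},
    {"_time": NOW - 100,      "user": "dave",  "action": "deleted", "vendor_region": "us-east-1", "object": "i-0d1"},
]

# Constructed stand-in for the previously_seen_cloud_compute_creations_by_user
# lookup: alice is long established, carol first appeared two hours ago,
# bob has never been seen creating instances.
BASELINE = {
    "alice": {"firstTimeSeen": NOW - 30 * 24 * HOUR, "enough_data": 1},
    "carol": {"firstTimeSeen": NOW - 2 * HOUR, "enough_data": 1},
}


def aggregate_creations(events):
    """tstats count, earliest/latest(_time), values(object) BY user, vendor_region
    restricted to All_Changes.action=created."""
    groups = {}
    for e in events:
        if e["action"] != "created":
            continue
        key = (e["user"], e["vendor_region"])
        g = groups.setdefault(key, {
            "user": e["user"], "vendor_region": e["vendor_region"],
            "count": 0, "firstTime": e["_time"], "lastTime": e["_time"], "dest": set(),
        })
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
        g["dest"].add(e["object"])
    return list(groups.values())


def window_cutoff(now, hours=24):
    """relative_time(now(), "-24h@h"): step back 24h, then snap down to the hour."""
    return ((now - hours * HOUR) // HOUR) * HOUR


def detect_previously_unseen(events, baseline, now):
    rows = aggregate_creations(events)
    # lookup ... OUTPUTNEW firstTimeSeen, enough_data (null where the user is absent)
    for r in rows:
        seen = baseline.get(r["user"])
        r["firstTimeSeen"] = seen["firstTimeSeen"] if seen else None
        r["enough_data"] = seen["enough_data"] if seen else None
    # eventstats max(enough_data) | where enough_data=1: if no row carries
    # enough_data=1 the baseline is immature and the whole result is suppressed.
    if max((r["enough_data"] or 0 for r in rows), default=0) != 1:
        return []
    cutoff = window_cutoff(now)
    alerts = []
    for r in rows:
        first_seen = r["firstTimeSeen"]  # eval firstTimeSeenUser=min(firstTimeSeen)
        # where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
        if first_seen is None or first_seen > cutoff:
            alerts.append({
                "firstTime": r["firstTime"], "user": r["user"],
                "dest": sorted(r["dest"]), "count": r["count"],
                "vendor_region": r["vendor_region"],
            })
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_previously_unseen(EVENTS, BASELINE, NOW):
        print(alert)
```

Two behaviours worth noticing when tuning this detection: a user who appears in the baseline but only within the last 24 hours (carol) still alerts, so the support search can run ahead of the detection without hiding brand-new creators; and when the baseline lookup has no `enough_data=1` row at all, the `eventstats`/`where` pair suppresses every result rather than flooding the console with "unseen" users on day one.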
Rico Valdez, Splunk
Created
2026-03-10
Data Sources
AWS CloudTrail
Tags
Cloud Cryptomining
Raw Content
name: Cloud Compute Instance Created By Previously Unseen User
id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
version: 10
date: '2026-03-10'
author: Rico Valdez, Splunk
status: production
type: Anomaly
description: The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
data_source:
- AWS CloudTrail
search: |-
  | tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest FROM datamodel=Change
  WHERE All_Changes.action=created
  BY All_Changes.user All_Changes.vendor_region
  | `drop_dm_object_name("All_Changes")`
  | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
  | eventstats max(enough_data) as enough_data
  | where enough_data=1
  | eval firstTimeSeenUser=min(firstTimeSeen)
  | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
  | table firstTime, user, dest, count vendor_region
  | `security_content_ctime(firstTime)`
  | `cloud_compute_instance_created_by_previously_unseen_user_filter`
how_to_implement: You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.
known_false_positives: It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.
references: []
drilldown_searches:
- name: View the detection results for - "$dest$"
  search: '%original_detection_search% | search dest = "$dest$"'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: User $user$ is creating a new instance $dest$ for the first time
  risk_objects:
  - field: dest
    type: system
    score: 20
  - field: user
    type: user
    score: 20
  threat_objects: []
tags:
  analytic_story:
  - Cloud Cryptomining
  asset_type: Cloud Compute Instance
  mitre_attack_id:
  - T1078.004
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: threat
  manual_test: This search needs the baseline `Previously Seen Cloud Compute Creations By User` to be run first.
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
    sourcetype: aws:cloudtrail
    source: aws_cloudtrail