EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Cloud Compute Instance Created With Previously Unseen Image

The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.

Detection Query

| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest FROM datamodel=Change
  WHERE All_Changes.action=created
  BY All_Changes.Instance_Changes.image_id, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where image_id != "unknown"
| lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenImage=min(firstTimeSeen)
| where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h")
| table firstTime, user, image_id, count, dest
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_image_filter`

Author

David Dorsey, Splunk

Created

2026-03-10

Data Sources

AWS CloudTrail

Tags

Cloud Cryptomining
Raw Content
name: Cloud Compute Instance Created With Previously Unseen Image
id: bc24922d-987c-4645-b288-f8c73ec194c4
version: 8
date: '2026-03-10'
author: David Dorsey, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.
data_source:
    - AWS CloudTrail
search: |-
    | tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest FROM datamodel=Change
      WHERE All_Changes.action=created
      BY All_Changes.Instance_Changes.image_id, All_Changes.user
    | `drop_dm_object_name("All_Changes")`
    | `drop_dm_object_name("Instance_Changes")`
    | where image_id != "unknown"
    | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data
    | eventstats max(enough_data) as enough_data
    | where enough_data=1
    | eval firstTimeSeenImage=min(firstTimeSeen)
    | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h")
    | table firstTime, user, image_id, count, dest
    | `security_content_ctime(firstTime)`
    | `cloud_compute_instance_created_with_previously_unseen_image_filter`
how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.
known_false_positives: After a new image is created, the first systems created with that image will cause this alert to fire.  Verify that the image being used was created by a legitimate user.
references: []
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: User $user$ is creating an instance $dest$ with an image that has not been previously seen.
    risk_objects:
        - field: dest
          type: system
          score: 20
        - field: user
          type: user
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Cloud Cryptomining
    asset_type: Cloud Compute Instance
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
    manual_test: This search needs the baseline `Previously Seen Cloud Compute Images - Initial` to be run first.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail