← Back to Explore
splunk_escuAnomaly
Cloud Compute Instance Created With Previously Unseen Instance Type
The following analytic detects the creation of EC2 instances with previously unseen instance types. It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded. This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes. If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.
MITRE ATT&CK
Detection Query
| tstats count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Changes.object_id) as dest
FROM datamodel=Change WHERE
All_Changes.action=created
BY All_Changes.Instance_Changes.instance_type All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where instance_type != "unknown"
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenInstanceType=min(firstTimeSeen)
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, instance_type
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`Author
David Dorsey, Splunk
Created
2026-03-25
Data Sources
AWS CloudTrail
Tags
Cloud Cryptomining
Raw Content
name: Cloud Compute Instance Created With Previously Unseen Instance Type
id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
version: 9
date: '2026-03-25'
author: David Dorsey, Splunk
status: production
type: Anomaly
description: |-
The following analytic detects the creation of EC2 instances with previously unseen instance types.
It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded.
This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes.
If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.
data_source:
- AWS CloudTrail
search: |-
| tstats count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Changes.object_id) as dest
FROM datamodel=Change WHERE
All_Changes.action=created
BY All_Changes.Instance_Changes.instance_type All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where instance_type != "unknown"
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenInstanceType=min(firstTimeSeen)
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, instance_type
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`
how_to_implement: |-
You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.
known_false_positives: |-
It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.
references: []
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: User $user$ is creating an instance $dest$ with an instance type $instance_type$ that has not been previously seen.
risk_objects:
- field: dest
type: system
score: 20
- field: user
type: user
score: 20
threat_objects: []
tags:
analytic_story:
- Cloud Cryptomining
asset_type: Cloud Compute Instance
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: threat
mitre_attack_id:
- T1578.002
manual_test: This search needs the baseline `Previously Seen Cloud Compute Instance Types - Initial` to be run first.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail