EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

Cloud Compute Instance Created In Previously Unused Region

The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.

Detection Query

| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change
  WHERE All_Changes.action=created
  BY All_Changes.vendor_region, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenRegion=min(firstTimeSeen)
| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count , vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_in_previously_unused_region_filter`

Author

David Dorsey, Splunk

Data Sources

AWS CloudTrail
Raw Content
name: Cloud Compute Instance Created In Previously Unused Region
id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
version: 10
creation_date: '2020-11-30'
modification_date: '2026-05-13'
author: David Dorsey, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.
data_source:
    - AWS CloudTrail
search: |-
    | tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change
      WHERE All_Changes.action=created
      BY All_Changes.vendor_region, All_Changes.user
    | `drop_dm_object_name("All_Changes")`
    | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
    | eventstats max(enough_data) as enough_data
    | where enough_data=1
    | eval firstTimeSeenRegion=min(firstTimeSeen)
    | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
    | table firstTime, user, dest, count , vendor_region
    | `security_content_ctime(firstTime)`
    | `cloud_compute_instance_created_in_previously_unused_region_filter`
how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.
known_false_positives: It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
references: []
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: User $user$ is creating an instance $dest$ in a new region for the first time
        - field: user
          type: user
          score: 20
          message: User $user$ is creating an instance $dest$ in a new region for the first time
analytic_story:
    - Cloud Cryptomining
asset_type: Cloud Compute Instance
mitre_attack_id:
    - T1535
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
baselines:
    - Previously Seen Cloud Regions - Update
    - Previously Seen Cloud Regions - Initial
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail
      description: PORTED MANUAL TEST - This search needs the baseline `Previously Seen Cloud Regions - Update` to be run first.
      test_type: experimental