Cloud Compute Instance Created In Previously Unused Region

Status: production
Severity: low
Group by: All_Changes.user, All_Changes.vendor_region
Author: David Dorsey, Splunk
Source: github.com/splunk/security_content

The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.

MITRE ATT&CK coverage

Tactic	Techniques
Stealth	`T1535` Unused/Unsupported Cloud Regions

Rule body splunk

name: Cloud Compute Instance Created In Previously Unused Region
id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
version: 10
creation_date: '2020-11-30'
modification_date: '2026-05-13'
author: David Dorsey, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation of a cloud compute instance in a region that has not been previously used within the last hour. It leverages cloud infrastructure logs and compares the regions of newly created instances against a lookup file of historically used regions. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.
data_source:
    - AWS CloudTrail
search: |-
    | tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change
      WHERE All_Changes.action=created
      BY All_Changes.vendor_region, All_Changes.user
    | `drop_dm_object_name("All_Changes")`
    | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
    | eventstats max(enough_data) as enough_data
    | where enough_data=1
    | eval firstTimeSeenRegion=min(firstTimeSeen)
    | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
    | table firstTime, user, dest, count , vendor_region
    | `security_content_ctime(firstTime)`
    | `cloud_compute_instance_created_in_previously_unused_region_filter`
how_to_implement: You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.
known_false_positives: It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.
references: []
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: User $user$ is creating an instance $dest$ in a new region for the first time
        - field: user
          type: user
          score: 20
          message: User $user$ is creating an instance $dest$ in a new region for the first time
analytic_story:
    - Cloud Cryptomining
asset_type: Cloud Compute Instance
mitre_attack_id:
    - T1535
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
baselines:
    - Previously Seen Cloud Regions - Update
    - Previously Seen Cloud Regions - Initial
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail
      description: PORTED MANUAL TEST - This search needs the baseline `Previously Seen Cloud Regions - Update` to be run first.
      test_type: experimental

Stages and Predicates

Stage 1: `tstats`

| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change
  WHERE All_Changes.action=created
  BY All_Changes.vendor_region, All_Changes.user

Stage 2: `search`

| `drop_dm_object_name("All_Changes")`

Stage 3: `lookup`

| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data

Lookup table: previously_seen_cloud_regions
Key field: vendor_region
Output columns: ['firstTimeSeen', 'firstTimeSeen'], ['enough_data', 'enough_data']

Stage 4: `eventstats`

| eventstats max(enough_data) as enough_data

Stage 5: `where`

| where enough_data=1

Stage 6: `eval`

| eval firstTimeSeenRegion=min(firstTimeSeen)

Stage 7: `where`

| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")

Stage 8: `table`

| table firstTime, user, dest, count , vendor_region

Stage 9: `search`

| `security_content_ctime(firstTime)`

Stage 10: `search`

| `cloud_compute_instance_created_in_previously_unused_region_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`All_Changes.action`	eq	`created`
`enough_data`	eq	`1`
`firstTimeSeenRegion`	is_null	(no value, null check)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Cloud Compute Instance Created In Previously Unused Region

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `lookup`

Stage 4: `eventstats`

Stage 5: `where`

Stage 6: `eval`

Stage 7: `where`

Stage 8: `table`

Stage 9: `search`

Stage 10: `search`

Indicators

Keyboard shortcuts

Search operators

Cloud Compute Instance Created In Previously Unused Region

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: lookup

Stage 4: eventstats

Stage 5: where

Stage 6: eval

Stage 7: where

Stage 8: table

Stage 9: search

Stage 10: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `lookup`

Stage 4: `eventstats`

Stage 5: `where`

Stage 6: `eval`

Stage 7: `where`

Stage 8: `table`

Stage 9: `search`

Stage 10: `search`