Fix more errors with missing lookups, baselines, and detections

Author: pyth0n1c

baselines/deprecated/previously_seen_ec2_amis.yml

@@ -1,14 +1,14 @@
 name: Previously Seen EC2 AMIs
 id: bb1bd99d-1e93-45f1-9571-cfed42d372b9
-version: 1
-date: '2018-03-12'
+version: 2
+date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
 description: This search builds a table of previously seen AMIs used to launch EC2
   instances
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instancesSet.items{}.imageId
   as amiID | stats earliest(_time) as firstTime latest(_time) as lastTime by amiID
-  | outputlookup previously_seen_ec2_amis | stats count'
+  | outputlookup previously_seen_ec2_amis_baseline | stats count'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
   inputs.

baselines/deprecated/previously_seen_ec2_instance_types.yml

@@ -1,13 +1,13 @@
 name: Previously Seen EC2 Instance Types
 id: b8f029f2-65a6-4d76-be98-dad1c9d59c45
-version: 1
-date: '2018-03-08'
+version: 2
+date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
 description: This search builds a table of previously seen EC2 instance types
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename requestParameters.instanceType
   as instanceType | fillnull value="m1.small" instanceType | stats earliest(_time)
-  as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types
+  as earliest latest(_time) as latest by instanceType | outputlookup previously_seen_ec2_instance_types_lookup
   | stats count'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail

baselines/deprecated/previously_seen_ec2_launches_by_user.yml

@@ -1,14 +1,14 @@
 name: Previously Seen EC2 Launches By User
 id: 6c767ac0-0906-4355-9a83-927f5ee7bdad
-version: 1
-date: '2018-03-15'
+version: 2
+date: '2025-01-16'
 author: David Dorsey, Splunk
 type: Baseline
 description: This search builds a table of previously seen ARNs that have launched
   a EC2 instance.
 search: '`cloudtrail` eventName=RunInstances errorCode=success | rename userIdentity.arn
   as arn | stats earliest(_time) as firstTime latest(_time) as lastTime by arn | outputlookup
-  previously_seen_ec2_launches_by_user | stats count'
+  previously_seen_ec2_launches_by_user_lookup | stats count'
 how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
   and Splunk Add-on for AWS version (4.4.0 or later), then configure your CloudTrail
   inputs.

detections/deprecated/ec2_instance_started_with_previously_unseen_ami.yml

@@ -1,7 +1,7 @@
 name: EC2 Instance Started With Previously Unseen AMI
 id: 347ec301-601b-48b9-81aa-9ddf9c829dd3
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-01-16'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -12,8 +12,8 @@ data_source: []
 search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances
   errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime
   by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId
-  as amiID | inputlookup append=t previously_seen_ec2_amis | stats min(firstTime)
-  as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis
+  as amiID | inputlookup append=t previously_seen_ec2_amis_lookup | stats min(firstTime)
+  as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis_lookup
   | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`
   | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId
   | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType

detections/deprecated/ec2_instance_started_with_previously_unseen_instance_type.yml

@@ -1,7 +1,7 @@
 name: EC2 Instance Started With Previously Unseen Instance Type
 id: 65541c80-03c7-4e05-83c8-1dcd57a2e1ad
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-01-16'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -12,9 +12,9 @@ data_source: []
 search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances
   errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats
   earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType
-  | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types
+  | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types_lookup
   | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup
-  previously_seen_ec2_instance_types | eval newType=if(earliest >= relative_time(now(),
+  previously_seen_ec2_instance_types_lookup | eval newType=if(earliest >= relative_time(now(),
   "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)`
   | where newType=1 | rename instanceType as requestParameters.instanceType | table
   requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType

detections/deprecated/ec2_instance_started_with_previously_unseen_user.yml

@@ -1,7 +1,7 @@
 name: EC2 Instance Started With Previously Unseen User
 id: 22773e84-bac0-4595-b086-20d3f735b4f1
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-01-16'
 author: David Dorsey, Splunk
 status: deprecated
 type: Anomaly
@@ -11,9 +11,9 @@ description: This search looks for EC2 instances being created by users who have
 data_source: []
 search: '`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances
   errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime
-  by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user
+  by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user_lookup
   | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup
-  previously_seen_ec2_launches_by_user | eval newUser=if(firstTime >= relative_time(now(),
+  previously_seen_ec2_launches_by_user_lookup | eval newUser=if(firstTime >= relative_time(now(),
   "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType
   as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn

lookups/previously_seen_ec2_amis_lookup.yml

@@ -0,0 +1,12 @@
+name: previously_seen_ec2_amis_lookup
+date: 2025-01-16
+version: 2
+id: a0d24031-61b5-44b8-89f9-17f844415b8a
+author: Splunk Threat Research Team
+lookup_type: kvstore
+description: A place holder for a list of used Previously Seen EC2 AMIs
+fields: 
+- _key
+- firstTime
+- lastTime
+- amiID

lookups/previously_seen_ec2_instance_types_lookup.yml

@@ -0,0 +1,12 @@
+name: previously_seen_ec2_instance_types_lookup
+date: 2025-01-16
+version: 2
+id: 37507f63-27c5-488e-ba5b-cf38274997ff
+author: Splunk Threat Research Team
+lookup_type: kvstore
+description: A place holder for a list of used previously seen EC2 instance types. 
+fields: 
+- _key
+- earliest
+- latest
+- instanceType

lookups/previously_seen_ec2_launches_by_user_lookup.yml

@@ -0,0 +1,12 @@
+name: previously_seen_ec2_launches_by_user_lookup
+date: 2025-01-16
+version: 2
+id: a4a6d268-3c88-4996-b634-2edc33344a0a
+author: Splunk Threat Research Team
+lookup_type: kvstore
+description: A place holder for a list of previouslyt seen EC2 launches by user
+fields: 
+- _key
+- firstTime
+- lastTime
+- arn