Hi all, I have a bit of a challenge in building a detection, hoping someone has a good idea.
Scenario
We have a couple of Windows hosts in a dedicated AWS account which should only be turned on temporarily. I am looking to build a combination of CloudTrail and agent events
in a sequence to detect when the hosts are not turned off (keep running). The agent policy applied has:
- defend with all windows events ingested
- system
- windows
- osquery
CloudTrail events are ingested using the Filebeat module. In theory this works:
sequence by cloud.account.id with maxspan=6h
[any where cloud.account.id:"aamyaccountid"] by host.name
![any where event.dataset:"aws.cloudtrail" and event.action:"StopInstances"] by aws.cloudtrail.flattened.request_parameters.instancesSet.items.instanceId
However, the aws.cloudtrail.flattened.request_parameters.instancesSet.items.instanceId
field cannot be used because it's flattened.
It is also a list of values. From what I can tell, AWS doesn't shut down the OS but rather the VM, so no Windows shutdown events are logged.
Does anyone have a good idea?
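The detection logic described in the post (a start with no StopInstances inside a 6h window, keyed per instance), as an added example that is not code from the post or from Elastic: it expands the instancesSet.items list of a CloudTrail request into individual instance IDs and evaluates the rule over constructed sample events. Field names, the sample account ID and instance IDs are assumptions.

```python
from datetime import datetime, timedelta

MAXSPAN = timedelta(hours=6)  # same window as maxspan=6h in the EQL sequence


def parse_ts(value):
    """CloudTrail timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def instance_ids(event):
    """Expand request_parameters.instancesSet.items (a list) into its instanceId values."""
    items = event.get("request_parameters", {}).get("instancesSet", {}).get("items", [])
    if isinstance(items, dict):  # a single item is sometimes emitted as one object
        items = [items]
    return [item["instanceId"] for item in items if "instanceId" in item]


def find_unstopped(events, now, maxspan=MAXSPAN):
    """Return (account, instance, started_at) for instances started more than maxspan
    before `now` that received no StopInstances within maxspan of the start."""
    started = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        ts = parse_ts(ev["@timestamp"])
        for iid in instance_ids(ev):
            key = (ev["cloud.account.id"], iid)
            if ev["event.action"] in ("StartInstances", "RunInstances"):
                started[key] = ts  # a fresh start resets the window
            elif ev["event.action"] == "StopInstances" and key in started:
                if ts - started[key] <= maxspan:
                    del started[key]  # stopped in time, nothing to alert on
    return sorted((acct, iid, ts.isoformat())
                  for (acct, iid), ts in started.items() if now - ts > maxspan)


def make_event(ts, action, ids, account="123456789012"):
    """Build a constructed CloudTrail-like event (hypothetical account ID)."""
    return {"@timestamp": ts, "event.action": action, "cloud.account.id": account,
            "request_parameters": {"instancesSet": {"items": [{"instanceId": i} for i in ids]}}}


# Constructed sample events: i-0aaa is stopped in time, i-0bbb never is, i-0ccc is too recent.
SAMPLE_EVENTS = [
    make_event("2024-01-01T08:00:00Z", "StartInstances", ["i-0aaa", "i-0bbb"]),
    make_event("2024-01-01T10:00:00Z", "StopInstances", ["i-0aaa"]),
    make_event("2024-01-01T18:00:00Z", "StartInstances", ["i-0ccc"]),
]
NOW = parse_ts("2024-01-01T20:00:00Z")

if __name__ == "__main__":
    print(find_unstopped(SAMPLE_EVENTS, NOW))
```

Running it prints only i-0bbb, which was started twelve hours before `NOW` and never stopped; i-0ccc is still inside the window, so it is not reported yet.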