DS0030 Instance
A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers [1][2]
Item | Value |
---|---|
ID | DS0030 |
Platforms | IaaS |
Collection Layers | Cloud Control Plane |
Version | 1.0 |
Created | 20 October 2021 |
Last Modified | 20 October 2021 |
Data Components
Instance Creation
Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.002 | Create Cloud Instance |
enterprise | T1535 | Unused/Unsupported Cloud Regions |
enterprise | T1204 | User Execution |
enterprise | T1204.003 | Malicious Image |
Instance Deletion
Removal of an instance (ex: instance.delete within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1485 | Data Destruction |
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.003 | Delete Cloud Instance |
Instance Enumeration
An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1580 | Cloud Infrastructure Discovery |
Instance Metadata
Contextual data about an instance and activity around it such as name, type, or status
Domain | ID | Name |
---|---|---|
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.002 | Create Cloud Instance |
enterprise | T1578.003 | Delete Cloud Instance |
enterprise | T1578.004 | Revert Cloud Instance |
enterprise | T1535 | Unused/Unsupported Cloud Regions |
Instance Modification
Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.004 | Revert Cloud Instance |
Instance Start
Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.004 | Revert Cloud Instance |
enterprise | T1204 | User Execution |
enterprise | T1204.003 | Malicious Image |
Instance Stop
Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs)
Domain | ID | Name |
---|---|---|
enterprise | T1578 | Modify Cloud Compute Infrastructure |
enterprise | T1578.004 | Revert Cloud Instance |
References
1. Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved October 13, 2021.
2. Google. (n.d.). Virtual machine instances. Retrieved October 13, 2021.
3. Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. Retrieved June 17, 2020.
4. Microsoft. (n.d.). View Azure activity logs. Retrieved June 17, 2020.