Connections from a new IP to a subnet, say prod-customer-data subnet, which is in-scope (e.g. GDPR, PCI, or other).
New IP is any src IP address first-time seen in the last 24 hours.
Default lookback window is 60 days.
Category: Network Activity
Use Cases: Audit, Detect, Respond
Data Sources: VPC Flow Logs
| BigQuery | Chronicle | Log Analytics |
|---|---|---|
| SQL | Contribute rule | Contribute query |
No event generation steps provided. Contribute emulation test to this use case.
No log samples provided. Contribute log samples to this use case.