Versions Compared

Version Old Version 1 New Version 2
Changes made by

Laszlo Frazer

Laszlo Frazer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

An analyst wants to detect <adjective> malicious behavior in <data source>requests to the content delivery network.  Using the <name> CloudFront SQS collector to send <type> request logs to Devo, the analyst will find <outcome>DDoS attempts.  As a result, the analyst will <verb> the <entity>, preventing  them from <tactic>scale web services, preventing them from failing.

Example tables

Table

Description

cloud.aws.cloudfront.web_1

Content CloudFront content delivery network activity

web.all.access

All web activity logs

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Update or create a CloudFront Distribution.

    2. Turn log delivery on.

    3. Enable cookie logging so that cookie poisoning attacks can be investigated.

    4. Select Amazon S3 as the delivery method.

    5. Enter the destination bucket created in Step 1.

    6. Devo requires that the default 33 fields be selected.

    7. Devo does not require partitioning.

    8. Select “Plain text” format.

    9. Select “\t” field delimiters.

      image-20250124-183754.png

...

Code Block
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_control_tower": {}
      },
      "credentials": {
              "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
              "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

CloudFront logs work with these Exchange Activeboards:

Devo provides compatible alert packs:

Access from unexpected location

Code Block
/* 
Get a list of edge locations where CloudFront was accessed
to search for access from geographies that should not be using 
the application.
*/
from cloud.aws.cloudfront.web_1 group by x_edge_location

Malicious redirect created

Code Block
/*
Get a list of redirects to check if a malicious person is
directing users to phishing.
*/
from cloud.aws.cloudfront.web_1 
where eq(x_edge_result_type,"Redirect"),
toktains(cs_uri_stem,"login")//redirect to phishing login page
group by cs_Host, cs_uri_stem

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

...