Purpose

An analyst wants to detect malicious behavior in AWS. Using the CloudTrail SQS collector, the analyst will find every management and data action taken by AWS principals. As a result, the analyst will revoke the malicious principal’s role, preventing them from disabling cloud services.

Example tables

Table                  Description
cloud.aws.cloudtrail   Actions taken in all AWS resources enabled in CloudTrail. Each AWS service has a fourth-level table.

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. If you have an AWS organization, create a trail for the organization. Otherwise, create a trail for an AWS account. “Quick create” is not recommended.


    2. Name the trail Devo.

    3. Edit the trail.

    4. Use the existing bucket created in Step 1.


    5. Disable SSE-KMS. If you require SSE-KMS, the key resource must be added to the cross-account role you created for Devo.

    6. On the next screen, enable events.

      1. Management events are supported by Devo and recommended for detection of unauthorized changes to AWS resources.

      2. Data events are supported by Devo and recommended for detection of unauthorized access or modification of resources, including S3 data (cloud.aws.cloudtrail.s3) and SNS notifications (cloud.aws.cloudtrail.sns).

      3. Insights events are supported by Devo and are recommended for detecting malicious API activity and API service degradation problems (cloud.aws.cloudtrail.insights).

    7. Create the trail.

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameter template, replacing the values enclosed in < >.

Code Block
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "<SERVICE_NAME>": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Combine the CloudTrail service with the GuardDuty service to get threat intelligence from AWS.

The data is in the cloud.aws.cloudtrail.* tables. The fourth level of the tag is the AWS service.

Devo Exchange has a comprehensive content pack which will help you use CloudTrail to secure AWS.

S3 Storage

Code Block
//Investigating unauthorized deletion
//Determine number of resources deleted by each host
//A host with an unusual number of deletions may be compromised
from cloud.aws.cloudtrail.s3
  where eventName = "DeleteObject"
  group by requestParameters_Host
  select collectdistinct(jqeval(jqcompile(".[0].ARN"),resources)) as resources,
  length(resources) as number_deleted


IAM Access

Code Block
/*
A compromised Kubernetes principal has been taking action in 
AWS Identity and Access Management.  Get a list of the actions taken.
*/

from cloud.aws.cloudtrail.iam
  where userIdentity_principalId = "EXAMPLE:EKS"
  group by eventName

...

KMS Cryptography

Code Block
/* 
Check for unauthorized principals that have used decryption.  
Determine their identity types and if they have used a root identity.
*/

from cloud.aws.cloudtrail.kms
  where eventName = "Decrypt"
  group by userIdentity_principalId
  select collectdistinct(userIdentity_type) as userIdentity_types,
  `in`("Root",userIdentity_types) as is_root

...

EC2 Compute

Code Block
/*
Yesterday, some compute principals were 
removed without authorization.  Determine which
compute principals stopped generating logs,
so they can be investigated to see if they were attacked.
*/

from cloud.aws.cloudtrail.ec2
  group by userIdentity_principalId
  select last(eventdate) as last_seen
  where last_seen > today() - 1d and last_seen < today()

...

CloudTrail

Code Block
/*
A malicious user has disabled CloudTrail 
to hide their subsequent activity.
Identify the user.
*/

from cloud.aws.cloudtrail.cloudtrail
  where eventName = "StopLogging"

...
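The following Python is an added example, not code from this page or from Devo's collector: it re-implements the S3, KMS and CloudTrail queries above over a constructed batch of CloudTrail records, so a practitioner can see which raw record fields the flattened Devo columns (requestParameters_Host, userIdentity_principalId, userIdentity_type, resources) are derived from. All record values, ARNs and the account id are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample records, in the shape of the "Records" array CloudTrail
# delivers to S3; the account id, ARNs and key id are placeholders.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE"},
     "requestParameters": {"Host": "bucket-a.s3.amazonaws.com", "key": "a.txt"},
     "resources": [{"ARN": "arn:aws:s3:::bucket-a/a.txt"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE"},
     "requestParameters": {"Host": "bucket-a.s3.amazonaws.com", "key": "b.txt"},
     "resources": [{"ARN": "arn:aws:s3:::bucket-a/b.txt"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "Root", "principalId": "123456789012"},
     "requestParameters": {},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"}]},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE",
                      "arn": "arn:aws:iam::123456789012:user/example-user"},
     "requestParameters": {"name": "Devo"}, "resources": []},
]

def deleted_objects_by_host(records):
    """S3 query: count of distinct deleted ARNs per requestParameters.Host
    (flattened by Devo to requestParameters_Host); jq ".[0].ARN" is resources[0]."""
    per_host = defaultdict(set)
    for r in records:
        if r.get("eventName") == "DeleteObject":
            host = r.get("requestParameters", {}).get("Host", "unknown")
            resources = r.get("resources") or []   # may be absent or empty
            if resources:
                per_host[host].add(resources[0]["ARN"])
    return {host: len(arns) for host, arns in per_host.items()}

def decrypt_identity_types(records):
    """KMS query: identity types per principal and whether Root was used."""
    types = defaultdict(set)
    for r in records:
        if r.get("eventName") == "Decrypt":
            types[r["userIdentity"]["principalId"]].add(r["userIdentity"]["type"])
    return {p: {"types": sorted(t), "is_root": "Root" in t} for p, t in types.items()}

def stop_logging_actors(records):
    """CloudTrail query: who issued StopLogging and which trail was stopped."""
    return [(r["userIdentity"].get("arn", r["userIdentity"]["principalId"]),
             r.get("requestParameters", {}).get("name"))
            for r in records if r.get("eventName") == "StopLogging"]
```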

Monitor It

Create an inactivity alert to detect interruptions of the transfer of data from the source to the SQS queue using the query

...