
Purpose

An analyst wants to detect <adjective> behavior in <data source>. Using the <name> SQS collector, the analyst will find <outcome>. As a result, the analyst will <verb> the <entity>, preventing them from <tactic>.

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. If you have an AWS organization, create a trail for the organization. Otherwise, create a trail for an AWS account.

      [image: image-20250115-154932.png]
    2. Name the trail Devo.

    3. Use the existing bucket created in Step 1.

    4. Disable SSE-KMS. If you require SSE-KMS, the key resource must be added to the cross-account role you created for Devo.

Run It

In the Cloud Collector App, create an SQS Collector instance using the following parameters template, replacing the values enclosed in < >.

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "services": {
      "SERVICE_NAME": {}
    },
    "sqs_collector": {
      "id": "12345",
      "enabled": true,
      "credentials": {
        "aws_base_account_role": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role",
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}
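The template above is only as good as the values substituted into it, and a mismatch between the cross-account role's partition, the region and the queue URL is easy to miss. The following added check (not part of the page or of the Devo collector; placeholder names and the sample account numbers are constructed) renders the template and reports leftover placeholders and inconsistencies before the instance is created.

```python
import json
import re

# Parameters template as given on the page, placeholders left in place.
TEMPLATE = """{
  "global_overrides": {"debug": false},
  "inputs": {
    "services": {"SERVICE_NAME": {}},
    "sqs_collector": {
      "id": "12345",
      "enabled": true,
      "credentials": {
        "aws_base_account_role": "arn:aws:iam::837131528613:role/devo-xaccount-cs-role",
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}"""

PLACEHOLDER = re.compile(r"<([A-Z_]+)>")


def render(template: str, values: dict) -> str:
    """Substitute every <NAME> placeholder; names missing from `values` stay so check() can flag them."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def partition_for_region(region: str) -> str:
    """AWS partition implied by a region name (assumption: standard AWS naming)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def check(rendered: str) -> list:
    """Return a list of problems found in the rendered parameters; empty means consistent."""
    problems = []
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        problems.append("unreplaced placeholders: " + ", ".join(leftover))
        return problems
    try:
        cfg = json.loads(rendered)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e}"]
    sqs = cfg["inputs"]["sqs_collector"]
    region = sqs["region"]
    role = sqs["credentials"]["aws_cross_account_role"]
    url = sqs["base_url"]
    m = re.fullmatch(r"arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/[\w+=,.@/-]+", role)
    if not m:
        problems.append("aws_cross_account_role is not a well-formed IAM role ARN")
    else:
        partition, account = m.groups()
        if partition != partition_for_region(region):
            problems.append(f"partition {partition} does not match region {region}")
        # The queue URL must live in the same region and account as the role Devo assumes.
        if not url.startswith(f"https://sqs.{region}.amazonaws.com/{account}/"):
            problems.append("base_url does not match the region/account in the cross-account role")
    if not sqs["enabled"]:
        problems.append("collector is disabled")
    return problems


if __name__ == "__main__":
    filled = render(TEMPLATE, {"PARTITION": "aws", "YOUR_AWS_ACCOUNT_NUMBER": "123456789012",
                               "YOUR_ROLE": "devo-xaccount-role", "REGION": "us-east-1",
                               "QUEUE_NAME": "devo-cloudtrail-queue"})  # constructed values
    print(check(filled) or "parameters look consistent")
```

Run `check()` on the rendered JSON before pasting it into the Cloud Collector App; an empty list means every placeholder was replaced and the partition, region, account and queue URL agree with each other.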

Secure It

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the query:

from TABLE
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.
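To make the behaviour of that alert concrete, here is an added model of it in Python (not Devo code and not from the page): it applies the query's filter and projection to a few constructed events and reports which collector_id values have been silent longer than a threshold. It assumes the hostchain for a collector is a single token of the form "collector-<id>", so that split(hostchain,"-",1) returns the id, and approximates toktains as "some whitespace-delimited token contains the string".

```python
from datetime import datetime, timedelta

# Constructed sample events (eventdate, hostchain); not taken from a real Devo table.
SAMPLE_EVENTS = [
    ("2025-01-15T15:00:00", "collector-12345"),
    ("2025-01-15T15:20:00", "collector-12345"),
    ("2025-01-15T15:05:00", "collector-67890"),
    ("2025-01-15T15:02:00", "relay-1"),  # no "collector-" token: dropped by the where clause
]


def toktains(hostchain: str, needle: str) -> bool:
    """Approximation of the query's toktains(): does any token of hostchain contain needle."""
    return any(needle in tok for tok in hostchain.split())


def collector_id(hostchain: str) -> str:
    """Equivalent of split(hostchain,"-",1): the second dash-separated field."""
    return hostchain.split("-")[1]


def select_collector_ids(events):
    """The page's query over a list of events: filter on toktains, project collector_id."""
    return [(ts, collector_id(hc)) for ts, hc in events if toktains(hc, "collector-")]


def inactive_collectors(events, now: datetime, max_silence: timedelta) -> list:
    """Ids the inactivity alert would fire on: no event newer than now - max_silence."""
    last_seen = {}
    for ts, cid in select_collector_ids(events):
        t = datetime.fromisoformat(ts)
        if cid not in last_seen or t > last_seen[cid]:
            last_seen[cid] = t
    return sorted(cid for cid, t in last_seen.items() if now - t > max_silence)


if __name__ == "__main__":
    now = datetime(2025, 1, 15, 15, 30)  # constructed "current time"
    print(inactive_collectors(SAMPLE_EVENTS, now, timedelta(minutes=15)))
```

The real alert is configured in Devo and tracks collector_id for you; the value of the model is to show why the query must yield one stable id per collector: an id that changes between events would never be seen as silent.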
