
Purpose

An analyst wants to detect <adjective> behavior in <data source>. Using the <name> SQS collector to send <type> to Devo, the analyst will find <outcome>. As a result, the analyst will <verb> the <entity>, preventing them from <tactic>.

Example tables

Table                         Description
cloud.aws.cloudfront.web_1    Content delivery network activity

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Update or create a CloudFront Distribution.

    2. Turn log delivery on.

    3. Enable cookie logging so that cookie poisoning attacks can be investigated.

    4. Select Amazon S3 as the delivery method.

    5. Enter the destination bucket created in Step 1.

    6. Devo requires that the default 33 fields be selected.

    7. Devo does not require partitioning.

    8. Select “Plain text” format.

    9. Select “\t” as the field delimiter.


Run It

In the Cloud Collector App, create an SQS Collector instance using the parameter template below, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_control_tower": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the following query:

from cloud.aws.cloudfront.web_1
where toktains(hostchain,"collector-")
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.
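The following Python is an added illustration, not part of the Devo documentation or the collector, of the check the inactivity alert performs on that query: it filters events to those whose hostchain carries the "collector-" token, derives collector_id as the token after it, and reports every collector whose most recent event is older than a chosen window. The sample events and the hostchain layout (collector-<id>-<relay>) are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample events: (event time in ISO 8601, hostchain).
# The hostchain layout "collector-<id>-<relay>" is an assumption for this example.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("2025-01-24T18:00:00", "collector-12345-relay01"),
    ("2025-01-24T18:05:00", "collector-12345-relay01"),
    ("2025-01-24T18:30:00", "collector-12345-relay01"),
    ("2025-01-24T17:10:00", "collector-67890-relay02"),
    ("2025-01-24T18:20:00", "relay03"),  # no "collector-" token: dropped by the where clause
]


def collector_id(hostchain: str) -> Optional[str]:
    """Mirror the query literally: toktains(hostchain, "collector-") as a
    substring test, then split(hostchain, "-", 1) as the token after the
    first dash. Returns None for rows the where clause would discard."""
    if "collector-" not in hostchain:
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 and parts[1] else None


def last_seen(events: List[Tuple[str, str]]) -> Dict[str, datetime]:
    """Latest event time per collector_id, the state an inactivity alert keeps."""
    seen: Dict[str, datetime] = {}
    for ts, hostchain in events:
        cid = collector_id(hostchain)
        if cid is None:
            continue
        t = datetime.fromisoformat(ts)
        if cid not in seen or t > seen[cid]:
            seen[cid] = t
    return seen


def inactive_collectors(events: List[Tuple[str, str]], now: datetime,
                        window: timedelta) -> List[str]:
    """collector_ids whose last event is older than `window` at time `now`.
    Silence here means CloudFront delivery to S3, the SQS notification, or the
    collector itself has stopped; each should be checked in that order."""
    return sorted(cid for cid, t in last_seen(events).items() if now - t > window)


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-01-24T19:00:00")
    print(inactive_collectors(SAMPLE_EVENTS, now, timedelta(minutes=45)))  # ['67890']
```

The window should be longer than the normal gap between CloudFront log deliveries for the distribution, otherwise the alert fires on quiet periods rather than on outages.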
