Purpose
An analyst wants to detect <adjective> behavior in <data source>. Using the <name> SQS collector, the analyst will find <outcome>. As a result, the analyst will <verb> the <entity>, preventing them from <tactic>.
Authorize It
Authorize SQS Data Access.
If you have an AWS organization, create a trail for the organization. Otherwise, create a trail for an AWS account. “Quick create” is not recommended.
Name the trail Devo. Edit the trail.
Use the existing bucket created in Step 1.
Disable SSE-KMS. If you require SSE-KMS, the KMS key resource must be added to the cross-account role you created for Devo, otherwise the collector cannot decrypt the log objects.
On the next screen, enable events.
Management events are supported by Devo and recommended for detection of unauthorized changes to AWS resources.
Data events are supported by Devo and recommended for detection of unauthorized access or modification of resources, including S3 data (cloud.aws.cloudtrail.s3) and SNS notifications (cloud.aws.cloudtrail.sns).
Insights events are supported by Devo and are recommended for detecting malicious API activity and API service degradation problems (cloud.aws.cloudtrail.insights).
Create the trail.
Run It
In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "<SERVICE_NAME>": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}
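Several fields in the template have to agree with each other: the account number appears in both the role ARN and the queue URL, the ARN partition must match the region (aws-cn for cn-* regions, aws-us-gov for us-gov-* regions, aws otherwise), the id must be five digits, and the external id must not be left as a placeholder. The following is an added example, not code from the Devo documentation or product, that checks a filled-in template for these consistency errors before you paste it into the Cloud Collector App. The service name "cloudtrail" and the constructed GOOD_PARAMS/BAD_PARAMS dictionaries are assumptions for illustration only.

```python
import re

# Added example (not Devo code): sanity-check a filled-in SQS collector
# parameters template. The rules below are assumptions about how the
# fields must agree; they are not taken from the Devo documentation.

ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):role/(?P<role>[\w+=,.@/-]+)$"
)
QUEUE_URL_RE = re.compile(
    r"^https://sqs\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(?:\.cn)?/(?P<account>\d{12})/(?P<queue>[\w-]+)$"
)


def expected_partition(region: str) -> str:
    """Map a region prefix to the AWS partition its ARNs must use."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def check_sqs_collector_params(params: dict) -> list:
    """Return a list of problems found in the template; an empty list means it looks consistent."""
    problems = []
    try:
        sc = params["inputs"]["sqs_collector"]
    except (KeyError, TypeError):
        return ["missing inputs.sqs_collector section"]

    if not re.fullmatch(r"\d{5}", str(sc.get("id", ""))):
        problems.append("id must be exactly five digits")

    services = sc.get("services") or {}
    if not services or any(str(s).startswith("<") for s in services):
        problems.append("services must name at least one service (placeholder still present)")

    creds = sc.get("credentials") or {}
    role = ROLE_ARN_RE.match(str(creds.get("aws_cross_account_role") or ""))
    if not role:
        problems.append("aws_cross_account_role is not a well-formed IAM role ARN")

    ext = str(creds.get("aws_external_id") or "")
    if not ext or ext.startswith("<"):
        problems.append("aws_external_id must be set; it is the condition the role trust policy should require")

    region = str(sc.get("region") or "")
    queue = QUEUE_URL_RE.match(str(sc.get("base_url") or ""))
    if not queue:
        problems.append("base_url is not a well-formed SQS queue URL")

    if role and queue:
        if role["account"] != queue["account"]:
            problems.append("account number differs between role ARN and queue URL")
        if queue["region"] != region:
            problems.append(f"region {region!r} does not match queue URL region {queue['region']!r}")
        if role["partition"] != expected_partition(region):
            problems.append(f"partition {role['partition']!r} does not match region {region!r}")
    return problems


# Constructed sample input (assumed service name and values, not real resources).
GOOD_PARAMS = {"inputs": {"sqs_collector": {
    "id": "12345",
    "services": {"cloudtrail": {}},
    "credentials": {
        "aws_cross_account_role": "arn:aws:iam::123456789012:role/DevoCollectorRole",
        "aws_external_id": "devo-example-external-id",
    },
    "region": "us-east-1",
    "base_url": "https://sqs.us-east-1.amazonaws.com/123456789012/devo-cloudtrail-queue",
}}}

# Constructed broken input: four-digit id, placeholder external id, wrong
# partition for the region, and a different account in the queue URL.
BAD_PARAMS = {"inputs": {"sqs_collector": {
    "id": "1234",
    "services": {"cloudtrail": {}},
    "credentials": {
        "aws_cross_account_role": "arn:aws-cn:iam::123456789012:role/DevoCollectorRole",
        "aws_external_id": "<EXTERNAL_ID>",
    },
    "region": "us-east-1",
    "base_url": "https://sqs.us-east-1.amazonaws.com/210987654321/devo-queue",
}}}

if __name__ == "__main__":
    for name, p in (("GOOD_PARAMS", GOOD_PARAMS), ("BAD_PARAMS", BAD_PARAMS)):
        print(name, check_sqs_collector_params(p) or "OK")
```

Run the file directly to see the report for both samples; a template that passes these checks can still fail at collection time if the role's trust policy does not allow Devo to assume it with that external id, so treat the check as a pre-flight, not proof of access.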
Secure It
Monitor It
Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the query
from TABLE where toktains(hostchain,"collector-") select split(hostchain,"-",1) as collector_id
Set the inactivity alert to keep track of collector_id, so that each collector instance is monitored separately and one active collector does not mask another that has stopped delivering.
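To make the alert logic concrete, the following is an added example, not part of the Devo documentation, that runs the same extraction offline over constructed sample events: it keeps only events whose hostchain carries a "collector-" token, takes the second "-"-separated element as collector_id (what split(hostchain,"-",1) does in the query), records the latest event time per collector_id, and reports any collector silent for longer than the inactivity threshold. The hostchain format "collector-<id>-<suffix>", the event timestamps, the 15-minute threshold and the substring check standing in for toktains are all assumptions.

```python
from datetime import datetime, timedelta

# Added example (not Devo code): the inactivity alert logic, keyed on
# collector_id, run over constructed sample events.
# Assumption: hostchain contains a token "collector-<id>", so index 1 of
# hostchain.split("-") is the collector id.

SAMPLE_EVENTS = [  # constructed: (eventdate ISO-8601, hostchain)
    ("2024-05-01T10:00:00", "collector-12345-us-east-1"),
    ("2024-05-01T10:05:00", "collector-12345-us-east-1"),
    ("2024-05-01T10:00:00", "collector-67890-eu-west-1"),
    ("2024-05-01T10:20:00", "collector-12345-us-east-1"),
    ("2024-05-01T10:03:00", "webserver-01"),  # not a collector, must be ignored
]

NOW = datetime(2024, 5, 1, 10, 30)      # assumed evaluation time of the alert
THRESHOLD = timedelta(minutes=15)      # assumed inactivity window


def collector_id(hostchain: str):
    """Mirror of: where toktains(hostchain,"collector-") select split(hostchain,"-",1).

    The substring test approximates toktains; returns None for non-matching hosts.
    """
    if "collector-" not in hostchain:
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 and parts[1] else None


def last_seen_per_collector(events) -> dict:
    """Latest event time observed for each collector_id."""
    seen = {}
    for ts, hostchain in events:
        cid = collector_id(hostchain)
        if cid is None:
            continue
        t = datetime.fromisoformat(ts)
        if cid not in seen or t > seen[cid]:
            seen[cid] = t
    return seen


def inactive_collectors(events, now: datetime, threshold: timedelta) -> list:
    """collector_ids whose most recent event is older than the threshold."""
    seen = last_seen_per_collector(events)
    return sorted(cid for cid, t in seen.items() if now - t > threshold)


def example() -> list:
    """Evaluate the alert over the constructed sample at the assumed time."""
    return inactive_collectors(SAMPLE_EVENTS, NOW, THRESHOLD)


if __name__ == "__main__":
    print("last seen:", last_seen_per_collector(SAMPLE_EVENTS))
    print("inactive:", example())
```

With the sample data, collector 12345 was last seen 10 minutes before NOW and stays quiet, while 67890 has been silent for 30 minutes and is reported; a single-key alert over the whole table would have missed it because 12345 kept the table active.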