Purpose
An analyst wants to detect malicious network traffic in web applications. Using the WAF ACL SQS collector to send firewall logs to Devo, the analyst can find malicious IP activity and then use Access Control Lists to block that traffic, preventing attackers from carrying out attacks such as cross-site scripting.
Devo recommends also logging AWS WAF actions using the CloudTrail SQS Collector.
Example tables
Table | Description |
---|---|
cloud.aws.waf.logs | Firewall logs from the AWS WAF web ACL, delivered through the SQS collector |
Authorize It
Authorize SQS Data Access.
For this service, the S3 bucket name must start with aws-waf-logs-.
In WAF, select a Web ACL.
Select “Logging” and “Enable.”
Set the destination to the S3 bucket previously authorized.
Run It
In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.
{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "<SERVICE_NAME>": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}
Secure It
IP Evading Reputation Block List
/* It has been determined that a particular IP is malicious. Check whether the IP has contacted the firewall, whether it was allowed, whether it was on Amazon's reputation list, and which terminating rules blocked the IP. If the reputation list did not terminate the request, the rules need improvement. */
from cloud.aws.waf.logs
where eq(httpRequest_clientIp, 233.252.0.0) // example IP
group by action, eq(terminatingRuleId, "AWS-AWSManagedRulesAmazonIpReputationList") as on_reputation_list
select collectdistinct(ruleGroupList_terminatingRule_ruleId_str) as terminating_rules
Malicious WAF Rule Created
/* A malicious user has gained access to the WAF configuration and created a rule that blocks critical traffic. Identify new rules that are blocking a lot of traffic so they can be removed. */
from cloud.aws.waf.logs
where eq(action, "BLOCK")
group by terminatingRuleId
select count() as requests_blocked, first(eventdate) as rule_started
where rule_started > today() - 7d // recently created rule
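Both queries above can be checked offline before they are turned into alerts. The following Python script is an added example, not part of the Devo page or of the collector: it rebuilds the logic of the "IP Evading Reputation Block List" and "Malicious WAF Rule Created" queries over a constructed AWS WAF log sample. Field names follow the AWS WAF log record layout (httpRequest.clientIp, action, terminatingRuleId, ruleGroupList[].terminatingRule.ruleId, timestamp), which Devo flattens into httpRequest_clientIp and similar names; the record timestamp stands in for Devo's eventdate, and the sample records, the hypothetical "block-everything" rule and the NOW value are constructed test data.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REPUTATION_RULE = "AWS-AWSManagedRulesAmazonIpReputationList"
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def _ms(dt):
    """AWS WAF logs carry the request time as epoch milliseconds."""
    return int(dt.timestamp() * 1000)


def _group(group_id, rule_id):
    """One ruleGroupList entry; terminatingRule is null when the group did not terminate."""
    terminating = {"ruleId": rule_id, "action": "BLOCK"} if rule_id else None
    return {"ruleGroupId": group_id, "terminatingRule": terminating}


def _record(dt, ip, action, rule, groups=(), uri="/"):
    """Constructed WAF record carrying only the fields the two checks read."""
    return {"timestamp": _ms(dt), "action": action, "terminatingRuleId": rule,
            "ruleGroupList": [_group(g, r) for g, r in groups],
            "httpRequest": {"clientIp": ip, "uri": uri}}


# Constructed sample log, one JSON object per line as AWS WAF delivers it.
# 233.252.0.0 is the "known malicious" IP under investigation; "block-everything"
# is a hypothetical rule added three hours ago that is blocking every client.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record(NOW - timedelta(days=25), "233.252.0.0", "ALLOW", "Default_Action"),
    _record(NOW - timedelta(days=20), "233.252.0.0", "BLOCK", REPUTATION_RULE,
            [("AWS#AWSManagedRulesAmazonIpReputationList", "AWSManagedIPReputationList")]),
    _record(NOW - timedelta(days=1), "233.252.0.0", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet",
            [("AWS#AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS")], uri="/api/login"),
    _record(NOW - timedelta(days=30), "198.51.100.5", "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet",
            [("AWS#AWSManagedRulesSQLiRuleSet", "SQLi_BODY")]),
    _record(NOW - timedelta(hours=3), "203.0.113.7", "BLOCK", "block-everything"),
    _record(NOW - timedelta(hours=2), "203.0.113.8", "BLOCK", "block-everything"),
    _record(NOW - timedelta(hours=1), "203.0.113.9", "BLOCK", "block-everything"),
])


def parse_waf_log(text):
    """Parse newline-delimited WAF JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ip_rule_report(records, ip):
    """'IP Evading Reputation Block List': for one client IP, group by
    (action, terminated by the IP reputation list?) and collect the distinct
    rule IDs that terminated the request inside managed rule groups."""
    report = defaultdict(set)
    for rec in records:
        if rec["httpRequest"]["clientIp"] != ip:
            continue
        key = (rec["action"], rec["terminatingRuleId"] == REPUTATION_RULE)
        rules = report[key]  # touching the key keeps groups with no rule-group hit
        for grp in rec.get("ruleGroupList", []):
            if grp.get("terminatingRule"):
                rules.add(grp["terminatingRule"]["ruleId"])
    return {key: sorted(rules) for key, rules in report.items()}


def recent_blocking_rules(records, now=NOW, days=7):
    """'Malicious WAF Rule Created': count BLOCK decisions per terminating rule
    and keep only rules whose first block falls inside the last `days` days."""
    blocked, first_seen = defaultdict(int), {}
    for rec in records:
        if rec["action"] != "BLOCK":
            continue
        rule = rec["terminatingRuleId"]
        seen = datetime.fromtimestamp(rec["timestamp"] / 1000, tz=timezone.utc)
        blocked[rule] += 1
        first_seen[rule] = min(first_seen.get(rule, seen), seen)
    cutoff = now - timedelta(days=days)
    return {rule: (blocked[rule], first_seen[rule])
            for rule in blocked if first_seen[rule] > cutoff}


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    for key, rules in ip_rule_report(recs, "233.252.0.0").items():
        print("action=%s on_reputation_list=%s terminating_rules=%s" % (*key, rules))
    for rule, (count, started) in recent_blocking_rules(recs).items():
        print("rule=%s requests_blocked=%d rule_started=%s" % (rule, count, started))
```

On the sample, the IP report shows the investigated address being allowed by the default action, blocked once by the reputation list and blocked once by the SQLi rule set, which is the "reputation list did not terminate every request" case the query is looking for. The long-standing SQLi rule set drops out of the recent-rules report because its first block predates the seven-day window, leaving only the rule created three hours ago.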
Monitor It
Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the query
from cloud.aws.waf.logs
where toktains(hostchain, "collector-")
select split(hostchain, "-", 1) as collector_id
Set the inactivity alert to keep track of the collector_id.
If protection of a particular URI is very important, it can be monitored individually for inactivity.
// An alert is required if logging of requests to this important API stops.
from cloud.aws.waf.logs
where startswith(httpRequest_uri, "/api/")
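The inactivity condition behind that alert can be evaluated offline as well. The script below is an added example, not part of the Devo page: it applies the same URI-prefix filter to constructed AWS WAF records and reports a prefix as inactive when its newest request is older than the allowed gap, treating a prefix that never appears at all as inactive rather than as "nothing to report". Field names follow the AWS WAF log layout; the NOW value, the one-hour gap and the sample requests are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


def _ms(dt):
    """AWS WAF logs carry the request time as epoch milliseconds."""
    return int(dt.timestamp() * 1000)


# Constructed sample: the last request under /api/ was logged 90 minutes ago,
# while static content is still being logged normally.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": _ms(NOW - timedelta(hours=3)), "action": "ALLOW",
     "httpRequest": {"clientIp": "198.51.100.20", "uri": "/api/login"}},
    {"timestamp": _ms(NOW - timedelta(minutes=90)), "action": "ALLOW",
     "httpRequest": {"clientIp": "198.51.100.21", "uri": "/api/orders"}},
    {"timestamp": _ms(NOW - timedelta(minutes=5)), "action": "ALLOW",
     "httpRequest": {"clientIp": "198.51.100.22", "uri": "/static/logo.png"}},
])


def parse_waf_log(text):
    """Parse newline-delimited WAF JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def last_seen(records, uri_prefix):
    """Time of the newest record whose URI starts with uri_prefix (the Python
    counterpart of `where startswith(httpRequest_uri, ...)`), or None."""
    stamps = [r["timestamp"] for r in records
              if r["httpRequest"]["uri"].startswith(uri_prefix)]
    if not stamps:
        return None
    return datetime.fromtimestamp(max(stamps) / 1000, tz=timezone.utc)


def inactivity_alert(records, uri_prefix, now=NOW, max_gap=timedelta(hours=1)):
    """True when no request for uri_prefix was logged within max_gap before now.
    Silence is exactly the condition the alert exists to catch, so a prefix
    that never appears is reported as inactive too."""
    seen = last_seen(records, uri_prefix)
    return seen is None or now - seen > max_gap


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    for prefix in ("/api/", "/static/", "/admin/"):
        print(prefix, "last seen:", last_seen(recs, prefix),
              "ALERT" if inactivity_alert(recs, prefix) else "ok")
```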