Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Version History

« Previous Version 2 Next »

Purpose

An analyst wants to detect malicious behavior in requests to the content delivery network.  Using the CloudFront SQS collector to send request logs to Devo, the analyst will find DDoS attempts.  As a result, the analyst will scale web services, preventing them from failing.

Example tables

Table

Description

cloud.aws.cloudfront.web_1

CloudFront content delivery network activity

web.all.access

All web activity logs

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Update or create a CloudFront Distribution.

    2. Turn log delivery on.

    3. Enable cookie logging so that cookie poisoning attacks can be investigated.

    4. Select Amazon S3 as the delivery method.

    5. Enter the destination bucket created in Step 1.

    6. Devo requires that the default 33 fields be selected.

    7. Devo does not require partitioning.

    8. Select “Plain text” format.

    9. Select “\t” field delimiters.

      image-20250124-183754.png

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_control_tower": {}
      },
      "credentials": {
              "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
              "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

CloudFront logs work with these Exchange Activeboards:

Devo provides compatible alert packs:

Access from unexpected location

/* 
Get a list of edge locations where CloudFront was accessed
to search for access from geographies that should not be using 
the application.
*/
from cloud.aws.cloudfront.web_1 group by x_edge_location

Malicious redirect created

/*
Get a list of redirects to check if a malicious person is
directing users to phishing.
*/
from cloud.aws.cloudfront.web_1 
where eq(x_edge_result_type,"Redirect"),
toktains(cs_uri_stem,"login")//redirect to phishing login page
group by cs_Host, cs_uri_stem

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

from cloud.aws.cloudfront.web_1 
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.

  • No labels