Global Intelligence for AWS CloudTrail SecOps
The Global Intelligence for AWS CloudTrail App enables you to detect potentially malicious configuration changes in your AWS account by comparing AWS CloudTrail events in your account against a cohort of AWS customers. CloudTrail events are curated from AWS penetration tests and operational best practices.
This application name is abbreviated to GI CloudTrail on these documentation pages, as well as in the application pages.
The App dashboard displays enable you to determine the following:
- How your attack surface compares to your peers
- MITRE Attack Framework tactics that are evident in your organization compared to your peers. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
- Resources that are impacted
- An action plan to improve security posture in your AWS infrastructure
The current scope of this application includes the following AWS services and associated resource types:
- Amazon EC2: count of compute instances, security groups, route tables and Amazon Machine Images
- Amazon S3: count of buckets
- Amazon RDS: count of database instances, DB security groups
- Amazon Redshift: count of database clusters and parameter groups
- AWS Lambda: count of function names
- AWS IAM: count of IAM users, roles and groups
- AWS CloudTrail: counts of trail instances
Prerequisites
This feature is available in the following account plans.
| Account Type | Account level |
|---|---|
| Cloud Flex | Trial, Enterprise |
| Cloud Flex Credits | Trial, Enterprise Suite, Enterprise Security |
Log types
Global Intelligence for AWS CloudTrail App uses AWS CloudTrail logs.
When this app is initially installed, the dashboards appear with empty panels until scheduled searches are run and the indices are populated.
Important Notes
This application relies on 45 Scheduled Searches that Save to two different Indexes and one Lookup Table. As a result, they will consume the related quotas for your account.
View the list of Scheduled Searches (click to expand)
| Folder | Scheduled Search Name (prefixed with gis_benchmarks) | Description |
| Attack Surface Queries | Attack Surface: Create,Delete,Update | A total number of create, update and delete eventNames during a time period. This represents the velocity dimension for cohorting. |
| Attack Surface Queries | Attack Surface: EC2,Redshift,S3 | A total number of EC2, Redshift, and S3 resources during a time period. This represents the volume dimension for cohorting. |
| Attack Surface Queries | Attack Surface: IAM,KMS,Lambda,RDS | A total number of IAM, KMS, Lambda, and RDS resources during a time period. This represents the volume dimension for cohorting. |
| Attack Surface Queries | Attack Surface: Service | A total number of distinct AWS services in use during a time period. This represents the variety dimension for cohorting. |
| Event Priority Computation Query | Event_Priority_Computation | Compute event priority and saves to a file called "/shared/CloudTrailGIS/EventPriority". |
| Event Resource Count Queries | CloudTrail_DisableEvents,EncryptWithNewKey_CountEventResources | Counts the number of trails affected by signals related to disabling trails or encrypting them with a new key. |
| Event Resource Count Queries | EC2_AuthorizeSecurityGroupIngressToPublic_CountEventResources | Counts the number of EC2 security groups affected by signals related to allowing public ingress. |
| Event Resource Count Queries | EC2_DescribeInstanceUserData_CountEventResources | Counts the number of EC2 instances affected by signals describing EC2 instance metadata. |
| Event Resource Count Queries | EC2_DisableTerminationProtectionOrListInstances_CountEventResources | Counts the number of EC2 instances affected by signals describing EC2 instances or disabling Termination Protection. |
| Event Resource Count Queries | EC2_ListSecurityGroups_ListImage_CountEventResources | Counts the number of resources affected by signals describing EC2 security groups or describing AMIs. |
| Event Resource Count Queries | EC2_TrafficMirroringOrDescribeRouteTables_CountEventResources | Counts the number of resources affected by signals describing route tables or traffic mirroring. |
| Event Resource Count Queries | IAM_AddUserToGroup,CompromisedUserOrKeys_CountEventResources | Counts the number of IAM resources affected by signals related to compromised credentials or group membership changes. |
| Event Resource Count Queries | IAM_AttachPutRoleOrGroupOrUserPolicy_CountEventResources | Counts the number of IAM resources affected by signals related to IAM policy assignment. |
| Event Resource Count Queries | IAM_ConsoleLoginsOrNoMfa_CountEventResources | Count of IAM resources affected by console logins with and without multi-factor authentication. |
| Event Resource Count Queries | IAM_CreateUpdatePolicy_CountEventResources | Counts the number of IAM resources affected by signals related to IAM policy changes. |
| Event Resource Count Queries | IAM_TooManyAccessDenied_CountEventResources | Counts IAM resources affected by access denied errors. |
| Event Resource Count Queries | IAM_UpdateAssumeRolePolicy_CountEventResources | Counts IAM resources affected by IAM Assume Role policy changes. |
| Event Resource Count Queries | Lambda_ExcessPermissions_CountEventResources | Counts Lambda resources related to privileged use of functions. |
| Event Resource Count Queries | Lambda_InteractWithIam_CountEventResources | Counts Lambda resources that interact with IAM for any reason. |
| Event Resource Count Queries | RDS_ModifySecurityGroup_CountEventResources | Counts RDS resources affected by security group changes. |
| Event Resource Count Queries | RDS_ModifyingAdminPwd,RestoreFromBackup_CountEventResources | Counts RDS resources affected by modifying admin password or restores from backup. |
| Event Resource Count Queries | Redshift_DisableEncryption,DisableAccessLogging_CountEventResources | Counts Redshift resources affected by disabling encryption or Access Logging signals. |
| Event Resource Count Queries | Redshift_DisableSSL_CountEventResources | Counts Redshift resources affected by disabling SSL. |
| Event Resource Count Queries | S3_AccessDeniedOrBucketConfigChecksFromPublicIp_CountEventResources | Counts S3 buckets affected by access denied errors or configuration checks from public IP addresses. |
| Event Resource Count Queries | S3_CrudBucketsFromPublicIp_CountEventResources | Counts S3 buckets affected by Create, Update or Delete actions from public IP addresses. |
| Event Resource Count Queries | S3_DisableMfaDeleteOrBucketVersionioningOrAccessLogging_CountEventResources | Counts S3 buckets affected by disabling MFA delete, bucket versioning or access logging. |
| Event Resource Count Queries | S3_EnablePublicAccess_CountEventResources | Counts S3 buckets affected by public ingress risk. |
| Notable Event Count Queries | Aggregate_Event_Count_to_Main_Index | Merge results of many scheduled searches into a single index. |
| Notable Event Count Queries | CloudTrail_DisableGlobalEventsOrDisableLogOrEncryptWithNewKey | Counts the number of events related to disabling trail configurations or encrypting them with a new key. |
| Notable Event Count Queries | CloudTrail_DisableTrails | Counts the number of events related to disabling trails. |
| Notable Event Count Queries | EC2_DescribeInstanceUserData | Counts the number of events related to describing EC2 instance metadata. |
| Notable Event Count Queries | EC2_Events | Counts events related to DisableTerminationProtection, DescribeRouteTables, AuthorizeSecurityGroupIngressToPublic, ListAMIs, ListInstances, ListSecurityGroups, TrafficMirroring. |
| Notable Event Count Queries | IAM_ConsoleLoginsNoMfa | Count of console logins without multi-factor authentication. |
| Notable Event Count Queries | IAM_Events | Counts IAM events related to AttachPutUserPolicy, AttachPutRolePolicy, AttachPutGroupPolicy, AddUserToGroup, CompromisedUserOrKeys, CreateUpdatePolicy, ConsoleLoginFailureWithHiddenResponse, ConsoleLoginsTotal, UpdateAssumeRolePolicy. |
| Notable Event Count Queries | IAM_TooManyAccessDenied | Counts IAM events related to access denied errors. |
| Notable Event Count Queries | Lambda_ExcessPermissionsOrInteractWithIam | Counts Lambda events related to any IAM interaction or privileged use of functions |
| Notable Event Count Queries | RDS_ModifyingAdminPassword | Counts events related to change of admin passwords for RDS resources. |
| Notable Event Count Queries | RDS_RestoreFromBackupOrModifySecGroup | Counts events related to restore from backup or security group changes. |
| Notable Event Count Queries | Redshift_DisableEncryption | Counts Redshift events related to disabling encryption. |
| Notable Event Count Queries | Redshift_DisableSSLOrDisableAccesslogging | Counts Redshift events related to disabling encryption or SSL. |
| Notable Event Count Queries | S3_AccessDeniedOrBucketConfigChecksFromPublicIp | Counts S3 events related to access denied errors or configuration checks from public IP addresses. |
| Notable Event Count Queries | S3_CrudBucketsFromPublicIp_CountEventResources | Counts S3 events related to Create, Update or Delete actions from public IP addresses. |
| Notable Event Count Queries | S3_DisableMfaDeleteOrBucketVersionioningOrAccessLogging | Counts S3 events related to disabling MFA delete, bucket versioning or access logging. |
| Notable Event Count Queries | S3_EnablePublicAccess | Counts S3 events related to enabling public ingress. |
| Notable Event Count Queries | S3_ListBuckets | Counts S3 events related to listing buckets. |
- To reduce false positives, the benchmarks and application filter out AWS CloudTrail events from legitimate cloud services including AWS itself and CloudHealth by VMware.
- Security posture requirements may vary between AWS accounts for a given customer. For example, development accounts might have less strict controls than production accounts. The app supports filtering findings by AWS account ID to facilitate AWS account level posture assessment.
- The benchmarking models use cohorts calculated from similar AWS accounts.
- This app relies on scheduled searches that save to an index in order to update AWS CloudTrail events periodically. When you first install the app, these searches will take 24 hours to accumulate sufficient data for meaningful comparisons over a 24-hour duration. As a result, it is important that you wait for at least 24 hours after the app installation before using the insights from the app dashboards.
- Initially, when the app is installed, the dashboards will have empty panels until the scheduled searches have run and the indices are populated.
- Scheduled searches are prefixed with "gis_benchmarks" to allow users to isolate these searches in the Data Volume Index.
- If multiple AWS accounts are referenced in the AWS CloudTrail data, the graphs will show values for each benchmark and AWS account combination. To optimize experience, select one AWS Account ID in the application dropdown.
- Do not modify the 24-hour time range in the dashboards as the benchmark data and comparisons are based on a prior 24-hour comparison only.
- Do not modify the schedule and time range of the scheduled searches.
- Do not modify the lookups in the dashboard search queries.
- The panel “Summary of Notable Events and Recommended Actions” on the dashboard “04 Action Plan” will not work until the scheduled search “Event Priority computation” populates the required lookup.
- The "infer" operator is not intended for direct customer use - modifying the queries will result in unexpected/incorrect results.
- For links to the CloudTrail events in the Action Plan dashboard watchlists to work, please make sure to set your Sumo Logic Region Code by clicking on the dashboard filter icon.
- The
inferoperator is not intended for use outside of Sumo Logic Global Intelligence apps. - Install the Sumo Logic Audit app to monitor the health of scheduled searches. The following two dashboards of the Audit app will help look into details for scheduled searches:
Sample log messages
{
"eventVersion":"1.05",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDAJK3NPEULWEXAMPLE",
"arn":"arn:aws:iam::224064EXAMPLE:user/username",
"accountId":"2240example0808",
"userName":"Pamelia@example.com"
},
"eventTime":"2020-01-11 00:42:12+0000",
"eventSource":"signin.amazonaws.com",
"eventName":"ConsoleLogin",
"awsRegion":"us-example",
"sourceIPAddress":"10.10.10.10",
"userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
"requestParameters":null,
"responseElements":{
"ConsoleLogin":"Success"
},
"additionalEventData":{
"LoginTo":"https://us-example.console.aws.amazon...sauthcode=true",
"MobileVersion":"No",
"MFAUsed":"Yes"
},
"eventID":"8fd88195-8576-example-8330cb492604",
"eventType":"AwsConsoleSignIn",
"recipientAccountId":"22406424example0808"
}
Sample queries
The following sample query is from the Unique AWS Resource Types panel of Dashboard 01: Attack Surface Benchmark.
_sourceCategory=Labs/AWS/CloudTrail/Analytics
| json "eventSource", "errorCode" nodrop
| where isBlank(errorCode)
| count_distinct(eventSource) as count
| "ResourcesCount_Service" as benchmarkname
| fillmissing values("ResourcesCount_Service") in benchmarkname
| toInt(count) as count
| infer _category=cloudtrail _model=benchmark
| first(count) as MyCompany, first(lower_limit) as cohort_low, first(median) as cohort_median, first(upper_limit) as cohort_high by benchmarkname
In some cases, your query results may show "HIDDEN_DUE_TO_SECURITY_REASONS" as the value of the userName field. That's because AWS does not log the user name that was entered when a sign-in failure is caused by an incorrect user name.
Collecting Logs for the GI for AWS CloudTrail SecOps App
This section provides an overview of the log collection process and instructions for configuring log collection for the Sumo Logic App for Gl CloudTrail.
If you have already AWS CloudTrail logs flowing into Sumo Logic, you can skip the steps in this section and install the app.
The following illustration is a graphical representation of the process for collecting logs from AWS CloudTrail and delivering them to Sumo Logic.
Configuring Log Collection
To configure log collection for Global Intelligence for AWS CloudTrail, follow the steps described here.
Installing the GI for AWS CloudTrail SecOps App
To install the app:
- From the Sumo Logic navigation, select App Catalog.
- In the Search Apps field, search for and then select your app.
- Optionally, you can scroll down to preview the dashboards included with the app. Then, click Install App (sometimes this button says Add Integration).
note
If your app has multiple versions, you'll need to select the version of the service you're using before installation.
- On the next configuration page, under Select Data Source for your App, complete the following fields:
- Data Source. Select one of the following options:
- Choose Source Category and select a source category from the list; or
- Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. For example,
_sourceCategory=MyCategory.
- Folder Name. You can retain the existing name or enter a custom name of your choice for the app.
- All Folders (optional). Default location is the Personal folder in your Library. If desired, you can choose a different location and/or click New Folder to add it to a new folder.
- Data Source. Select one of the following options:
- Click Next.
- Look for the dialog confirming that your app was installed successfully.
Once an app is installed, it will appear in your Personal folder or the folder that you specified. From here, you can share it with other users in your organization. Dashboard panels will automatically start to fill with data matching the time range query received since you created the panel. Results won't be available immediately, but within about 20 minutes, you'll see completed graphs and maps.
Viewing GI CloudTrail Dashboards
This section provides descriptions and examples of the Global Intelligence for AWS CloudTrail App dashboards.
01 Attack Surface Benchmark
GI CloudTrail - 01 Attack Surface Benchmark dashboard provides insights into the volume, variety, and velocity of the AWS infrastructure that are correlated with greater breach risks. The number of distinct AWS services in use measures variety, the number of distinct AWS resources measures volume while CloudTrail events measure velocity. The volume dimension only counts resources from 7 services noted above while the variety dimension includes all services referenced in your AWS CloudTrail data. These factors are also used to cohort customers into peer groups. Configuration changes are baselined by peer group to compare the configuration changes of a company and their related breach risks.
Use this dashboard to understand how your company compares to peers with respect to the following:
- Variety: Number of distinct services in use among EC2, S3, KMS, IAM, Lambda, Redshift and RDS
- Volume: Number unique AWS resources within each service
- Velocity: The number of create, update, or delete events across all resources within the company
02 Tactics and Techniques: My Company v. Peers
GI CloudTrail - 02 Tactics and Techniques: My Company v. Peers dashboard uses ATT&CK to organize tactics implied by AWS CloudTrail events that appear in your infrastructure and shows the comparison to other AWS customers in your peer group. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Use this dashboard to:
- Understand how attack tactics & techniques in my company differ from peers.
- Analyze findings organized by the following ATT&CK techniques:
- Credential Access
- Defense Evasion
- Discovery
- Execution
- Exfiltration
- Initial Access
- Lateral Movement
- Persistence
- Privilege Escalation
03 Tactics by Resource Type: My Company v. Peers
GI CloudTrail - 03 Tactics by Resource Type: My Company v. Peers dashboard utilizes ATT&CK tactics implied by AWS CloudTrail events and maps them to the resources they impact. It also presents data for comparisons of your company impacted resources against that of your peers.
Use this dashboard to:
- Understand tactics and techniques for my company versus peers.
- Analyze results organized by the following AWS services:
- Amazon EC2: count of compute instances, security groups, route tables and Amaon Machine Images
- Amazon S3: count of buckets
- Amazon RDS: count of database instances, DB security groups
- Amazon Redshift: count of database clusters and parameter groups
- AWS Lambda: count of function names
- AWS IAM: count of IAM users, roles and groups
- AWS CloudTrail: counts of trail instances
- S3 Tactics
04 Action Plan
GI CloudTrail - 04 Action Plan dashboard identifies the affected resources for every notable event. This data then enables you to create a proactive action plan for your environment.
Use this dashboard to:
- Create an action plan from the findings of Global Intelligence for AWS CloudTrail.
- Implement and then review the progress of the plan.