Additional AWS EventNames

Additional AWS EventNames


On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, Amazon CloudTrail is an excellent data source with a lot of API call history that allows us to keep track of who is attempting to do what in our AWS accounts.

But there is a little bit of problem with that too. We have a lot of call logging to analyze because every call is logged (including role assumption, role switching, and even the creation of a log stream).

According to a study, out of 400 million Cloud Trail Events, users just want only1 in 25,000 to be alerted of CloudTrail events. That’s an incredible signal-to-noise ratio!

Wazuh has a CDB List of AWS EventNames to reduce the signal-to-noise ratio and get the appropriate logs which needs to be monitored.

What is a CDB List?

A CDB List (Constant Database) is a collection of values that are compared to a field extracted by a decoder.  A custom rule checks whether the IP, user, or any other extracted information is present in the list from which we can determine whether or not to generate an alert based on the outcome.

How does it works with Wazuh?

Wazuh is a free, open source, enterprise-ready security monitoring technology that detects threats, monitors integrity, responds to incidents, and ensures compliance.

This feature’s primary purpose is to create a white/black list of users, file hashes, IP addresses, and domain names.

The list file is a simple text file with the following format for each line:

key1:value1

key2:value2

Each key must be unique, be preceded by a colon, and can contain an optional value. The value can be the others, but the key must be unique.

We can determine the existence or absence of a field in a list using a key. We can utilize a value as some rule criteria by adding it. For example, if we have account names (keys) that are linked to department names (values), we may create an alert that is triggered when a user who is not from the finance department connects into the finance server.

Adding Additonal AWS EventNames in the CDB List

Wazuh has a default CDB list for AWS EventNames located in /var/ossec/etc/lists/amazon/aws-EventNames consisting of 346 EventNames by default.

There are some more AWS EventNames to be added of which logs are needed to be monitored:

AttachLoadBalancers:Autoscaling 
DetachLoadBalancers:Autoscaling 
PutScalingPolicy:Autoscaling 
TerminateInstanceInAutoScalingGroup:Autoscaling 
CancelUpdateStack:Cloudformation 
CreateStack:Cloudformation 
DeleteStack:Cloudformation 
UpdateStack:Cloudformation 
DeleteConfigRule:AWS Config 
DeleteConfigurationRecorder:AWS Config 
DeleteDeliveryChannel:AWS Config 
DeleteEvaluationResults:AWS Config 
PutConfigurationRecorder:AWS Config 
PutConfigRule:AWS Config 
PutDeliveryChannel:AWS Config 
PutEvaluations:AWS Config 
StartConfigRulesEvaluation:AWS Config 
StartConfigurationRecorder:AWS Config 
StopConfigurationRecorder:AWS Config 
RunInstances:EC2 
StartInstances:EC2 
StopInstances:EC2 
TerminateInstances:EC2 
UpdateInstanceInformation:EC2 
DescribeAddresses:EC2 
DescribeKeyPairs:EC2 
DescribeNetworkAcls:EC2 
DescribeSecurityGroups:EC2 
DescribeVpcs:EC2 
AbortEnvironmentUpdate:Elastic Beanstalk 
CreateApplication:Elastic Beanstalk 
CreateApplicationVersion:Elastic Beanstalk 
CreateConfigurationTemplate:Elastic Beanstalk 
CreateEnvironment:Elastic Beanstalk 
CreateStorageLocation:Elastic Beanstalk 
DeleteApplication:Elastic Beanstalk 
DeleteStack:Cloudformation 
UpdateStack:Cloudformation 
DeleteConfigRule:AWS Config 
DeleteConfigurationRecorder:AWS Config 
DeleteDeliveryChannel:AWS Config 
DeleteEvaluationResults:AWS Config 
PutConfigurationRecorder:AWS Config 
PutConfigRule:AWS Config 
PutDeliveryChannel:AWS Config 
PutEvaluations:AWS Config 
StartConfigRulesEvaluation:AWS Config 
StartConfigurationRecorder:AWS Config 
StopConfigurationRecorder:AWS Config 
RunInstances:EC2 
StartInstances:EC2 
StopInstances:EC2 
TerminateInstances:EC2 
UpdateInstanceInformation:EC2 
DescribeAddresses:EC2 
DescribeKeyPairs:EC2 
DescribeNetworkAcls:EC2 
DescribeSecurityGroups:EC2 
DescribeVpcs:EC2 
AbortEnvironmentUpdate:Elastic Beanstalk 
CreateApplication:Elastic Beanstalk 
CreateApplicationVersion:Elastic Beanstalk 
CreateConfigurationTemplate:Elastic Beanstalk 
CreateEnvironment:Elastic Beanstalk 
CreateStorageLocation:Elastic Beanstalk 
DeleteApplication:Elastic Beanstalk 
DeleteApplicationVersion:Elastic Beanstalk 
DeleteConfigurationTemplate:Elastic Beanstalk 
DeleteEnvironmentConfiguration:Elastic Beanstalk 
RebuildEnvironment:Elastic Beanstalk 
RestartAppServer:Elastic Beanstalk 
SwapEnvironmentCNAMEs:Elastic Beanstalk 
TerminateEnvironment:Elastic Beanstalk 
UpdateApplication:Elastic Beanstalk 
UpdateApplicationVersion:Elastic Beanstalk 
UpdateConfigurationTemplate:Elastic Beanstalk 
UpdateEnvironment:Elastic Beanstalk 
CreateFileSystem:EFS 
CreateMountTarget:EFS 
DeleteFileSystem:EFS 
DeleteMountTarget:EFS 
CreateListener:ELB 
CreateLoadBalancer:ELB 
CreateLoadBalancerListeners:ELB 
CreateLoadBalancerPolicy:ELB 
CreateTargetGroup:ELB 
DeleteListener:ELB 
DeleteLoadBalancer:ELB 
DeleteLoadBalancerListeners:ELB 
DeleteLoadBalancerPolicy:ELB 
DeleteTargetGroup:ELB 
DeregisterInstancesFromLoadBalancer:ELB 
DeregisterTargets:ELB 
DetachLoadBalancerFromSubnets:ELB 
DisableAvailabilityZonesForLoadBalancer:ELB 
EnableAvailabilityZonesForLoadBalance:ELB 
ModifyListener:ELB 
ModifyLoadBalancerAttributes:ELB 

ModifyRule:ELB 
ModifyTargetGroup:ELB 
ModifyTargetGroupAttributes:ELB 
RegisterInstancesWithLoadBalancer:ELB 
RegisterTargets:ELB 
RemoveTags:ELB 
CreateDBCluster:RDS 
CreateDBClusterParameterGroup:RDS 
CreateDBClusterSnapshot:RDS 
CreateDBInstance:RDS 
CreateDBInstanceReadReplica:RDS 
CreateDBParameterGroup:RDS 
CreateDBSnapshot:RDS 
CreateDBSubnetGroup:RDS 
CreateOptionGroup:RDS 
DeleteDBCluster:RDS 
DeleteDBClusterParameterGroup:RDS 
DeleteDBClusterSnapshot:RDS 
DeleteDBInstance:RDS 
DeleteDBParameterGroup:RDS 
DeleteDBSnapshot:RDS 
DeleteDBSubnetGroup:RDS 
DeleteOptionGroup:RDS 
FailoverDBCluster:RDS 
ModifyDBCluster:RDS 
ModifyDBClusterParameterGroup:RDS 
ModifyDBInstance:RDS 
ModifyDBParameterGroup:RDS 
ModifyDBSnapshotAttribute:RDS 
ModifyDBSubnetGroup:RDS 
ModifyOptionGroup:RDS 
PromoteReadReplica:RDS 
RebootDBInstance:RDS 
ResetDBClusterParameterGroup:RDS 
ResetDBParameterGroup:RDS 
RestoreDBClusterFromSnapshot:RDS 
RestoreDBClusterToPointInTime:RDS 
RestoreDBInstanceFromDBSnapshot:RDS 
RestoreDBInstanceToPointInTime:RDS 
ChangeResourceRecordSets:Route53 
DeleteHealthCheck:Route53 
CreateBucket:S3 
DeleteBucket:S3 
DeleteBucketLifecycle:S3 
DeleteBucketReplication:S3 
DeleteBucketTagging:S3 
PutBucketLifecycle:S3 
PutBucketLogging:S3 
PutBucketNotification:S3 
PutBucketReplication:S3 
PutBucketRequestPayment:S3 
PutBucketTagging:S3 
PutBucketVersioning:S3 
GetBucketLogging:S3 
GetBucketPolicy:S3 
GetBucketPolicyStatus:S3 
ConsoleLogin:Access 
ExitRole:Access 
RenewRole:Access 
SwitchRole:Access 
DeleteCertificate:Certificate Manager 
RequestCertificate:Certificate Manager 
ResendValidationEmail:Certificate Manager 
StopLogging:Cloudtrail 
AllocateConnectionOnInterconnect:Direct Connect 
AllocateHostedConnection:Direct Connect 
AllocatePrivateVirtualInterface:Direct Connect 
AllocatePublicVirtualInterface:Direct Connect 
AssociateConnectionWithLag:Direct Connect 
AssociateHostedConnection:Direct Connect 
AssociateVirtualInterface:Direct Connect 
ConfirmConnection:Direct Connect 
ConfirmPrivateVirtualInterface:Direct Connect 
ConfirmPublicVirtualInterface:Direct Connect 
CreateConnection:Direct Connect 
CreateInterconnect:Direct Connect 
CreateLag:Direct Connect 
CreatePrivateVirtualInterface:Direct Connect 
CreatePublicVirtualInterface:Direct Connect 
DeleteConnection:Direct Connect 
DeleteInterconnect:Direct Connect 
DeleteLag:Direct Connect 
DeleteVirtualInterface:Direct Connect 
DisassociateConnectionFromLag:Direct Connect 
UpdateLag:Direct Connect 
AssociateIamInstanceProfile:EC2 - VPC 
AssociateAddress:EC2 - VPC 
AssociateRouteTable:EC2 - VPC 
AssociateSubnetCidrBlock:EC2 - VPC 
AssociateVpcCidrBlock:EC2 - VPC 
AttachClassicLinkVpc:EC2 - VPC 
AttachInternetGateway:EC2 - VPC 
AttachNetworkInterface:EC2 - VPC 
AllocateAddress:EC2 - VPC 
AssignPrivateIpAddresses:EC2 - VPC 
AttachVpnGateway:EC2 - VPC 
CreateKeyPair:EC2 - VPC 
CreateNatGateway:EC2 - VPC 
CreateNetworkAcl:EC2 - VPC 
CreateNetworkAclEntry:EC2 - VPC 
CreateNetworkInterface:EC2 - VPC 
CreateRoute:EC2 - VPC 
CreateRouteTable:EC2 - VPC 
CreateSecurityGroup:EC2 - VPC 
CreateVpc:EC2 - VPC 
CreateVpcEndpoint:EC2 - VPC 
CreateVpcPeeringConnection:EC2 - VPC 
CreateVpnConnection:EC2 - VPC 
CreateVpnConnectionRoute:EC2 - VPC 
CreateVpnGateway:EC2 - VPC 
DeleteCustomerGateway:EC2 - VPC 
DeleteDhcpOptions:EC2 - VPC 
DeleteEgressOnlyInternetGateway:EC2 - VPC 
DeleteInternetGateway:EC2 - VPC 
DeleteKeyPair:EC2 - VPC 
DeleteNatGateway:EC2 - VPC 
DeleteNetworkAcl:EC2 - VPC 
DeleteNetworkAclEntry:EC2 - VPC 
DeleteNetworkInterface:EC2 - VPC 
DeleteRoute:EC2 - VPC 
DeleteRouteTable:EC2 - VPC 
DeleteSecurityGroup:EC2 - VPC 
DeleteVpcEndpoints:EC2 - VPC 
DeleteVpcPeeringConnection:EC2 - VPC 
DeleteVpnConnection:EC2 - VPC 
DeleteVpnConnectionRoute:EC2 - VPC 
DeleteVpnGateway:EC2 - VPC 
DetachClassicLinkVpc:EC2 - VPC 
DetachInternetGateway:EC2 - VPC 
DetachNetworkInterface:EC2 - VPC 
DetachVolume:EC2 - VPC 
DetachVpnGateway:EC2 - VPC 
DisableVgwRoutePropagation:EC2 - VPC 
DisableVpcClassicLink:EC2 - VPC 
DisassociateAddress:EC2 - VPC 
DisassociateIamInstanceProfile:EC2 - VPC 
DisassociateRouteTable:EC2 - VPC 
DisassociateSubnetCidrBlock:EC2 - VPC 
DisassociateVpcCidrBlock:EC2 - VPC 
EnableVgwRoutePropagation:EC2 - VPC 
EnableVolumeIO:EC2 - VPC 
EnableVpcClassicLink:EC2 - VPC 
AuthorizeSecurityGroupEgress:EC2 - Security Groups 
AuthorizeSecurityGroupIngress:EC2 - Security Groups 
RevokeSecurityGroupEgress:EC2 - Security Groups 
RevokeSecurityGroupIngress:EC2 - Security Groups 
ModifyMountTargetSecurityGroups:EFS 
ApplySecurityGroupsToLoadBalancer:ELB 
SetSecurityGroups:ELB 
AuthorizeCacheSecurityGroupIngress:ElastiCache 
CreateCacheSecurityGroup:ElastiCache 
DeleteCacheSecurityGroup:ElastiCache 
RevokeCacheSecurityGroupIngress:ElastiCache 
AddClientIDToOpenIDConnectProvider:IAM 
AddRoleToInstanceProfile:IAM 
AddUserToGroup:IAM 
AttachGroupPolicy:IAM 
AttachRolePolicy:IAM 
AttachUserPolicy:IAM 
ChangePassword:IAM 
CreateAccessKey:IAM 
CreateAccountAlias:IAM 
CreateGroup:IAM 
CreateInstanceProfile:IAM 
CreateLoginProfile:IAM 
CreateOpenIDConnectProvider:IAM 
CreatePolicy:IAM 
CreatePolicyVersion:IAM 
CreateRole:IAM 
CreateSAMLProvider:IAM 
CreateUser:IAM 
CreateVirtualMFADevice:IAM 
DeactivateMFADevice:IAM 
DeleteAccessKey:IAM 
DeleteAccountAlias:IAM 
DeleteAccountPasswordPolicy:IAM 
DeleteGroup:IAM 
DeleteGroupPolicy:IAM 
DeleteInstanceProfile:IAM 
DeleteLoginProfile:IAM 
DeleteOpenIDConnectProvider:IAM 
DeletePolicy:IAM 
DeletePolicyVersion:IAM 
DeleteRole:IAM 
DeleteRolePolicy:IAM 
DeleteSAMLProvider:IAM 
DeleteServerCertificate:IAM 
DeleteSigningCertificate:IAM 
DeleteSSHPublicKey:IAM 
DeleteUser:IAM 
DeleteUserPolicy:IAM 
DeleteVirtualMFADevice:IAM 
DetachGroupPolicy:IAM 
DetachRolePolicy:IAM 
DetachUserPolicy:IAM 
EnableMFADevice:IAM 
PutGroupPolicy:IAM 
PutRolePolicy:IAM 
PutUserPolicy:IAM 
RemoveClientIDFromOpenIDConnectProvider:IAM 
RemoveRoleFromInstanceProfile:IAM 
RemoveUserFromGroup:IAM 
ResyncMFADevice:IAM 
SetDefaultPolicyVersion:IAM 
UpdateAccessKey:IAM 
ListAccessKey:IAM 
ListSSHPublicKeys:IAM 
UpdateAccountPasswordPolicy:IAM 
UpdateAssumeRolePolicy:IAM 
UpdateGroup:IAM 
UpdateLoginProfile:IAM 
UpdateOpenIDConnectProviderThumbprint:IAM 
UpdateSAMLProvider:IAM 
UpdateServerCertificate:IAM 
UpdateSigningCertificate:IAM 
UpdateSSHPublicKey:IAM 
UpdateUser:IAM 
UploadServerCertificate:IAM 
UploadSigningCertificate:IAM 
UploadSSHPublicKey:IAM 
GetInstanceProfile:IAM 
GetUser:IAM 
ListUserPolicies:IAM 
ListUserTags:IAM 
AssumeRole:STS 
AuthorizeSnapshotAccess:Redshift 
RevokeSnapshotAccess:Redshift 
RotateEncryptionKey:Redshift 
AuthorizeClusterSecurityGroupIngress:Redshift 
CreateClusterSecurityGroup:Redshift 
DeleteClusterSecurityGroup:Redshift 
RevokeClusterSecurityGroupIngress:Redshift 
AuthorizeDBSecurityGroupIngress:RDS 
CreateDBSecurityGroup:RDS 
DeleteDBSecurityGroup:RDS 
RevokeDBSecurityGroupIngress:RDS 
DeleteBucketCors:S3 
DeleteBucketPolicy:S3 
DeleteBucketWebsite:S3 
PutBucketAcl:S3 
PutBucketCors:S3 
PutBucketPolicy:S3 
PutBucketWebsite:S3 
RestoreObject:S3 
ReplicateTags:S3 
ReplicateObject:S3 
ReplicateDelete:S3 
PutObjectVersionTagging:S3 
PutObjectVersionAcl:S3 
PutObjectTagging:S3 
PutObjectRetention:S3 
PutObjectLegalHold:S3 
PutObjectAcl:S3 
PutObject:S3 
ListObjects:S3 
ListMultipartUploadParts:S3 
ListBucketMultipartUploads:S3 
ListBucketVersions:S3 
ListBucket:S3 
GetObjectVersionTagging:S3 
GetObjectVersionAcl:S3 
GetObjectVersion:S3 
GetObjectTagging:S3 
GetObjectRetention:S3 
GetObjectAcl:S3 
GetObject:S3 
DeleteObjectVersionTagging:S3 
DeleteObjectVersion:S3 
DeleteObjectTagging:S3 
DeleteObject:S3 
DeleteObjects:S3 
ObjectCreated:S3 
GetBucketReplication:S3 
GetBucketRequestPayment:S3 
ListTables:DynamoDB 
ListBackups:DynamoDB 
DescribeTableStatistics:DynamoDB 
DescribeTableSettings:DynamoDB 
DescribeKinesisStreamingDestination:DynamoDB 
CreateByteMatchSet:WAF 
CreateIPSet:WAF 
CreateRule:WAF 
CreateSizeConstraintSet:WAF 
CreateSqlInjectionMatchSet:WAF 
CreateWebACL:WAF 
CreateXssMatchSet:WAF 
DeleteByteMatchSet:WAF 
DeleteIPSet:WAF 
DeleteRule:WAF 
DeleteSizeConstraintSet:WAF 
DeleteSqlInjectionMatchSet:WAF 
DeleteWebACL:WAF 
DeleteXssMatchSet:WAF 
UpdateByteMatchSet:WAF 
UpdateIPSet:WAF 
UpdateRule:WAF 
UpdateSizeConstraintSet:WAF 
UpdateSqlInjectionMatchSet:WAF 
UpdateWebACL:WAF 
UpdateXssMatchSet:WAF 
AssociateDhcpOptions:Legacy Wazuh CDB 
AttachVolume:Legacy Wazuh CDB 
CopySnapshot:Legacy Wazuh CDB 
CreateImage:Legacy Wazuh CDB 
CreatePlacementGroup:Legacy Wazuh CDB 
CreateSnapshot:Legacy Wazuh CDB 
CreateSubnet:Legacy Wazuh CDB 
CreateTags:Legacy Wazuh CDB 
CreateVolume:Legacy Wazuh CDB 
DeletePlacementGroup:Legacy Wazuh CDB 
DeleteSnapshot:Legacy Wazuh CDB 
DeleteTags:Legacy Wazuh CDB 
DeleteVolume:Legacy Wazuh CDB 
DeregisterImage:Legacy Wazuh CDB 
DisableKey:Legacy Wazuh CDB 
GetGroup:Legacy Wazuh CDB 
ListAliases:Legacy Wazuh CDB 
ListGroups:Legacy Wazuh CDB 
ListUsers:Legacy Wazuh CDB 
ModifyImageAttribute:Legacy Wazuh CDB 
ModifyInstanceAttribute:Legacy Wazuh CDB 
ModifyNetworkInterfaceAttribute:Legacy Wazuh CDB 
ModifySnapshotAttribute:Legacy Wazuh CDB 
ModifySubnetAttribute:Legacy Wazuh CDB 
ModifyVolumeAttribute:Legacy Wazuh CDB 
MonitorInstances:Legacy Wazuh CDB 
RebootInstances:Legacy Wazuh CDB 
RegisterImage:Legacy Wazuh CDB 
UnmonitorInstances:Legacy Wazuh CDB 
UpdateInstanceAlias:Legacy Wazuh CDB 
AddMemberToGroup:SSO 
CompleteVirtualMfaDeviceRegistration:SSO  
CompleteWebAuthnDeviceRegistration:SSO 
CreateAlias:SSO 
CreateExternalIdPConfigurationForDirectory:SSO 
CreateGroup:SSO 
CreateUser:SSO 
DeleteExternalIdPConfigurationForDirectory:SSO 
DeleteGroup:SSO 
DeleteMfaDeviceForUser:SSO 
DeleteUser:SSO 
DescribeDirectory:SSO 
DescribeGroups:SSO 
DescribeUsers:SSO 
DisableExternalIdPConfigurationForDirectory:SSO 
DisableUser:SSO 
EnableExternalIdPConfigurationForDirectory:SSO 
EnableUser:SSO 
GetAWSSPConfigurationForDirectory:SSO 
ListExternalIdPConfigurationsForDirectory:SSO 
ListGroupsForUser:SSO 
ListMembersInGroup:SSO 
ListMfaDevicesForUser:SSO 
PutMfaDeviceManagementForDirectory:SSO 
RemoveMemberFromGroup:SSO 
SearchGroups:SSO 
SearchUsers:SSO 
StartVirtualMfaDeviceRegistration:SSO 
StartWebAuthnDeviceRegistration:SSO 
UpdateExternalIdPConfigurationForDirectory:SSO 
UpdateGroup:SSO 
UpdateMfaDeviceForUser:SSO 
UpdatePassword:SSO 
UpdateUser:SSO 
VerifyEmail:SSO 
CreateToken:SSO 
RegisterClient:SSO 
StartDeviceAuthorization:SSO 
Authenticate:SSO 
Federate:SSO 

For reference: There are more than 3000 EventNames which you can find on:

https://gist.github.com/pkazi/8b5a1374771f6efa5d55b92d8835718c

This list of AWS EventNames is to be added in /var/ossec/etc/lists/amazon/aws-EventNames.

For the new setting to take effect we need to restart the Wazuh manager.

service wazuh-manager restart 
Step-1
Step-2
Step-3

We can see here, the changes from the additional list in the aws-EventNames file now reflects in the list.

With the help of this decoders and rules, we will get our events triggered and we will find it under the Security Events.

<decoder name="json"> 

  <prematch>^{\s*"</prematch> 

  <plugin_decoder>JSON_Decoder</plugin_decoder> 

</decoder> 
<group name="amazon,aws,"> 


    <!-- AWS wodle --> 

    <rule id="80200" level="0"> 

        <decoded_as>json</decoded_as> 

        <field name="integration">aws</field> 

        <description>AWS alert.</description> 

        <options>no_full_log</options> 

    </rule> 

 

    <!-- Cloudtrail --> 


    <!-- Filter by eventName: etc/lists/amazon/aws-eventnames --> 

    <rule id="80202" level="3"> 

        <if_sid>80200</if_sid> 

        <field name="aws.source">cloudtrail</field> 

        <list field="aws.eventName" lookup="match_key">etc/lists/amazon/aws-eventnames</list> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).</description> 

        <group>aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <!-- If there is an error code: increase the level and change description --> 

    <rule id="80203" level="4"> 

        <if_sid>80202</if_sid> 

        <field name="aws.errorCode">\.+</field> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode).</description> 

        <group>aws_cloudtrail,pci_dss_10.6.1,amazon-error,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <!-- Specific rules --> 

 

    <!-- Events with errors --> 

    <rule id="80250" level="5"> 

        <if_sid>80203</if_sid> 

        <field name="aws.errorCode">AccessDenied</field> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode).</description> 

        <group>aws_cloudtrail,pci_dss_10.6.1,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.6,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC7.2,tsc_CC7.3,tsc_CC6.1,tsc_CC6.8,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <!-- Events with no errors --> 

    <rule id="80251" level="3"> 

        <if_sid>80202</if_sid> 

        <field name="aws.eventName">DeleteObjects</field> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).</description> 

<group>aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

    <rule id="80252" level="10" frequency="22" timeframe="600"> 

        <if_matched_sid>80251</if_matched_sid> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - high number of deleted object.</description> 

        <mitre> 

            <id>T1485</id> 

        </mitre> 

        <group>aws_cloudtrail,pci_dss_10.6.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_AU.6,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <!-- Logins --> 

    <rule id="80253" level="3"> 

        <if_sid>80202</if_sid> 

        <field name="aws.eventName">ConsoleLogin</field> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User Login Success.</description> 

        <mitre> 

            <id>T1078</id> 

        </mitre> 

        <group>aws_cloudtrail,authentication_success,pci_dss_10.2.5,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <rule id="80254" level="5"> 

        <if_sid>80253</if_sid> 

        <field name="aws.responseElements.ConsoleLogin">Failure</field> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User Login failed.</description> 

        <group>aws_cloudtrail,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

    <rule id="80255" level="10" frequency="6" timeframe="360"> 

        <if_matched_sid>80254</if_matched_sid> 

        <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - Possible breaking attempt (high number of login attempts).</description> 

        <mitre> 

            <id>T1110</id> 

        </mitre> 

        <group>aws_cloudtrail,authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group> 

        <options>no_full_log</options> 

    </rule> 

 

</group> 

Login to your Invinsense Portal and open Wazuh

Step-4

Here are the events which you can see in the Security Events for monitoring.

Step-5
Step-6

Conclusion

Using Wazuh and CloudTrail, we can reduce the signal-to-noise ratio and this is how we will get the AWS EventNames events in the security events and catch if any suspicious event that has occurred.



Solutions

Solutions

Services

Services