Additional AWS EventNames

On Monday, October 4, 2021, Apache published an advisory on CVE-2021-41773, Amazon CloudTrail is an excellent data source with a lot of API call history that allows us to keep track of who is attempting to do what in our AWS accounts.

But there is a little bit of problem with that too. We have a lot of call logging to analyze because every call is logged (including role assumption, role switching, and even the creation of a log stream).

According to a study, out of 400 million Cloud Trail Events, users just want only1 in 25,000 to be alerted of CloudTrail events. That’s an incredible signal-to-noise ratio!

Wazuh has a CDB List of AWS EventNames to reduce the signal-to-noise ratio and get the appropriate logs which needs to be monitored.

What is a CDB List?

A CDB List (Constant Database) is a collection of values that are compared to a field extracted by a decoder.  A custom rule checks whether the IP, user, or any other extracted information is present in the list from which we can determine whether or not to generate an alert based on the outcome.

How does it works with Wazuh?

Wazuh is a free, open source, enterprise-ready security monitoring technology that detects threats, monitors integrity, responds to incidents, and ensures compliance.

This feature’s primary purpose is to create a white/black list of users, file hashes, IP addresses, and domain names.

The list file is a simple text file with the following format for each line:

key1:value1

key2:value2

Each key must be unique, be preceded by a colon, and can contain an optional value. The value can be the others, but the key must be unique.

We can determine the existence or absence of a field in a list using a key. We can utilize a value as some rule criteria by adding it. For example, if we have account names (keys) that are linked to department names (values), we may create an alert that is triggered when a user who is not from the finance department connects into the finance server.

Adding Additonal AWS EventNames in the CDB List

Wazuh has a default CDB list for AWS EventNames located in /var/ossec/etc/lists/amazon/aws-EventNames consisting of 346 EventNames by default.

There are some more AWS EventNames to be added of which logs are needed to be monitored:

:ELB

:IAM
DeleteSigningCertificate:IAM
DeleteSSHPublicKey:IAM
DeleteUser:IAM
DeleteUserPolicy:IAM
DeleteVirtualMFADevice:IAM
DetachGroupPolicy:IAM
DetachRolePolicy:IAM
DetachUserPolicy:IAM
EnableMFADevice:IAM

:S3
PutObjectLegalHold:S3
PutObjectAcl:S3
PutObject:S3
ListObjects:S3
ListMultipartUploadParts:S3
ListBucketMultipartUploads:S3
ListBucketVersions:S3
ListBucket:S3
GetObjectVersionTagging:S3
GetObjectVersionAcl:S3
GetObjectVersion:S3
GetObjectTagging:S3
GetObjectRetention:S3
GetObjectAcl:S3
GetObject:S3
DeleteObjectVersionTagging:S3
DeleteObjectVersion:S3
DeleteObjectTagging:S3
DeleteObject:S3
DeleteObjects:S3
ObjectCreated:S3
GetBucketReplication:S3
GetBucketRequestPayment:S3
ListTables:DynamoDB
ListBackups:DynamoDB
DescribeTableStatistics:DynamoDB
DescribeTableSettings:DynamoDB
DescribeKinesisStreamingDestination:DynamoDB
CreateByteMatchSet:WAF
CreateIPSet:WAF
CreateRule:WAF
CreateSizeConstraintSet:WAF
CreateSqlInjectionMatchSet:WAF
CreateWebACL:WAF
CreateXssMatchSet:WAF
DeleteByteMatchSet:WAF
DeleteIPSet:WAF
DeleteRule:WAF
DeleteSizeConstraintSet:WAF
DeleteSqlInjectionMatchSet:WAF
DeleteWebACL:WAF
DeleteXssMatchSet:WAF
UpdateByteMatchSet:WAF

:SSO
CreateUser:SSO
DeleteExternalIdPConfigurationForDirectory:SSO
DeleteGroup:SSO
DeleteMfaDeviceForUser:SSO
DeleteUser:SSO
DescribeDirectory:SSO
DescribeGroups:SSO
DescribeUsers:SSO
DisableExternalIdPConfigurationForDirectory:SSO
DisableUser:SSO
EnableExternalIdPConfigurationForDirectory:SSO
EnableUser:SSO
GetAWSSPConfigurationForDirectory:SSO
ListExternalIdPConfigurationsForDirectory:SSO
ListGroupsForUser:SSO
ListMembersInGroup:SSO
ListMfaDevicesForUser:SSO
PutMfaDeviceManagementForDirectory:SSO
RemoveMemberFromGroup:SSO
SearchGroups:SSO
SearchUsers:SSO
StartVirtualMfaDeviceRegistration:SSO
StartWebAuthnDeviceRegistration:SSO
UpdateExternalIdPConfigurationForDirectory:SSO
UpdateGroup:SSO
UpdateMfaDeviceForUser:SSO
UpdatePassword:SSO
UpdateUser:SSO
VerifyEmail:SSO
CreateToken:SSO
RegisterClient:SSO
StartDeviceAuthorization:SSO
Authenticate:SSO
Federate:SSO

For reference: There are more than 3000 EventNames which you can find on:

https://gist.github.com/pkazi/8b5a1374771f6efa5d55b92d8835718c

This list of AWS EventNames is to be added in /var/ossec/etc/lists/amazon/aws-EventNames.

For the new setting to take effect we need to restart the Wazuh manager.

service wazuh-manager restart

We can see here, the changes from the additional list in the aws-EventNames file now reflects in the list.

With the help of this decoders and rules, we will get our events triggered and we will find it under the Security Events.

<decoder name="json"> 

  <prematch>^{\s*"</prematch> 

  <plugin_decoder>JSON_Decoder</plugin_decoder> 

</decoder>

d,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_SI.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>

<options>no_full_log</options>

</rule>

</group>

Here are the events which you can see in the Security Events for monitoring.

Conclusion

Using Wazuh and CloudTrail, we can reduce the signal-to-noise ratio and this is how we will get the AWS EventNames events in the security events and catch if any suspicious event that has occurred.

What is a CDB List?

How does it works with Wazuh?

Adding Additonal AWS EventNames in the CDB List

Conclusion

Our latest blogs

Welcome to the single source of truth you need for cybersecurity.