Integrating AWS CloudTrail in Wazuh


Van Than Vu

Mar 9, 2021, 4:07:56 AM
to Wazuh mailing list
Hi Wazuh Experts, 

I'm following this guide to integrate AWS CloudTrail in Wazuh. Everything is working fine as the blog guides me, but I have seen a problem here. Can you please help me clarify?

1- The thing is, agent.name has received the Wazuh Manager's hostname. As far as I know, in AWS CloudTrail we can see who deleted a Security Group, stopped/started EC2, created users, failed a login, etc. I need to display it in Elasticsearch with the AWS Account instead of the Wazuh Manager's hostname.

2- If I have multiple AWS Accounts, each of them will have an AWS CloudTrail with a different name. How can I distinguish between them? (Account A has data.aws.source from CloudTrail A, Account B has data.aws.source from CloudTrail B; I need to display this format in Elasticsearch.)

Screenshot at Mar 09.png

Screenshot at Mar 10.png

Regards, 


carlos...@wazuh.com

Mar 9, 2021, 8:34:22 AM
to Wazuh mailing list
Hi,

I'm glad you found our CloudTrail blog guide useful. I will try to answer your questions as best as possible.

The agent.name field is intended to be used to identify which Wazuh agent or Wazuh Manager sent the alert, as you can configure the Wazuh AWS integration in several nodes at the same time. This is the expected behaviour. However, you have the information you may need to identify who triggered the alert within the data.aws.userIdentity fields. There you can find useful information such as data.aws.userIdentity.arn, data.aws.userIdentity.username and so on.

Regarding your second question, the data.aws.source value will always be cloudtrail, as this field is used to distinguish alerts coming from different AWS services, such as CloudTrail, CloudWatchLogs, etc. However, if you are monitoring different buckets using the same Wazuh manager or Wazuh agent, you can distinguish and filter alerts based on which account they are coming from by using the data.aws.log_info.s3bucket field. In the same way, if you want to monitor the same bucket with several different account ids, you could use the data.aws.aws_account_id field to see which account is reporting that alert.

Let me know if this solves your questions. Do not hesitate to contact back if you have any doubt regarding this topic.

Van Than Vu

Mar 10, 2021, 2:11:48 AM
to carlos...@wazuh.com, Wazuh mailing list
Hi Carlos, 

Thank you for the quick response, so let me describe my scenario again.

1- I have configured AWS CloudTrail/AWS S3 bucket to send alerts directly to the Wazuh Manager, not through a Wazuh Agent. So, I think that is why agent.name is the hostname of the Wazuh Manager. I need to match agent.name with the AWS Account ID. As you can see below, if I don't match agent.name with the AWS Account ID, how can I tell it apart from another AWS Account? Please let me know.

image.png

cat /var/ossec/etc/ossec.conf

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <bucket type="cloudtrail">
    <name>wazuh-firehose-training</name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>


2- Regarding my second question, I would like to monitor and display it as below:

agent.name              AWS Account ID
Apple                   189324092507
Sony                    189324888888

Could you please share with me an ossec.conf configuration that has different buckets & different account ids?

Regards,  





--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/HFzXrjWQwU4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7544c3cb-868f-4bf3-8fe9-9cf7017be5f2n%40googlegroups.com.

carlos...@wazuh.com

Mar 10, 2021, 5:50:45 AM
to Wazuh mailing list
Hi again,

Sorry for the confusion. I was finding it a bit difficult to fully understand exactly what you meant.

Let me clarify how the agent.name works in the first place. The agent.name you are receiving is the hostname of your Wazuh manager. Every Wazuh manager comes with a special agent integrated so it is able to monitor itself. This agent is the agent 000, as you can see in your attached screenshots. You cannot change the value of the agent.name field to match the AWS Account ID, as this field is not intended to be used for that purpose.

However, if you need to be able to see the account name for each alert, so you can distinguish whether a given alert comes from AWS account A (Sony) or AWS account B (Apple), you could use the data.aws.log_info.aws_account_alias field instead. Here is an example:
example.png
To have this field available you need to provide the account alias within the AWS module configuration in the ossec.conf, like this:

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>

  <bucket type="cloudtrail">
    <name>wazuh-firehose-training</name>
    <aws_account_id>123456789012</aws_account_id>
    <aws_account_alias>Sony</aws_account_alias>
    <aws_profile>default</aws_profile>
  </bucket>

  <bucket type="cloudtrail">
    <name>wazuh-firehose-training</name>
    <aws_account_id>987654321091</aws_account_id>
    <aws_account_alias>Apple</aws_account_alias>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>

You can configure as many buckets within the aws-s3 wodle section as you may need, and also use different bucket types such as CloudTrail or GuardDuty at the same time in the same agent/manager. Here you can find more information about the bucket options available.
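
The following is an added example (not code from the thread or from the Wazuh project) that shows what the two answers above describe in practice: alerts arriving through the manager all carry the same agent.name, while the account a CloudTrail alert belongs to is recovered from data.aws.log_info.aws_account_alias (set by the bucket configuration), falling back to data.aws.aws_account_id or data.aws.log_info.s3bucket when no alias was configured, and the actor from data.aws.userIdentity. The alert records are constructed for this example; the account ids and aliases match the sample ossec.conf above, and the userIdentity.userName key is an assumption about the CloudTrail record layout.

```python
import json
from collections import defaultdict

# Constructed sample alerts, one JSON document per line as they would appear
# in alerts.json. These are NOT real Wazuh output; only the field names
# mentioned in the thread are used (agent.name, data.aws.source,
# data.aws.aws_account_id, data.aws.log_info.*, data.aws.userIdentity.*).
SAMPLE_ALERTS = [
    json.dumps({
        "agent": {"id": "000", "name": "wazuh-manager"},
        "data": {"aws": {
            "source": "cloudtrail",
            "aws_account_id": "123456789012",
            "log_info": {"s3bucket": "wazuh-firehose-training",
                         "aws_account_alias": "Sony"},
            "eventName": "DeleteSecurityGroup",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        }},
    }),
    json.dumps({
        "agent": {"id": "000", "name": "wazuh-manager"},
        "data": {"aws": {
            "source": "cloudtrail",
            "aws_account_id": "987654321091",
            "log_info": {"s3bucket": "wazuh-firehose-training",
                         "aws_account_alias": "Apple"},
            "eventName": "ConsoleLogin",
            "userIdentity": {"arn": "arn:aws:iam::987654321091:user/bob"},
        }},
    }),
    # Bucket configured without <aws_account_alias>: label falls back to the id.
    json.dumps({
        "agent": {"id": "000", "name": "wazuh-manager"},
        "data": {"aws": {
            "source": "cloudtrail",
            "aws_account_id": "111122223333",
            "log_info": {"s3bucket": "other-trail-bucket"},
            "eventName": "StopInstances",
            "userIdentity": {"userName": "carol"},  # assumed key, no arn present
        }},
    }),
    # A non-CloudTrail AWS alert; data.aws.source distinguishes services, so skip it.
    json.dumps({
        "agent": {"id": "000", "name": "wazuh-manager"},
        "data": {"aws": {"source": "guardduty", "aws_account_id": "123456789012"}},
    }),
]


def aws_block(alert):
    """Return the data.aws sub-document, or {} if the alert is not an AWS alert."""
    return alert.get("data", {}).get("aws", {})


def account_label(alert):
    """Label used to tell accounts apart, in the order the thread recommends:
    configured alias, then the account id, then the bucket name."""
    aws = aws_block(alert)
    log_info = aws.get("log_info", {})
    return (log_info.get("aws_account_alias")
            or aws.get("aws_account_id")
            or log_info.get("s3bucket")
            or "unknown")


def actor(alert):
    """Who triggered the event, from data.aws.userIdentity (arn preferred)."""
    ident = aws_block(alert).get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or "unknown"


def summarize(alert_lines):
    """Group CloudTrail events per account label: {label: [(eventName, actor), ...]}."""
    summary = defaultdict(list)
    for line in alert_lines:
        alert = json.loads(line)
        if aws_block(alert).get("source") != "cloudtrail":
            continue
        summary[account_label(alert)].append(
            (aws_block(alert).get("eventName"), actor(alert)))
    return dict(summary)


if __name__ == "__main__":
    agents = {json.loads(l)["agent"]["name"] for l in SAMPLE_ALERTS}
    print("agent.name values seen:", sorted(agents))  # all the same: the manager
    for label, events in summarize(SAMPLE_ALERTS).items():
        for event_name, who in events:
            print(f"{label:<14} {event_name:<22} {who}")
```

Running the block prints one agent.name for every alert and three account labels (Sony, Apple and the bare id 111122223333), which is the view the thread asks for: filter or group on the account label rather than on agent.name.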

Van Than Vu

Mar 10, 2021, 10:23:03 AM
to carlos...@wazuh.com, Wazuh mailing list
Hi Carlos, 

Thank you very much for your reply. I appreciate the detail you went into previously in the email; what I mentioned there has been solved. I am grateful for the amount of time and effort you put into helping us. Your insights and summary are beneficial. But we still have a bug, which I will show you here.

As far as I know, there are two methodologies to send logs from AWS CloudTrail/CloudWatch Logs/etc. to the Wazuh Manager, as in the diagram below:

image.png
AWS ==> Wazuh Manager (directly)
In your previous message you helped me distinguish whether a given alert comes from AWS account A (Sony) or AWS account B (Apple) by using the data.aws.log_info.aws_account_alias field. I have tested it carefully and it's exactly what I'm looking for.

AWS ==> Agent (bug here).

Errors in ossec.log

image.png

I did this by executing the following command:

image.png

/var/ossec/etc/ossec.conf (in Wazuh Agent)

<wodle name="aws-s3">
  <disabled>no</disabled>
  <interval>10m</interval>
  <run_on_start>yes</run_on_start>
  <skip_on_error>yes</skip_on_error>
  <bucket type="cloudtrail">
    <name>misp-firehose-training</name>
    <aws_profile>default</aws_profile>
  </bucket>
</wodle>


I have run the modules in debug mode with pkill wazuh-modulesd & /var/ossec/bin/wazuh-modulesd -fd


2021/03/10 13:59:13 sca[27926] wm_sca.c:1561 at wm_sca_read_command(): DEBUG: Executing command 'dpkg -s prelink', and testing output with pattern 'r:install ok installed'
2021/03/10 13:59:13 wazuh-modulesd:aws-s3[27926] wm_aws.c:396 at wm_aws_run_s3(): WARNING: Bucket:  -  Returned exit code 1
2021/03/10 13:59:13 wazuh-modulesd:aws-s3[27926] wm_aws.c:400 at wm_aws_run_s3(): WARNING: Bucket:  -  Unknown error.
2021/03/10 13:59:13 wazuh-modulesd:aws-s3[27926] wm_aws.c:420 at wm_aws_run_s3(): DEBUG: Bucket:  -  OUTPUT: Traceback (most recent call last):
  File "/var/ossec/wodles/aws/aws-s3", line 48, in <module>
    from datetime import timezone
ImportError: cannot import name timezone

I have attached some more in detail for you. 

Regards,  


WazuhAgent_AWS S3.txt

David José Iglesias Lopez

Mar 10, 2021, 12:21:36 PM
to Wazuh mailing list
Hello,

It looks as if the Python interpreter in the Wazuh agent is Python 2.

From here https://stackoverflow.com/questions/50615133/python-cannot-import-timezone-but-can-import-datetime I can see that timezone was included in python 3.2. The Wazuh Manager comes with everything needed by default to run the AWS modules, but for the Wazuh Agent there are some extra steps as it does not come with embedded python. Could you upgrade to python > 3.2 and try again? I believe that is the issue in your agent logs.

Regards,

David J. Iglesias

Van Than Vu

Mar 10, 2021, 9:47:59 PM
to David José Iglesias Lopez, Wazuh mailing list
Hi David, 

Thank you for your reply. Your suggestions have been constructive. I appreciate it.

I did remove Python 2.7/Boto3 and reinstall Python 3/Boto3. You fixed it.

I'm glad to be here. Thank you all, Wazuh Experts, for changing the world.

Regards, 
