Custom rules for AWS CloudTrail Logs


Billy Gigurtsis

Sep 6, 2023, 8:18:23 AM
to Wazuh | Mailing List
Hi all,

I'm on the latest version of Wazuh base. I'm ingesting my CloudTrail logs and trying to get some alerts going for when someone signs in from a certain country.

I have rebuilt my wazuh-manager to use GeoIP (make TARGET=server USE_GEOIP=yes) as per this guide: https://github.com/wazuh/wazuh/issues/4053#issuecomment-54106938. I think it's working, as I'm not getting any errors even though my ossec.conf includes the geoip fields.

The logs (condensed version but it's the same nesting) look like this: 

{
  "data": {
    "aws": {
      "eventSource": "signin.amazonaws.com",
      "eventName": "ConsoleLogin",
      "eventType": "AwsConsoleSignIn",
      "eventTime": "2023-09-06T09:44:26Z",
      "userIdentity": {
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2023-09-06T09:44:26Z"
          }
        },
        "type": "AssumedRole"
      },
      "responseElements": {
        "ConsoleLogin": "Success"
      }
    }
  },
  "GeoLocation": {
    "country_name": "United Kingdom"
  },
  "rule": {
    "description": "AWS Cloudtrail: signin.amazonaws.com - ConsoleLogin - User login success.",
    "id": "80253",
    "level": 3
  },
  "location": "Wazuh-AWS",
  "decoder": {
    "name": "json"
  },
  "timestamp": "2023-09-06T09:48:39.295+0000"
}

Initially I tried the below rule (located in local_rules.xml) but did not get any hits:

<group name="aws,">
  <rule id="100002" level="5">
    <decoded_as>json</decoded_as>
    <field name="data.aws.eventSource">signin.amazonaws.com</field>
    <field name="GeoLocation.country_name">United Kingdom</field>
    <description>AWS signin from the United Kingdom detected.</description>
  </rule>
</group>

I then tried creating two separate rules to check where my problem is, also located in local_rules.xml, but I am still not getting any alerts:

<group name="aws,">
  <rule id="100002" level="5">
    <field name="GeoLocation.country_name">United Kingdom</field>
    <description>AWS signin from the United Kingdom detected.</description>
  </rule>
</group>

<group name="aws,">
  <rule id="100003" level="5">
    <decoded_as>json</decoded_as>
    <field name="data.aws.eventSource">signin.amazonaws.com</field>
    <description>AWS signin detected.</description>
  </rule>
</group>

My questions:

1. Do my rules look correct?
2. How would I test my rule with logtest considering it's a multi-line json log? I've tried something like the below single line json but it doesn't match.

 {"data":{"aws":{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","eventTime":"2023-09-06T09:44:26Z","userIdentity":{"sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2023-09-06T09:44:26Z"}},"type":"AssumedRole"},"responseElements":{"ConsoleLogin":"Success"}},"GeoLocation":{"country_name":"United Kingdom","city_name":"City","region_name":"Region"},"rule":{"description":"AWS Cloudtrail: signin.amazonaws.com - ConsoleLogin - User login success.","id":"80253","level":3},"location":"Wazuh-AWS","decoder":{"name":"json"},"timestamp":"2023-09-06T09:48:39.295+0000"}

3. How do I test that my GeoIP.db is working correctly so that I can process geolocation data through alerts/rules?

Thank you very much for any help!


Nicolas Stefani

Sep 6, 2023, 9:25:29 AM
to Billy Gigurtsis, Wazuh | Mailing List
Hi Billy,

Looking at the example that you provided, I saw that rule 80253 is being triggered, so maybe it isn't necessary to create a custom one.

Could you share the raw log from AWS to do some tests? Take care to remove any sensitive data.

Also, what version of Wazuh have you installed?

Regards,



--
Wazuh Nicolás Stefani
Software Engineer

Billy Gigurtsis

Sep 6, 2023, 9:39:08 AM
to Wazuh | Mailing List
I think I replied privately; replying publicly in case this is helpful for anyone.

I'm on the latest version 4.5.1.

Here's my raw log, but note that it doesn't include the GeoIP data that I'm also trying to alert on:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "email",
        "arn": "arn",
        "accountId": "id",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "ID",
                "arn": "arn",
                "accountId": "id",
                "userName": "user"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-06T13:14:06Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-09-06T13:14:06Z",

    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "ip",
    "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Success"
    },
    "additionalEventData": {
        "MobileVersion": "No",
        "MFAUsed": "No"
    },
    "eventID": "id",
    "readOnly": false,
    "eventType": "AwsConsoleSignIn",
    "managementEvent": true,
    "recipientAccountId": "account",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "eu-west-2.signin.aws.amazon.com"
    }
}

Nicolas Stefani

Sep 6, 2023, 12:53:51 PM
to Billy Gigurtsis, Wazuh | Mailing List
Well, let's try this.

Here is a rule that inherits from 80253 and filters on the geolocation that you need:

<group name="custom_cloudtrail,">
  <rule id="100002" level="5">
    <if_sid>80253</if_sid>
    <field name="data.GeoLocation.country_name">United Kingdom</field>
    <description>AWS signin from the United Kingdom detected.</description>
  </rule>
</group>

Put it in your local_rules.xml.

To test it, use this template:

{
  "integration": "aws",
  "aws": {
    "log_info": {
      "aws_account_alias": "",
      "log_file": "the path of your file in aws",
      "s3bucket": "the bucket name"
    },
    # put_your_raw_aws_log
    "source": "cloudtrail",
    "aws_account_id": "your_aws_account_id",
    "source_ip_address": "the_same_ip_from_log"
  }
}

and replace the placeholders with the correct values. This is the processed data that the AWS module sends to be analyzed.

You need to have something like:

{
  "integration": "aws",
  "aws": {
    "log_info": {
      "aws_account_alias": "",
      "log_file": "the path of your file in aws",
      "s3bucket": "the bucket name"
    },
    "eventVersion": "1.08",
    ...
    "tlsDetails": {
      "tlsVersion": "TLSv1.3",
      "cipherSuite": "TLS_AES_128_GCM_SHA256",
      "clientProvidedHostHeader": "eu-west-2.signin.aws.amazon.com"
    },
    "source": "cloudtrail",
    "aws_account_id": "your_aws_account_id",
    "source_ip_address": "the_same_ip_from_log"
  }
}

Once you have it, transform the JSON to one line and do the log test with /var/ossec/bin/wazuh-logtest -v and see what rule matches.
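
To produce that one-line logtest input without hand-editing JSON, here is an added Python helper (example code, not from Wazuh and not from anyone in this thread). It merges a raw CloudTrail record into the envelope shown in the reply above, emits it on a single line, and lists the dotted field names that a rule <field name="..."> can reference for that event. Those names are relative to the decoded event (aws.eventSource, the same path the stock rules use in their $(aws.eventSource) descriptions), with no data. prefix; data is the wrapper alerts.json puts around the decoded fields. The sample record is a redacted copy of the one posted earlier in this thread; the account id, bucket name, log path and source IP (a TEST-NET-2 address) are constructed placeholders, and the wazuh-logtest call only runs if the binary is present.

```python
"""Build a one-line wazuh-logtest input from a raw CloudTrail record.

Added example, not Wazuh project code. The envelope follows the template
given in the reply above: raw CloudTrail fields sit directly under "aws",
next to "log_info", "source", "aws_account_id" and "source_ip_address".
"""
import json
import os
import subprocess

# Constructed sample: a redacted ConsoleLogin record, same shape as the one
# posted in this thread. "ip"-style placeholders are replaced by a TEST-NET-2
# address so the field is a real-looking IP; everything else is illustrative.
RAW_CLOUDTRAIL_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "email",
        "arn": "arn",
        "accountId": "id",
        "sessionContext": {
            "sessionIssuer": {"type": "Role", "principalId": "ID", "arn": "arn",
                              "accountId": "id", "userName": "user"},
            "webIdFederationData": {},
            "attributes": {"creationDate": "2023-09-06T13:14:06Z",
                           "mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2023-09-06T13:14:06Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "198.51.100.23",  # constructed placeholder
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MobileVersion": "No", "MFAUsed": "No"},
    "eventType": "AwsConsoleSignIn",
    "eventCategory": "Management",
}


def build_logtest_event(record, account_id, bucket, log_file, alias=""):
    """Wrap a raw CloudTrail record in the envelope the AWS module hands to analysisd."""
    aws = {"log_info": {"aws_account_alias": alias, "log_file": log_file, "s3bucket": bucket}}
    aws.update(record)  # raw fields go directly under "aws", not under a sub-key
    aws["source"] = "cloudtrail"
    aws["aws_account_id"] = account_id
    # The template says source_ip_address must equal the IP in the log itself.
    aws["source_ip_address"] = record.get("sourceIPAddress", "")
    return {"integration": "aws", "aws": aws}


def to_logtest_line(event):
    """wazuh-logtest reads one event per line, so the JSON must contain no newlines."""
    return json.dumps(event, separators=(",", ":"))


def rule_field_paths(event, prefix=""):
    """Dotted names a rule <field name="..."> can reference for this event.

    Paths are relative to the decoded event (e.g. aws.eventSource). The
    'data.' prefix seen in alerts.json is output wrapping, not a field path.
    """
    paths = []
    for key, value in event.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            paths.extend(rule_field_paths(value, path))
        else:
            paths.append(path)
    return paths


def run_wazuh_logtest(line, binary="/var/ossec/bin/wazuh-logtest"):
    """Feed the line to wazuh-logtest -v on stdin; None if the binary is not installed."""
    if not os.path.exists(binary):
        return None
    proc = subprocess.run([binary, "-v"], input=line + "\n", capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed placeholders for account id, bucket and object key.
    event = build_logtest_event(RAW_CLOUDTRAIL_RECORD, account_id="123456789012",
                                bucket="example-cloudtrail-bucket",
                                log_file="AWSLogs/123456789012/CloudTrail/eu-west-2/example.json.gz")
    line = to_logtest_line(event)
    print(line)
    for path in rule_field_paths(event):
        print("field:", path)
    output = run_wazuh_logtest(line)
    if output:
        print(output)
```

Paste the printed line at the wazuh-logtest prompt (or let the script pipe it in) and compare the phase-3 rule id with the one you expect; the field list is the set of names worth trying in <field name="...">.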


Billy Gigurtsis

Sep 7, 2023, 7:34:48 AM
to Wazuh | Mailing List
The log template does work to trigger/test the original AWS rule. Unfortunately, it's still not triggering the custom rule. I've tried using data.Geolocation.country_name and Geolocation.country_name in local rules. Would it not be just GeoLocation.country_name as that field is not nested under data in the document JSON? 

What would be the best way to test if the GeoLocation is actually being processed by my alerts? I know that I've built wazuh-manager correctly because there are no errors even though I have <use_geoip> and <geoipdb> in my ossec.conf. On the documents inside of Wazuh I'm still just seeing rule 80253 being triggered.

Below I'll put the logtest output and also part of my ossec.conf:

<ossec_config>
  <global>
    <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wa...@example.wazuh.com</email_from>
    <email_to>reci...@example.wazuh.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
  </global>

  <alerts>
    <use_geoip>yes</use_geoip>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

And the logtest output:

Trying rule: 80200 - AWS alert.
*Rule 80200 matched
*Trying child rules
Trying rule: 80300 - AWS GuardDuty alert.
Trying rule: 80325 - AWS ALB alert.
Trying rule: 80350 - AWS Macie alert.
Trying rule: 80360 - AWS S3 access log events group.
Trying rule: 80400 - AWS VPC flow alert.
Trying rule: 80440 - AWS WAF alert.
Trying rule: 80450 - AWS config alert.
Trying rule: 80480 - AWS trusted advisor alert.
Trying rule: 80490 - AWS KMS alert.
Trying rule: 80495 - AWS inspector - network assessment [$(aws.createdAt)]: $(aws.title) [$(aws.severity)].
Trying rule: 80202 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).
*Rule 80202 matched
*Trying child rules
Trying rule: 80203 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode).
Trying rule: 80251 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).
Trying rule: 80253 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User login success.
*Rule 80253 matched
*Trying child rules
Trying rule: 100002 - AWS signin from the United Kingdom detected.
Trying rule: 80254 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User login failed.

**Phase 3: Completed filtering (rules).
id: '80253'
level: '3'
description: 'AWS Cloudtrail: signin.amazonaws.com - ConsoleLogin - User login success.'
groups: '['amazon', 'aws', 'authentication_success', 'aws_cloudtrail']'
firedtimes: '1'
gdpr: '['IV_32.2']'
hipaa: '['164.312.b']'
mail: 'False'
mitre.id: '['T1078']'
mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
mitre.technique: '['Valid Accounts']'
nist_800_53: '['AC.7', 'AU.14']'
pci_dss: '['10.2.5']'
tsc: '['CC6.8', 'CC7.2', 'CC7.3']'
**Alert to be generated.

Billy Gigurtsis

Sep 7, 2023, 7:39:27 AM
to Wazuh | Mailing List
One thing I've noticed is that in the original GitHub issue that details how to use GeoIP alerts, the GeoIP field seems to be different. The documents JSON that I'm seeing in the Wazuh dashboard seems to still have the original GeoLocation, although I'm not 100% sure if it would be changed:


**Phase 2: Completed decoding.
       decoder: 'sshd'
       dstuser: 'root'
       srcip: '2.136.147.146'
       srcgeoip: 'ES / Catalonia'   <----------- Wazuh GeoIP DB field
       srcport: '1055'

**Phase 3: Completed filtering (rules).
       Rule id: '100011'
       Level: '15'
       Description: 'Log attempt from ES / Catalonia'
**Alert to be generated.

Again, I'm not really sure if this is relevant; we could be doing it the correct way, it's just something I noticed.
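
Reading a verbose logtest trace by eye gets tedious once several custom rules are involved, so here is an added Python helper (example code, not from Wazuh and not from anyone in this thread). It parses what /var/ossec/bin/wazuh-logtest -v prints and reports, for a given rule id, whether it fired, matched but lost to another rule, was evaluated without matching (which is what happened to 100002 in the trace two posts up), or was never reached at all; it also pulls the phase-2 decoded fields so you can check directly whether a srcgeoip value was produced, which is the quickest way to tell whether the GeoIP database is being consulted. The two traces embedded in it are constructed from the output quoted in the two posts above (the CloudTrail phase-3 trace, trimmed, and the sshd example with its srcgeoip field) and are sample text, not live output.

```python
"""Read wazuh-logtest -v output: which rule fired, and was srcgeoip decoded?

Added example, not Wazuh project code. It parses the text that
/var/ossec/bin/wazuh-logtest -v prints so a rule under test can be checked
mechanically instead of by scrolling through the trace.
"""
import re

# Constructed from the CloudTrail trace posted in this thread (phase 3 only, trimmed).
CLOUDTRAIL_TRACE = """\
Trying rule: 80200 - AWS alert.
*Rule 80200 matched
*Trying child rules
Trying rule: 80300 - AWS GuardDuty alert.
Trying rule: 80202 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).
*Rule 80202 matched
*Trying child rules
Trying rule: 80253 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User login success.
*Rule 80253 matched
*Trying child rules
Trying rule: 100002 - AWS signin from the United Kingdom detected.
Trying rule: 80254 - AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName) - User login failed.

**Phase 3: Completed filtering (rules).
\tid: '80253'
\tlevel: '3'
\tdescription: 'AWS Cloudtrail: signin.amazonaws.com - ConsoleLogin - User login success.'
\tgroups: '['amazon', 'aws', 'authentication_success', 'aws_cloudtrail']'
**Alert to be generated.
"""

# Constructed from the sshd example quoted from the GitHub issue (phase 2 carries srcgeoip).
SSHD_TRACE = """\
**Phase 2: Completed decoding.
\tdecoder: 'sshd'
\tdstuser: 'root'
\tsrcip: '2.136.147.146'
\tsrcgeoip: 'ES / Catalonia'
\tsrcport: '1055'

**Phase 3: Completed filtering (rules).
\tid: '100011'
\tlevel: '15'
\tdescription: 'Log attempt from ES / Catalonia'
**Alert to be generated.
"""

TRIED_RE = re.compile(r"^Trying rule: (\d+) - ", re.M)
MATCHED_RE = re.compile(r"^\*Rule (\d+) matched$", re.M)
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): '(.*)'$", re.M)
FIRED_RE = re.compile(r"^\s*(?:Rule )?id: '(\d+)'$", re.M)  # old and new output spellings


def phase_section(trace, phase):
    """Text from '**Phase N:' up to the next '**Phase' header (or end of trace)."""
    start = trace.find(f"**Phase {phase}:")
    if start < 0:
        return ""
    end = trace.find("**Phase", start + 1)
    return trace[start:end] if end >= 0 else trace[start:]


def decoded_fields(trace):
    """Phase-2 fields as a dict, e.g. {'decoder': 'sshd', 'srcgeoip': 'ES / Catalonia'}."""
    return dict(FIELD_RE.findall(phase_section(trace, 2)))


def fired_rule(trace):
    """Rule id reported in phase 3, or None if no rule was selected."""
    m = FIRED_RE.search(phase_section(trace, 3))
    return m.group(1) if m else None


def rule_status(trace, rule_id):
    """Classify what happened to one rule id during the run."""
    if fired_rule(trace) == rule_id:
        return "fired"
    if rule_id in MATCHED_RE.findall(trace):
        return "matched, but another rule was selected"
    if rule_id in TRIED_RE.findall(trace):
        return "evaluated, but its conditions did not match"
    return "never evaluated (parent if_sid did not fire, or rule not loaded)"


def geoip_decoded(trace):
    """The srcgeoip value from phase 2, or None if no GeoIP enrichment happened."""
    return decoded_fields(trace).get("srcgeoip")


if __name__ == "__main__":
    for name, trace in (("cloudtrail", CLOUDTRAIL_TRACE), ("sshd", SSHD_TRACE)):
        print(name, "fired:", fired_rule(trace), "srcgeoip:", geoip_decoded(trace))
    print("rule 100002:", rule_status(CLOUDTRAIL_TRACE, "100002"))
```

"Evaluated, but its conditions did not match" is the case to look at first: the parent fired and the child was reached, so the problem is the field name or value in the child rule, not the if_sid chain. If geoip_decoded returns None for an event that carries a source IP, the GeoIP database was not consulted and no geolocation condition can match.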

Nicolas Stefani

Sep 12, 2023, 3:26:00 PM
to Billy Gigurtsis, Wazuh | Mailing List
Hi Billy,

Sorry for the late reply. I'll be sharing this case with the team to get more insights about it. I'll be back ASAP with an answer.

Nicolas Stefani

Sep 18, 2023, 3:00:14 PM
to Billy Gigurtsis, Wazuh | Mailing List
Hi Billy,

Here you can find more updated steps to enable the GEOIP. I think you have all the steps checked, but just in case.

If you try the log test with "May 1 16:17:43 owl sshd[9024]: Accepted publickey for root from 200.16.16.1 port 37384 ssh2", do you get the srcgeoip field in the output of phase 2?

This is the field that we need to use to build a new rule. In your case, something like:

<group name="custom_cloudtrail,">
  <rule id="100002" level="5">
    <if_sid>80253</if_sid>
    <srcgeoip>United Kingdom</srcgeoip>
    <description>AWS signin from the United Kingdom detected.</description>
  </rule>
</group>