Unable to get lambda function cloudtrail events on wazuh
76 views
Skip to first unread message
digite amazon
Aug 24, 2023, 6:52:16 AM8/24/23
to Wazuh | Mailing List
Hi,
I have enabled cloudtrail logs on wazuh and able the logs in events section. However, wazuh is not providing the events for Lambda function(eg: Delete function, Create function etc.). I looked up for a solution for this on the chat group and found a workaround.
Sample logs:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDxxxxxxxxxxxxxxxxx",
"arn": "arn:aws:iam::2542xxxxxxxxxxxxxxx",
"accountId": "254xxxxxxxxxxx",
"accessKeyId": "ASIxxxxxxxxxxxxxxxxx",
"userName": "riyxxxxxxxxxxxxxxx",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-13T05:11:38Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-13T05:59:03Z",
"eventSource": "lambda.amazonaws.com",
"eventName": "DeleteFunction2015xxxx",
"awsRegion": "eu-north-1",
"sourceIPAddress": "120.11.102.1",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"requestParameters": {
"functionName": "myfunction"
},
"responseElements": null,
"requestID": "ee8e5e7b-3ded-456d-bfc8zzzzzzzzzzz",
"eventID": "45bece99-d1800-4fe5-0000-5db6ecfiwiwjn5",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "254289409ww88w",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "lambda.eu-north-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
This is one example for delete function event (from the cloudtrail)
The following sample contains a rule for API calls and a child rule that includes the lambda function reference. I added this to the /var/ossec/etc/rules/local_rules.xml file:
<group name="amazon,aws,">
<rule id="80210" level="3">
<decoded_as>json</decoded_as>
<field name="eventType">AwsApiCall</field>
<options>no_full_log</options>
<description>AWS API Call: $(eventSource) - $(eventName).</description>
<group>aws_api_call,</group>
</rule>
<rule id="80211" level="3">
<if_sid>80210</if_sid>
<field name="requestParameters.functionName"></field>
<options>no_full_log</options>
<description>AWS Lambda Function $(requestParameters.functionName): $(eventSource) - $(eventName).</description>
<group>aws_api_call,aws_lambda_func,</group>
</rule>
</group>
I have added the above to the local_rules.xml file and restarted the manager. The rule is also reflecting in wazuh rules section but I am unable to get the logs in the events section. Please guide if I am missing something.
Sample logs:
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDxxxxxxxxxxxxxxxxx",
"arn": "arn:aws:iam::2542xxxxxxxxxxxxxxx",
"accountId": "254xxxxxxxxxxx",
"accessKeyId": "ASIxxxxxxxxxxxxxxxxx",
"userName": "riyxxxxxxxxxxxxxxx",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-13T05:11:38Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-13T05:59:03Z",
"eventSource": "lambda.amazonaws.com",
"eventName": "DeleteFunction2015xxxx",
"awsRegion": "eu-north-1",
"sourceIPAddress": "120.11.102.1",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36",
"requestParameters": {
"functionName": "myfunction"
},
"responseElements": null,
"requestID": "ee8e5e7b-3ded-456d-bfc8zzzzzzzzzzz",
"eventID": "45bece99-d1800-4fe5-0000-5db6ecfiwiwjn5",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "254289409ww88w",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "lambda.eu-north-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
This is one example for delete function event (from the cloudtrail)
The following sample contains a rule for API calls and a child rule that includes the lambda function reference. I added this to the /var/ossec/etc/rules/local_rules.xml file:
<group name="amazon,aws,">
<rule id="80210" level="3">
<decoded_as>json</decoded_as>
<field name="eventType">AwsApiCall</field>
<options>no_full_log</options>
<description>AWS API Call: $(eventSource) - $(eventName).</description>
<group>aws_api_call,</group>
</rule>
<rule id="80211" level="3">
<if_sid>80210</if_sid>
<field name="requestParameters.functionName"></field>
<options>no_full_log</options>
<description>AWS Lambda Function $(requestParameters.functionName): $(eventSource) - $(eventName).</description>
<group>aws_api_call,aws_lambda_func,</group>
</rule>
</group>
I have added the above to the local_rules.xml file and restarted the manager. The rule is also reflecting in wazuh rules section but I am unable to get the logs in the events section. Please guide if I am missing something.
Kasim Mustapha
Aug 24, 2023, 7:37:23 AM8/24/23
to Wazuh | Mailing List
Hello digite amazon,
If you're not seeing the expected logs in the events section, there could be a few things to check:
1. Make sure that the AWS API call and AWS Lambda logs are being properly forwarded to your Wazuh manager. If the logs aren't reaching the Wazuh manager, the rules won't be triggered. You can enable and check the archive logs to verify this. Your rule indicates <decoded_as>json</decoded_as>. This suggests that the incoming logs are expected to be in JSON format. Make sure that the logs you're receiving are actually in JSON format, and that they are being decoded correctly by Wazuh. Incorrect decoding can result in log data being ignored.
https://documentation.wazuh.com/current/cloud-security/amazon/services/troubleshooting.html#checking-if-logs-are-being-processed
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html
2 The rules you've defined have a level attribute set to 3. This indicates that they are of severity level 3. Check your Wazuh configuration to ensure that this severity level is being monitored. If it's not configured to monitor level 3 events, you won't see the corresponding logs in the events section.
From what you've mentioned. I don't see anything wrong with it. I've also tried to replicate your issue.
If you're not seeing the expected logs in the events section, there could be a few things to check:
1. Make sure that the AWS API call and AWS Lambda logs are being properly forwarded to your Wazuh manager. If the logs aren't reaching the Wazuh manager, the rules won't be triggered. You can enable and check the archive logs to verify this. Your rule indicates <decoded_as>json</decoded_as>. This suggests that the incoming logs are expected to be in JSON format. Make sure that the logs you're receiving are actually in JSON format, and that they are being decoded correctly by Wazuh. Incorrect decoding can result in log data being ignored.
https://documentation.wazuh.com/current/cloud-security/amazon/services/troubleshooting.html#checking-if-logs-are-being-processed
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-it-works.html
2 The rules you've defined have a level attribute set to 3. This indicates that they are of severity level 3. Check your Wazuh configuration to ensure that this severity level is being monitored. If it's not configured to monitor level 3 events, you won't see the corresponding logs in the events section.
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/alerts.html#log-alert-level
3. Look into the logs of your Wazuh manager for any error messages or warnings related to the processing of rules and logs. This can provide insights into what might be going wrong.
https://documentation.wazuh.com/current/cloud-security/amazon/services/troubleshooting.html
4. After making any changes to the rule configuration or the Wazuh setup, it's a good idea to restart the Wazuh manager and any relevant services to ensure the changes take effect.
I hope this helps. Let me know how it goes.
3. Look into the logs of your Wazuh manager for any error messages or warnings related to the processing of rules and logs. This can provide insights into what might be going wrong.
https://documentation.wazuh.com/current/cloud-security/amazon/services/troubleshooting.html
4. After making any changes to the rule configuration or the Wazuh setup, it's a good idea to restart the Wazuh manager and any relevant services to ensure the changes take effect.
I hope this helps. Let me know how it goes.
digite amazon
Aug 25, 2023, 5:31:29 AM8/25/23
to Wazuh | Mailing List
Hi Kasim,
I have tried the above 4 steps. Here are my findings.
1. All the lambda function cloudtrail events are forwarded to wazuh in JSON format.
2. I have verified the alert configuration, it is set to 3.
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>3</email_alert_level>
</alerts>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>3</email_alert_level>
</alerts>
3. There were no error messages or warnings generated in the logs section. It did show that cloudtrail logs are fetched. (I am able to get rest of the cloudtrail event logs in the events section but not the lambda function cloudtrail events)
Aug 25, 2023 @ 14:57:49.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished.
Aug 25, 2023 @ 14:57:48.000 wazuh-modulesd:aws-s3 INFO Starting fetching of logs.
Aug 25, 2023 @ 14:57:48.000 wazuh-modulesd:aws-s3 INFO Executing Bucket Analysis: (Bucket: aws-cloudtrail-logs-xxxxxxxx-3c98f26d, Type: cloudtrail, Profile: default)
Aug 25, 2023 @ 14:56:50.000 wazuh-modulesd:aws-s3 INFO Fetching logs finished.
Aug 25, 2023 @ 14:56:48.000 wazuh-modulesd:aws-s3 INFO Starting fetching of logs.
Aug 25, 2023 @ 14:56:48.000 wazuh-modulesd:aws-s3 INFO Executing Bucket Analysis: (Bucket: aws-cloudtrail-logs-xxxxxxxxx-3c98f26d, Type: cloudtrail, Profile: default)
4. I did restart the wazuh manager after configuration changes.
I am using AWS marketplace Wazuh AMI in AWS, I hope it does not differ in any manner.
Please help regarding this issue. Your help will be much appreciated.
digite amazon
Aug 29, 2023, 8:06:18 AM8/29/23
to Wazuh | Mailing List
Any update?
Reply all
Reply to author
Forward
0 new messages