Integration Amazon CloudTrail with Wazuh.


Javier Vivanco

Aug 24, 2018, 2:31:53 PM
to Wazuh mailing list
Hello, everybody. How are you? I'm having a problem.
I don't know if it's a bug or an error in my configuration. I'm integrating Amazon CloudTrail with Wazuh.
I don't see any alerts on kibana.

Wazuh Manager: 3.2.4-1
WazuhAPI 3.2.4-1

My ossec.conf



<wodle name="aws-cloudtrail">
<disabled>no</disabled>
<bucket>wazuhlog</bucket>
<access_key>-------------</access_key>
<secret_key>-------------</secret_key>
<remove_from_bucket>yes</remove_from_bucket>
<interval>15m</interval>
<run_on_start>yes</run_on_start>
</wodle>

logs/ossec.log

2018/08/24 17:41:25 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.
2018/08/24 17:56:21 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs started
2018/08/24 17:56:24 wazuh-modulesd:aws-cloudtrail: INFO: Fetching logs finished.

ruleset/VERSION

RULESET_VERSION="v3.2.3"
REVISION="3230"


root@XXXXX:/var/ossec# wodles/aws/aws.py -b wazuhlog -d

++ Found new log: 123456789_CloudTrail_us-east-1_--------_----.json.gz

root@XXXXX:/var/ossec# grep -rn ConsoleLogin logs/archives/archives.log | cut -c57- | jq
{
  "aws": {
    "eventVersion": "1.05",
    "eventID": "a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx",
    "eventTime": "2018-08-24T17:20:08Z",
    "log_file": "12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz",
    "additionalEventData": {
      "MFAUsed": "No",
      "LoginTo": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true",
      "MobileVersion": "No"
    },
    "eventType": "AwsConsoleSignIn",
    "errorMessage": "Failed authentication",
    "responseElements": {
      "ConsoleLogin": "Failure"
    },
    "awsRegion": "us-east-1",
    "eventName": "ConsoleLogin",
    "userIdentity": {
      "userName": "123123123",
      "accessKeyId": "",
      "type": "IAMUser",
      "principalId": "XXXXXXXXXXXXXXX",
      "accountId": "12345678"
    },
    "eventSource": "signin.amazonaws.com",
    "userAgent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0",
    "sourceIPAddress": "1.1.11.1",
    "recipientAccountId": "12345678"
  },
  "integration": "aws"
}

# jq .aws.eventSource,.aws.eventName,.aws.errorCode

root@XXXXX:/var/ossec# grep -rn ConsoleLogin logs/archives/archives.log | grep Wazuh |cut -c57-  | tail -n1 |jq .aws.eventSource,.aws.eventName,.aws.errorCode
"signin.amazonaws.com"
"ConsoleLogin"

-------------------------------------------------------------------------------------------------

lookup="match_key" etc/lists/amazon/aws-sources
# etc/lists/amazon/aws-sources
root@xxxxxxx:/var/ossec#  grep -rn signin.amazonaws.com etc/lists/amazon/aws-sources
4:signin.amazonaws.com

----------------------------------------------------------------------------------------------------
lookup="match_key" etc/lists/amazon/aws-eventnames
root@xxxxxxx:/var/ossec#  grep -rn ConsoleLogin etc/lists/amazon/aws-eventnames
12:ConsoleLogin:
-------------------------------------------------------------------------------------------------

# ruleset/rules/0350-amazon_rules.xml

    <!-- Filter 1: Only AWS events -->
    <rule id="80200" level="0">
        <decoded_as>json</decoded_as>
        <field name="aws.eventSource">\.+</field>
        <description>Amazon alerts.</description>
    </rule>

    <!-- Filter 2: Only eventSource in etc/lists/amazon/aws-sources -->
    <rule id="80201" level="0">
        <if_sid>80200</if_sid>
        <list field="aws.eventSource" lookup="match_key">etc/lists/amazon/aws-sources</list>
        <description>Amazon: $(aws.eventSource).</description>
    </rule>

    <!-- Filter 3: Only eventName in etc/lists/amazon/aws-eventnames -->
    <rule id="80202" level="3">
        <if_sid>80201</if_sid>
        <list field="aws.eventName" lookup="match_key">etc/lists/amazon/aws-eventnames</list>
        <description>Amazon: $(aws.eventSource) - $(aws.eventName).</description>
        <group>pci_dss_10.6.1,gdpr_IV_35.7.d,</group>
    </rule>

    <!-- If there is an error code: increase the level and change description -->
    <rule id="80203" level="4">
        <if_sid>80202</if_sid>
        <field name="aws.errorCode">\.+</field>
        <description>Amazon: $(aws.eventSource) - $(aws.eventName). Error: $(aws.errorCode).</description>
        <group>pci_dss_10.6.1,amazon-error,gdpr_IV_35.7.d,</group>
    </rule>


---------------------------------------------------------------
cat /usr/share/kibana/plugins/wazuh/package.json
{
    "name": "wazuh",
    "version": "3.2.3",
    "revision": "0392",
    "kibana": {
        "version": "6.2.4"
    },
    "description": "Wazuh app",
    "main": "index.js",
    "keywords": [
        "kibana",
        "wazuh",
        "ossec"
    ],
    "author": "Wazuh, Inc",
    "license": "GPL-2.0",
    "repository": {
        "type": "git",
        "url": "https://github.com/wazuh/wazuh-kibana-app.git"
    },
    "bugs": {
        "url": "https://github.com/wazuh/wazuh-kibana-app/issues"
    },
    "homepage": "https://www.wazuh.com/",
    "dependencies": {
        "angular-animate": "1.6.5",
        "angular-aria": "1.6.5",
        "angular-cookies": "1.6.5",
        "angular-material": "1.1.1",
        "angular-md5": "^0.1.10",
        "ansicolors": "^0.3.2",
        "dom-to-image": "^2.6.0",
        "install": "^0.10.1",
        "js-yaml": "3.10.0",
        "json2csv": "^4.1.2",
        "lodash": "3.10.1",
        "needle": "^2.0.1",
        "node-cron": "^1.1.2",
        "pdfkit": "^0.8.3",
        "timsort": "^0.3.0",
        "winston": "3.0.0-rc1"
    }
}
-----------------------------


[Attached screenshot: 2018-08-24 15-17-31.png]
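The four rules from 0350-amazon_rules.xml quoted above form a chain (80200 -> 80201 -> 80202 -> 80203), and the sample event carries an errorMessage but no errorCode field, so 80203 cannot fire for it. The following Python model of that chain is an added illustration, not code from the thread or from Wazuh; the CDB list contents are copied from the grep output above, the two events are constructed, and the log_alert_level threshold of 3 is an assumption.

```python
import json

# CDB list sources as grepped in the thread; lookup="match_key" compares the
# field against the part before the first ":" on each line.
AWS_SOURCES = "signin.amazonaws.com\n"
AWS_EVENTNAMES = "ConsoleLogin:\n"

# Constructed events. The first mirrors the thread's sample (errorMessage, no errorCode);
# the second adds an errorCode so the last rule in the chain can match.
FAILED_LOGIN = json.dumps({"aws": {"eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
    "responseElements": {"ConsoleLogin": "Failure"}}, "integration": "aws"})
WITH_ERROR_CODE = json.dumps({"aws": {"eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin", "errorCode": "AccessDenied"}, "integration": "aws"})

def load_cdb_keys(text):
    """Return the set of keys from a 'key:value' per line CDB list source."""
    return {ln.split(":", 1)[0].strip() for ln in text.splitlines() if ln.strip()}

def get_field(event, dotted):
    """Resolve a decoded name such as 'aws.eventSource' in the nested JSON document."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def evaluate(raw_log, sources, eventnames):
    """Walk the chain and return (rule_id, level) of the deepest matching rule, or None."""
    event = json.loads(raw_log)
    # 80200: <field name="aws.eventSource">\.+</field>; in OSSEC regex '\.' is any character,
    # so this only requires the field to exist and be non-empty.
    if not get_field(event, "aws.eventSource"):
        return None
    matched = ("80200", 0)
    if get_field(event, "aws.eventSource") not in sources:   # 80201: list match_key
        return matched
    matched = ("80201", 0)
    if get_field(event, "aws.eventName") not in eventnames:  # 80202: list match_key
        return matched
    matched = ("80202", 3)
    if get_field(event, "aws.errorCode"):                    # 80203: needs aws.errorCode
        matched = ("80203", 4)
    return matched

def alert_generated(result, log_alert_level=3):
    """An alert is only written when the rule level reaches log_alert_level (assumed 3)."""
    return result is not None and result[1] >= log_alert_level
```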

Pedro Sánchez

Aug 24, 2018, 2:53:45 PM
to javier12...@gmail.com, Wazuh mailing list
Hi Javier,

I have just installed a fresh 3.2.3 manager version in my environment to simulate your scenario.
Right after installing the manager, I used the "ossec-logtest" tool with the sample AWS alert you pasted in your email.
It is matching rule ID "80254" and looks correct.
Could you try to run ossec-logtest the same way I did?

/var/ossec/bin/ossec-logtest

Paste the event

root@ubuntu-xenial:/home/vagrant# /var/ossec/bin/ossec-logtest
2018/08/24 18:48:37 ossec-testrule: INFO: Started (pid: 4282).
ossec-testrule: Type one log per line.
{"aws":{"eventVersion":"1.05","eventID":"a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx","eventTime":"2018-08-24T17:20:08Z","log_file":"12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz","additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true","MobileVersion":"No"},"eventType":"AwsConsoleSignIn","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"},"awsRegion":"us-east-1","eventName":"ConsoleLogin","userIdentity":{"userName":"123123123","accessKeyId":"","type":"IAMUser","principalId":"XXXXXXXXXXXXXXX","accountId":"12345678"},"eventSource":"signin.amazonaws.com","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","sourceIPAddress":"1.1.11.1","recipientAccountId":"12345678"},"integration":"aws"}

**Phase 1: Completed pre-decoding.
       full event: '{"aws":{"eventVersion":"1.05","eventID":"a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx","eventTime":"2018-08-24T17:20:08Z","log_file":"12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz","additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true","MobileVersion":"No"},"eventType":"AwsConsoleSignIn","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"},"awsRegion":"us-east-1","eventName":"ConsoleLogin","userIdentity":{"userName":"123123123","accessKeyId":"","type":"IAMUser","principalId":"XXXXXXXXXXXXXXX","accountId":"12345678"},"eventSource":"signin.amazonaws.com","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","sourceIPAddress":"1.1.11.1","recipientAccountId":"12345678"},"integration":"aws"}'
       timestamp: '(null)'
       hostname: 'ubuntu-xenial'
       program_name: '(null)'
       log: '{"aws":{"eventVersion":"1.05","eventID":"a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx","eventTime":"2018-08-24T17:20:08Z","log_file":"12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz","additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true","MobileVersion":"No"},"eventType":"AwsConsoleSignIn","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"},"awsRegion":"us-east-1","eventName":"ConsoleLogin","userIdentity":{"userName":"123123123","accessKeyId":"","type":"IAMUser","principalId":"XXXXXXXXXXXXXXX","accountId":"12345678"},"eventSource":"signin.amazonaws.com","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","sourceIPAddress":"1.1.11.1","recipientAccountId":"12345678"},"integration":"aws"}'
**Phase 2: Completed decoding.
       decoder: 'json'
       aws.eventVersion: '1.05'
       aws.eventID: 'a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx'
       aws.eventTime: '2018-08-24T17:20:08Z'
       aws.log_file: '12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz'
       aws.additionalEventData.MFAUsed: 'No'
       aws.additionalEventData.LoginTo: 'https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true'
       aws.additionalEventData.MobileVersion: 'No'
       aws.eventType: 'AwsConsoleSignIn'
       aws.errorMessage: 'Failed authentication'
       aws.responseElements.ConsoleLogin: 'Failure'
       aws.awsRegion: 'us-east-1'
       aws.eventName: 'ConsoleLogin'
       aws.userIdentity.userName: '123123123'
       aws.userIdentity.accessKeyId: ''
       aws.userIdentity.type: 'IAMUser'
       aws.userIdentity.principalId: 'XXXXXXXXXXXXXXX'
       aws.userIdentity.accountId: '12345678'
       aws.eventSource: 'signin.amazonaws.com'
       aws.userAgent: 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0'
       aws.sourceIPAddress: '1.1.11.1'
       aws.recipientAccountId: '12345678'
       integration: 'aws'
**Phase 3: Completed filtering (rules).
       Rule id: '80254'
       Level: '5'
       Description: 'Amazon: signin.amazonaws.com - ConsoleLogin - User Login failed.'
**Alert to be generated.

Could you try to search for this event in your Kibana interface? Try not to use "AWS" panel but rather go to standard Kibana "discover" panel and search for "aws".

Thanks for your detailed feedback; you gave us a lot of details, and it is always appreciated.

Best regards,
Pedro 'snaow' Sanchez.




Javier Vivanco

Aug 24, 2018, 3:28:56 PM
to pe...@wazuh.com, wa...@googlegroups.com
The configuration I have is the default of the installation.
It only reaches rule 80200 and does not continue.
--------------------------------------
 /var/ossec/bin/ossec-logtest
2018/08/24 19:25:58 ossec-testrule: INFO: Started (pid: 21821).

ossec-testrule: Type one log per line.

{"aws":{"eventVersion":"1.05","eventID":"a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx","eventTime":"2018-08-24T17:20:08Z","log_file":"12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz","additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true","MobileVersion":"No"},"eventType":"AwsConsoleSignIn","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"},"awsRegion":"us-east-1","eventName":"ConsoleLogin","userIdentity":{"userName":"123123123","accessKeyId":"","type":"IAMUser","principalId":"XXXXXXXXXXXXXXX","accountId":"12345678"},"eventSource":"signin.amazonaws.com","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","sourceIPAddress":"1.1.11.1","recipientAccountId":"12345678"},"integration":"aws"}


**Phase 1: Completed pre-decoding.
       full event: '{"aws":{"eventVersion":"1.05","eventID":"a48ffa42-d17c-42ba-9888-xxxxxxxxxxxxxxxxx","eventTime":"2018-08-24T17:20:08Z","log_file":"12345678_CloudTrail_us-east-1_20180824T1725Z_Exxxxr.json.gz","additionalEventData":{"MFAUsed":"No","LoginTo":"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true","MobileVersion":"No"},"eventType":"AwsConsoleSignIn","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"},"awsRegion":"us-east-1","eventName":"ConsoleLogin","userIdentity":{"userName":"123123123","accessKeyId":"","type":"IAMUser","principalId":"XXXXXXXXXXXXXXX","accountId":"12345678"},"eventSource":"signin.amazonaws.com","userAgent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0","sourceIPAddress":"1.1.11.1","recipientAccountId":"12345678"},"integration":"aws"}'
       timestamp: '(null)'
       hostname: 'ip-172-31-71-123'
       Rule id: '80200'
       Level: '0'
       Description: 'Amazon alerts.'



Javier Vivanco

Aug 24, 2018, 5:16:44 PM
to pe...@wazuh.com, wa...@googlegroups.com
I found the solution in this thread: increase the level of the alert and it worked.


Thank you so much for your time, Pedro

Pedro Sánchez

Aug 27, 2018, 7:35:08 AM
to Javier Vivanco, Wazuh mailing list
Hi Javier,

I am glad you found the solution.
I don't know why the rule is not matching in your environment; I used the out-of-the-box 3.2.3 version.

Let us know if you need more help with Amazon rules, we are really focused on improving Amazon integration (AWS infrastructure monitoring & AWS service data monitoring).

Best,
Pedro 'snaow' Sanchez.