Detect an event based on string contents.


Charles Rawls

Mar 14, 2024, 11:27:47 AM
to Wazuh | Mailing List
Gentlebeings:

I am sure this has been asked prior, but cannot find an answer.

Situation:

I have a list of events like:
ApplySecurityGroupsToClientVpnTargetNetwork:ec2
AuthorizeSecurityGroupEgress:ec2
AuthorizeSecurityGroupIngress:ec2
CreateSecurityGroup:ec2
DeleteSecurityGroup:ec2
ModifySecurityGroupRules:ec2
RevokeSecurityGroupEgress:ec2
RevokeSecurityGroupIngress:ec2
UpdateSecurityGroupRuleDescriptionsEgress:ec2
UpdateSecurityGroupRuleDescriptionsIngress:ec2

I wish to raise an alarm if any of the above events are detected.  The rule would look similar to:
<rule id="100093" level="11">
    <if_sid>100002</if_sid>
    <field name="aws.eventName">* SecurityGroup *</field>
    <options>no_full_log</options>
    <description>Account: $(aws.aws_account_id) $(aws.eventSource) - $(aws.eventName).</description>
  </rule>

Obviously this does not work, I suspect some form of regex in the field name verse, but cannot sort it out.

Any clues would be greatly appreciated; and thank you in advance.




Jeremias Ignacio Posse

Mar 15, 2024, 3:11:11 PM
to Wazuh | Mailing List
Hi Charles Rawls! You're trying to create a rule in CloudWatch that triggers an alarm when specific events related to security groups are detected. Unfortunately, CloudWatch event pattern matching does not directly support regular expressions for field names. However, I can provide you with an alternative approach to achieving your goal.

1. **Exact Field Matching**:
   As you mentioned, the current rule you've defined doesn't work because it uses a wildcard (`*`) in the field name. Instead, you need to specify exact field names. For example, if you want to match events related to security groups, you can use the following:


    <rule id="100093" level="11">
        <if_sid>100002</if_sid>
        <field name="aws.eventName">AuthorizeSecurityGroupEgress</field>
        <field name="aws.eventName">AuthorizeSecurityGroupIngress</field>
        <!-- Add other relevant security group event names here -->

        <options>no_full_log</options>
        <description>Account: $(aws.aws_account_id) $(aws.eventSource) - $(aws.eventName).</description>
    </rule>

   Replace the comment with the actual event names you want to monitor.

2. **Prefix Matching (EventBridge)**:
   If you're using EventBridge (formerly CloudWatch Events), you can achieve a similar effect using prefix matching. For example:

    {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Security Group Event"],
        "detail": {
            "eventName": [
                { "prefix": "AuthorizeSecurityGroup" },
                { "prefix": "RevokeSecurityGroup" }
                /* Add other relevant prefixes here */
            ]
        }
    }


   Again, replace the comment with the appropriate prefixes.

3. **Numeric Matching (GuardDuty Example)**:
   You can use numeric matching expressions if you're dealing with numeric values (e.g., severity levels). For example:


    {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "severity": [
                { "numeric": [">", 0, "<=", 8.9] }
            ]
        }
    }

   Modify this example to suit your specific use case.

Remember that CloudWatch event pattern matching is exact (character-by-character), and there's no direct support for regex. Choose the approach that best fits your requirements based on the available options. If you have any further questions, feel free to ask! 🚀

Also, let me share with you some useful links:
Regex in CloudWatch event pattern matching - Stack Overflow. https://stackoverflow.com/questions/54657189/regex-in-cloudwatch-event-pattern-matching.
Amazon Cloudwatch Logs Insights parse with regex. https://stackoverflow.com/questions/54920363/amazon-cloudwatch-logs-insights-parse-with-regex.


Thanks for using Wazuh! Greetings,
Jeremias.
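For readers who want to do this inside Wazuh itself rather than in EventBridge: the Wazuh `<field>` element is a regex condition, not an exact-string condition, so one anchored alternation covers the whole list in the original question. The block below is an added example and is not code from either poster or from the Wazuh project. It embeds a hypothetical rule (rule id, `if_sid` and description copied from the question; the regex and the `type="pcre2"` attribute, which selects PCRE2 syntax in Wazuh 4.3 and later, are my assumptions), pulls the `<field>` regex out of the XML and runs it over constructed CloudTrail-style events in the shape the Wazuh AWS module produces. Two points it makes that the thread does not: a bare `SecurityGroup` match would also fire on read-only calls such as `DescribeSecurityGroups`, so the pattern anchors on the mutating verbs, and several `<field>` elements in a single rule are ANDed, so two `aws.eventName` conditions in one rule can never both be true.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical Wazuh rule (assumed form, not from the thread). <field> takes a
# regex; the anchored alternation matches every mutating SecurityGroup API call
# from the question and leaves read-only Describe* calls out.
RULE_XML = """
<group name="aws,cloudtrail,">
  <rule id="100093" level="11">
    <if_sid>100002</if_sid>
    <field name="aws.eventName" type="pcre2">^(Apply|Authorize|Create|Delete|Modify|Revoke|Update)SecurityGroup</field>
    <options>no_full_log</options>
    <description>Account: $(aws.aws_account_id) $(aws.eventSource) - $(aws.eventName).</description>
  </rule>
</group>
"""


def load_field_patterns(rule_xml):
    """Return {field name: compiled regex} for every <field> in the rule."""
    root = ET.fromstring(rule_xml.strip())
    return {f.get("name"): re.compile(f.text) for f in root.iter("field")}


def lookup(event, dotted_name):
    """Resolve a dotted field name such as 'aws.eventName' in a decoded event."""
    node = event
    for part in dotted_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def rule_matches(event, patterns):
    """All <field> conditions of one rule are ANDed: every one must match."""
    for name, pattern in patterns.items():
        value = lookup(event, name)
        if value is None or not pattern.search(str(value)):
            return False
    return True


def _event(name, source="ec2.amazonaws.com", account="123456789012"):
    # Constructed sample event in the aws.* layout the Wazuh AWS module emits;
    # not a real CloudTrail record.
    return {"aws": {"eventName": name, "eventSource": source, "aws_account_id": account}}


SAMPLE_EVENTS = [_event(n) for n in [
    "ApplySecurityGroupsToClientVpnTargetNetwork",
    "AuthorizeSecurityGroupEgress",
    "AuthorizeSecurityGroupIngress",
    "CreateSecurityGroup",
    "DeleteSecurityGroup",
    "ModifySecurityGroupRules",
    "RevokeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "UpdateSecurityGroupRuleDescriptionsEgress",
    "UpdateSecurityGroupRuleDescriptionsIngress",
    "DescribeSecurityGroups",       # read-only: must not alert
    "DescribeSecurityGroupRules",   # read-only: must not alert
    "RunInstances",                 # unrelated EC2 call
]] + [_event("GetCallerIdentity", source="sts.amazonaws.com")]


def alerting_event_names(events=SAMPLE_EVENTS, rule_xml=RULE_XML):
    """Names of the events the rule would fire on, in input order."""
    patterns = load_field_patterns(rule_xml)
    return [e["aws"]["eventName"] for e in events if rule_matches(e, patterns)]


if __name__ == "__main__":
    for name in alerting_event_names():
        print("ALERT", name)
```

Before shipping the rule, feed a real decoded CloudTrail event through `/var/ossec/bin/wazuh-logtest` and confirm rule 100093 fires for an `AuthorizeSecurityGroupIngress` and stays silent for a `DescribeSecurityGroups`; if the manager is older than 4.3 and rejects `type="pcre2"`, drop the attribute and check the pattern against the OS_Regex syntax in the Wazuh documentation.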