Amazon Web Services (AWS) logs
When you have resources hosted on Amazon Web Services (AWS) and need to audit the overall activity of the platform, you need to enable AWS CloudTrail. Once this feature is enabled, the activity occurring in your AWS account is recorded as CloudTrail events.
These events are searchable and are kept for 90 days in your AWS account. The following is an example of a trail:
Figure 17.3: Trails shown in AWS
If you click Event history in the left navigation, you can see the list of events that were recorded. The list below contains some interesting events, including the deletion of a volume and the creation of a new role:
Figure 17.4: Event history in AWS
This is a comprehensive list of all the events that were tracked. You can click on any of these events to obtain more detailed information about it, as shown below:
Figure 17.5: Specific event information when clicking on one of the events listed in AWS
If you want to see the raw JSON for the event, click the View event button and you will have access to it.
Accessing AWS logs from Microsoft Sentinel
If you are using Microsoft Sentinel as your SIEM platform, you can use the Amazon Web Services Data Connector available in Microsoft Sentinel to stream the following logs to the Microsoft Sentinel workspace:
- Amazon Virtual Private Cloud (VPC) - VPC Flow Logs
- Amazon GuardDuty - Findings
- AWS CloudTrail - Management and data events
Once the connector is configured, it will show a status similar to the screenshot below:
Figure 17.6: AWS connector status in Microsoft Sentinel
For more information on how to configure that, visit: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws.
After finishing the configuration, you can start investigating your AWS CloudTrail logs using Kusto Query Language (KQL) in Log Analytics. For example, the query below lists the user creation events summarized by region:
Figure 17.7: KQL query retrieving data ingested from AWS CloudTrail events
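A KQL query of the kind shown in the figure, written here as an added example rather than the one from the book; it assumes the AWSCloudTrail table populated by the connector, with its EventSource, EventName, ErrorCode, RequestParameters, UserIdentityArn, SourceIpAddress and AWSRegion columns:

```kql
// Added example (not the book's query): successful IAM CreateUser calls in the
// last 7 days, summarized per region with who made them and from which address.
AWSCloudTrail
| where TimeGenerated > ago(7d)
| where EventSource == "iam.amazonaws.com" and EventName == "CreateUser"
| where isempty(ErrorCode)                       // drop denied or failed attempts
| extend NewUser = tostring(parse_json(RequestParameters).userName)
| summarize UserCreations = count(),
            NewUsers      = make_set(NewUser),
            Callers       = make_set(UserIdentityArn),
            SourceIPs     = make_set(SourceIpAddress)
    by AWSRegion
| order by UserCreations desc
```

Because IAM is a global service, its events are recorded with us-east-1 as the region, so the per-region breakdown is most informative for regional services such as EC2; remove the ErrorCode filter if you also want to see attempts that were denied.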
When investigating AWS CloudTrail events, it is important to understand the different event types and what they represent. For a comprehensive list of events, visit https://cybersecurity.att.com/documentation/usm-anywhere/user-guide/events/cloudtrail-events-rules.htm.