-
Notifications
You must be signed in to change notification settings - Fork 429
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cloudtrail add origin and target #11245
base: main
Are you sure you want to change the base?
Conversation
241ed25
to
b5e160f
Compare
addField(target, "json.userIdentity.accountId"); | ||
|
||
} else if (eventName == "AttachUserPolicy") { | ||
addFields(target, new String[]{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tinnytintin10 For the AttachUserPolicy
event it was unclear what target should I use.
What happens is:
romulo
attached policy Audit
to user tinsae
.
The natural target would be tinsae
. But I wonder what to do with the Policy arn.
Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should capture both the user and the policy as targets for now since they are both key pieces of information. If we only capture the user, the analyst would need to look through the event details (in nested fields) to identify the attached policy, and if we only capture the policy, they'd have to do the same to identify the affected user. Capturing both makes it easier to understand the full context of the event.
When looking at the sample/test log for this event, i noticed that while we get the arn for the policy, we only get the username of the iam user involved (test-cloudtrail
). I suggest templatizing the creation of an ARN for the user and using this arn value in as one of the target ids:
arn:aws:iam::{accountId}:user/{userName}
Using the ARN helps indicate that it's an IAM user, similar to how the ARN for the policy inherently clarifies that it's a policy. This approach should make it more apparent in the data (target.id's value) what each entity is. Then, in the user.target.*
ECS fields, we can capture both the arn/id and name (user.target.name
, user.target.id
). wdyt?
That being said, even if we decide not to go down the route of templatizing the creation of the arn and just use the userName as the tatget.id, let's ensure the target username value is captured under user.target.name
too.
@terrancedejesus @imays11 @shashank-elastic would love to hear what you think for the case above
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another approach here could be to follow how the target field is used in existing ECS fields like user. For example:
Currently in ECS, if we wanted to normalize an IAM-related event where a user (tin) is added to a group (test-group) by user romulo, we would represent it like this (see the ECS documentation for reference):
{
"user": {
"name": "romulo",
"target": {
"name": "tin",
"group": { "name": "test-group" }
}
}
}
A few points to note here:
- The target field nested under user inherits the user.* fieldset.
- The group field nested under user.target is a standalone ECS fieldset used to normalize “group” entities (e.g., IAM groups), which can be nested under the user.* fieldset.
Applying a similar approach to our scenario—where IAM user romulo (actor) attached the IAM policy Audit to IAM user tin (target)—we could represent the actors and target like this:
{
"actor": {
"entity": {
"id": "arn:aws:iam::123456789012:user/romulo"
}
},
"target": {
"entity": {
"id": "arn:aws:iam::123456789012:user/tin",
"target": {
"id": "arn:aws:iam::aws:policy/SecurityAudit"
}
}
}
}
Since this event only has one actor and one target, we could also add more metadata to the entity fields to help with rendering the nodes in the graph visualization (cc @kfirpeled):
{
"actor": {
"entity": {
"id": "arn:aws:iam::123456789012:user/romulo",
"type": "AWS IAM User"
}
},
"target": {
"entity": {
"id": "arn:aws:iam::123456789012:user/tin",
"type": "AWS IAM User",
"target": {
"id": "arn:aws:iam::aws:policy/SecurityAudit",
"type": "AWS IAM Policy"
}
}
}
}
From a design perspective (cc @codearos), this could look something like:
@romulets, what do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding the templatizing the ARN field, this should be covered by https://github.com/elastic/security-team/issues/10650. Therefore I suggest we focus this PR on what are we storing, and we take care of trying to have a few identifiers as ARN (like user). Why do I say a few? I don't think it's worth to normalize it for services that traditionally are not ARN first, like ec2. Of course this is up to discussion.
Regarding on how to represent the impacted entity, I believe having a target, inside a target, it's confusing.
What I suggest, then, is to have another field something like affectedEntity
or eventProduct
, eventMaterial
, or something like that - had not had a great idea for naming I believe.
Being the goal of that field to solely represent entities that weren't necessarily targeted, but were either used or changed as part of the event.
Something like:
{
"actor": {
"entity": {
"id": ["arn:aws:iam::123456789012:user/romulo"]
}
},
"target": {
"entity": {
"id": ["arn:aws:iam::123456789012:user/tin"]
}
},
"affected": {
"entity": {
"id": ["arn:aws:iam::aws:policy/SecurityAudit"]
}
}
}
What do you think?
ps: I intentionally kept the type out because we are not covering that on this PR.
ps2: Also intentionally made all values arrays because that's how we are going to store it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tinnytintin10 and I hoped in a call and came up with the following idea:
The attached policy is also a target, but it has a different relationship description. And that seems to be needed from a graph perspective only. So what we could do is leverage what @kfirpeled has proposed with AdditionInfo
and add a relationshipLabel field there.
e.g.:
{
"actor": {
"entity": {
"id": [
"arn:aws:iam::123456789012:user/romulo"
]
}
},
"target": {
"entity": {
"id": [
"arn:aws:iam::123456789012:user/tin",
"arn:aws:iam::aws:policy/SecurityAudit"
],
"additionalInfo": {
"arn:aws:iam::aws:policy/SecurityAudit": {
"relationshipLabel": "Attached User Policy"
},
"arn:aws:iam::123456789012:user/tin": {
"relationshipLabel": "Was attached"
}
}
}
}
}
Of course this can also be a applied to what @eyalkraft suggests on keeping all the metadata of entities inside another field called entities
. Once we decide where will we keep the entities metadata, then we can take a decision of where to keep this information. But the good news are is that it doesn't seem to be that much work on top of what we already have and have planned.
6cef63a
to
5d506d5
Compare
"100", | ||
"acl-0af9cb843511d66d4" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tinnytintin10 I wonder what to do with delete network acl entry, because each entry doesn't have its own id - but has an acl + a manual rule number
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not entirely sure about this. ACL rule IDs are just numbers, in this case, 100
. These numbers aren't unique across ACLs. This means you can have acl-foo
and acl-bar
, both with a rule with the ID of 1. These rules aren't the same and probably allow or deny different types of traffic or network behavior in two different ACLs associated with different VPCs. With this in mind, just having 100
as the ID of the rule isn't ideal, especially once we begin graphing it.
We could:
- Prepend the rule ID with the
{acl-id} rule-id: {rule id}
and track two targets for this action. - Treat only the ACL as the main target and track the ACL rule as metadata or priorities about the ACL somewhere in
target.entity.*
I'm not sure what the right path is... Let me think more on this and get back to you tomorrow...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"sg-0f63fecfa17ef4fee", | ||
"sgr-027eb7c59241731e0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tinnytintin10 on AuthorizeSecurityGroupIngress
do we consider the security group as target or the underlying security group rule as target?
883391d
to
5c2dce2
Compare
"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", | ||
"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On PutBucketReplication
we can have the bucket we are replicating from, the bucket we are replicating to and both. What is the best @tinnytintin10 ?
"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", | ||
"arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On PutObject
we can have the bucket, the object, or both. What do you think @tinnytintin10 ?
011549d
to
94a4662
Compare
Also deleted unnecessary related info
54a33d7
to
b9e08ad
Compare
d445e1e
to
8f088ee
Compare
🚀 Benchmarks reportTo see the full report comment with |
Quality Gate failedFailed conditions See analysis details on SonarQube Catch issues before they fail your Quality Gate with our IDE extension SonarLint |
💚 Build Succeeded
History
|
"request_parameters": "{globalClusterIdentifier=myglobalcluster}", | ||
"response_elements": "{engineVersion=8.0.mysql_aurora.3.05.2, globalClusterResourceId=cluster-23a4c8770d2a9306, endpoint=myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com, globalClusterArn=arn:aws:rds::704479110758:global-cluster:myglobalcluster, engine=aurora-mysql, storageEncrypted=false, globalClusterIdentifier=myglobalcluster, status=available, deletionProtection=false}", | ||
"user_identity": { | ||
"access_key_id": "AKIA2IBR2EZTIIAMZZZL", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
"created": "2021-11-11T01:02:03.123456789Z", | ||
"id": "450f06c5-ece3-4b03-825e-b6791cbb71b8", | ||
"kind": "event", | ||
"original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"arn\":\"arn:aws:iam::704479110758:user/[email protected]\",\"accountId\":\"704479110758\",\"accessKeyId\":\"AKIA2IBR2EZTIIAMZZZL\",\"userName\":\"[email protected]\"},\"eventTime\":\"2024-10-16T12:00:32Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"DeleteGlobalCluster\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c99460e1-506d-4019-a094-ff9ee18d57a2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-global-cluster\",\"requestParameters\":{\"globalClusterIdentifier\":\"myglobalcluster\"},\"responseElements\":{\"globalClusterIdentifier\":\"myglobalcluster\",\"globalClusterResourceId\":\"cluster-23a4c8770d2a9306\",\"globalClusterArn\":\"arn:aws:rds::704479110758:global-cluster:myglobalcluster\",\"status\":\"available\",\"engine\":\"aurora-mysql\",\"engineVersion\":\"8.0.mysql_aurora.3.05.2\",\"storageEncrypted\":false,\"deletionProtection\":false,\"globalClusterMembers\":[],\"endpoint\":\"myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com\",\"tagList\":[]},\"requestID\":\"0fa55398-832a-4b9a-ae59-42cd82ce9ddd\",\"eventID\":\"450f06c5-ece3-4b03-825e-b6791cbb71b8\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"704479110758\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\"}}", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
}, | ||
"related": { | ||
"entity": [ | ||
"AKIA2IBR2EZTIIAMZZZL", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
"request_id": "14743001-eef4-4746-b324-92b3d5f294f4", | ||
"request_parameters": "{scope=REGIONAL, name=TestWebAcl, lockToken=6d67ea01-9048-4ab5-addf-c5da40e9b182, id=a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5}", | ||
"user_identity": { | ||
"access_key_id": "ASIA2IBR2EZTBTFAHWHC", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
"created": "2021-11-11T01:02:03.123456789Z", | ||
"id": "630b00c0-475b-43e4-91d2-baec779aaf1d", | ||
"kind": "event", | ||
"original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:user/[email protected]\",\"accountId\":\"000000000\",\"accessKeyId\":\"ASIA2IBR2EZTBTFAHWHC\",\"userName\":\"[email protected]\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2024-10-16T09:52:01Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-10-16T12:29:24Z\",\"eventSource\":\"wafv2.amazonaws.com\",\"eventName\":\"DeleteWebACL\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\",\"requestParameters\":{\"name\":\"TestWebAcl\",\"scope\":\"REGIONAL\",\"id\":\"a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5\",\"lockToken\":\"6d67ea01-9048-4ab5-addf-c5da40e9b182\"},\"responseElements\":null,\"requestID\":\"14743001-eef4-4746-b324-92b3d5f294f4\",\"eventID\":\"630b00c0-475b-43e4-91d2-baec779aaf1d\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"apiVersion\":\"2019-04-23\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"wafv2.us-east-1.amazonaws.com\"},\"sessionCredentialFromConsole\":\"true\"}", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
"a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5", | ||
"[email protected]", | ||
"arn:aws:iam::000000000:user/[email protected]", | ||
"ASIA2IBR2EZTBTFAHWHC" |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
WIP