Cloudtrail add origin and target #11245
Conversation
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
from
241ed25
to
b5e160f
Compare
| addField(target, "json.userIdentity.accountId"); | ||
|
|
||
| } else if (eventName == "AttachUserPolicy") { | ||
| addFields(target, new String[]{ |
There was a problem hiding this comment.
@tinnytintin10 For the AttachUserPolicy event it was unclear what target should I use.
What happens is:
romulo attached policy Audit to user tinsae.
The natural target would be tinsae. But I wonder what to do with the Policy arn.
Wdyt?
There was a problem hiding this comment.
We should capture both the user and the policy as targets for now since they are both key pieces of information. If we only capture the user, the analyst would need to look through the event details (in nested fields) to identify the attached policy, and if we only capture the policy, they'd have to do the same to identify the affected user. Capturing both makes it easier to understand the full context of the event.
When looking at the sample/test log for this event, i noticed that while we get the arn for the policy, we only get the username of the iam user involved (test-cloudtrail). I suggest templatizing the creation of an ARN for the user and using this arn value in as one of the target ids:
arn:aws:iam::{accountId}:user/{userName}
Using the ARN helps indicate that it's an IAM user, similar to how the ARN for the policy inherently clarifies that it's a policy. This approach should make it more apparent in the data (target.id's value) what each entity is. Then, in the user.target.* ECS fields, we can capture both the arn/id and name (user.target.name, user.target.id). wdyt?
That being said, even if we decide not to go down the route of templatizing the creation of the arn and just use the userName as the tatget.id, let's ensure the target username value is captured under user.target.name too.
@terrancedejesus @imays11 @shashank-elastic would love to hear what you think for the case above
There was a problem hiding this comment.
Another approach here could be to follow how the target field is used in existing ECS fields like user. For example:
Currently in ECS, if we wanted to normalize an IAM-related event where a user (tin) is added to a group (test-group) by user romulo, we would represent it like this (see the ECS documentation for reference):
{
"user": {
"name": "romulo",
"target": {
"name": "tin",
"group": { "name": "test-group" }
}
}
}A few points to note here:
- The target field nested under user inherits the user.* fieldset.
- The group field nested under user.target is a standalone ECS fieldset used to normalize “group” entities (e.g., IAM groups), which can be nested under the user.* fieldset.
Applying a similar approach to our scenario—where IAM user romulo (actor) attached the IAM policy Audit to IAM user tin (target)—we could represent the actors and target like this:
{
"actor": {
"entity": {
"id": "arn:aws:iam::123456789012:user/romulo"
}
},
"target": {
"entity": {
"id": "arn:aws:iam::123456789012:user/tin",
"target": {
"id": "arn:aws:iam::aws:policy/SecurityAudit"
}
}
}
}Since this event only has one actor and one target, we could also add more metadata to the entity fields to help with rendering the nodes in the graph visualization (cc @kfirpeled):
{
"actor": {
"entity": {
"id": "arn:aws:iam::123456789012:user/romulo",
"type": "AWS IAM User"
}
},
"target": {
"entity": {
"id": "arn:aws:iam::123456789012:user/tin",
"type": "AWS IAM User",
"target": {
"id": "arn:aws:iam::aws:policy/SecurityAudit",
"type": "AWS IAM Policy"
}
}
}
}From a design perspective (cc @codearos), this could look something like:
@romulets, what do you think?
There was a problem hiding this comment.
Regarding the templatizing the ARN field, this should be covered by https://github.com/elastic/security-team/issues/10650. Therefore I suggest we focus this PR on what are we storing, and we take care of trying to have a few identifiers as ARN (like user). Why do I say a few? I don't think it's worth to normalize it for services that traditionally are not ARN first, like ec2. Of course this is up to discussion.
Regarding on how to represent the impacted entity, I believe having a target, inside a target, it's confusing.
What I suggest, then, is to have another field something like affectedEntity or eventProduct, eventMaterial, or something like that - had not had a great idea for naming I believe.
Being the goal of that field to solely represent entities that weren't necessarily targeted, but were either used or changed as part of the event.
Something like:
{
"actor": {
"entity": {
"id": ["arn:aws:iam::123456789012:user/romulo"]
}
},
"target": {
"entity": {
"id": ["arn:aws:iam::123456789012:user/tin"]
}
},
"affected": {
"entity": {
"id": ["arn:aws:iam::aws:policy/SecurityAudit"]
}
}
}What do you think?
ps: I intentionally kept the type out because we are not covering that on this PR.
ps2: Also intentionally made all values arrays because that's how we are going to store it
There was a problem hiding this comment.
@tinnytintin10 and I hoped in a call and came up with the following idea:
The attached policy is also a target, but it has a different relationship description. And that seems to be needed from a graph perspective only. So what we could do is leverage what @kfirpeled has proposed with AdditionInfo and add a relationshipLabel field there.
e.g.:
{
"actor": {
"entity": {
"id": [
"arn:aws:iam::123456789012:user/romulo"
]
}
},
"target": {
"entity": {
"id": [
"arn:aws:iam::123456789012:user/tin",
"arn:aws:iam::aws:policy/SecurityAudit"
],
"additionalInfo": {
"arn:aws:iam::aws:policy/SecurityAudit": {
"relationshipLabel": "Attached User Policy"
},
"arn:aws:iam::123456789012:user/tin": {
"relationshipLabel": "Was attached"
}
}
}
}
}Of course this can also be a applied to what @eyalkraft suggests on keeping all the metadata of entities inside another field called entities. Once we decide where will we keep the entities metadata, then we can take a decision of where to keep this information. But the good news are is that it doesn't seem to be that much work on top of what we already have and have planned.
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
3 times, most recently
from
6cef63a
to
5d506d5
Compare
| "100", | ||
| "acl-0af9cb843511d66d4" |
There was a problem hiding this comment.
@tinnytintin10 I wonder what to do with delete network acl entry, because each entry doesn't have its own id - but has an acl + a manual rule number
There was a problem hiding this comment.
I'm not entirely sure about this. ACL rule IDs are just numbers, in this case, 100. These numbers aren't unique across ACLs. This means you can have acl-foo and acl-bar, both with a rule with the ID of 1. These rules aren't the same and probably allow or deny different types of traffic or network behavior in two different ACLs associated with different VPCs. With this in mind, just having 100 as the ID of the rule isn't ideal, especially once we begin graphing it.
We could:
- Prepend the rule ID with the
{acl-id} rule-id: {rule id}and track two targets for this action. - Treat only the ACL as the main target and track the ACL rule as metadata or priorities about the ACL somewhere in
target.entity.*
I'm not sure what the right path is... Let me think more on this and get back to you tomorrow...
There was a problem hiding this comment.
| "sg-0f63fecfa17ef4fee", | ||
| "sgr-027eb7c59241731e0" |
There was a problem hiding this comment.
@tinnytintin10 on AuthorizeSecurityGroupIngress do we consider the security group as target or the underlying security group rule as target?
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
from
883391d
to
5c2dce2
Compare
| "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", | ||
| "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket-replication-2" |
There was a problem hiding this comment.
On PutBucketReplication we can have the bucket we are replicating from, the bucket we are replicating to and both. What is the best @tinnytintin10 ?
| "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket", | ||
| "arn:aws:s3:::elastic-cspm-cloudtrail-test-bucket/test.json" |
There was a problem hiding this comment.
On PutObject we can have the bucket, the object, or both. What do you think @tinnytintin10 ?
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
from
011549d
to
94a4662
Compare
Also deleted unnecessary related info
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
from
54a33d7
to
b9e08ad
Compare
romulets
force-pushed
the
cloudtrail-add-origin-and-target
branch
from
d445e1e
to
8f088ee
Compare
romulets
added
enhancement
🚀 Benchmarks reportTo see the full report comment with |
|
💚 Build Succeeded
History
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| "request_parameters": "{globalClusterIdentifier=myglobalcluster}", | ||
| "response_elements": "{engineVersion=8.0.mysql_aurora.3.05.2, globalClusterResourceId=cluster-23a4c8770d2a9306, endpoint=myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com, globalClusterArn=arn:aws:rds::704479110758:global-cluster:myglobalcluster, engine=aurora-mysql, storageEncrypted=false, globalClusterIdentifier=myglobalcluster, status=available, deletionProtection=false}", | ||
| "user_identity": { | ||
| "access_key_id": "AKIA2IBR2EZTIIAMZZZL", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
| "created": "2021-11-11T01:02:03.123456789Z", | ||
| "id": "450f06c5-ece3-4b03-825e-b6791cbb71b8", | ||
| "kind": "event", | ||
| "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDA2IBR2EZTJMPOR52WV\",\"arn\":\"arn:aws:iam::704479110758:user/[email protected]\",\"accountId\":\"704479110758\",\"accessKeyId\":\"AKIA2IBR2EZTIIAMZZZL\",\"userName\":\"[email protected]\"},\"eventTime\":\"2024-10-16T12:00:32Z\",\"eventSource\":\"rds.amazonaws.com\",\"eventName\":\"DeleteGlobalCluster\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"aws-cli/2.17.60 md/awscrt#0.21.2 ua/2.0 os/macos#23.6.0 md/arch#x86_64 lang/python#3.12.6 md/pyimpl#CPython exec-env/grimoire_c99460e1-506d-4019-a094-ff9ee18d57a2 cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#rds.delete-global-cluster\",\"requestParameters\":{\"globalClusterIdentifier\":\"myglobalcluster\"},\"responseElements\":{\"globalClusterIdentifier\":\"myglobalcluster\",\"globalClusterResourceId\":\"cluster-23a4c8770d2a9306\",\"globalClusterArn\":\"arn:aws:rds::704479110758:global-cluster:myglobalcluster\",\"status\":\"available\",\"engine\":\"aurora-mysql\",\"engineVersion\":\"8.0.mysql_aurora.3.05.2\",\"storageEncrypted\":false,\"deletionProtection\":false,\"globalClusterMembers\":[],\"endpoint\":\"myglobalcluster.global-gtoapfon2nyq.global.rds.amazonaws.com\",\"tagList\":[]},\"requestID\":\"0fa55398-832a-4b9a-ae59-42cd82ce9ddd\",\"eventID\":\"450f06c5-ece3-4b03-825e-b6791cbb71b8\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"704479110758\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"rds.us-east-1.amazonaws.com\"}}", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
| }, | ||
| "related": { | ||
| "entity": [ | ||
| "AKIA2IBR2EZTIIAMZZZL", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
| "request_id": "14743001-eef4-4746-b324-92b3d5f294f4", | ||
| "request_parameters": "{scope=REGIONAL, name=TestWebAcl, lockToken=6d67ea01-9048-4ab5-addf-c5da40e9b182, id=a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5}", | ||
| "user_identity": { | ||
| "access_key_id": "ASIA2IBR2EZTBTFAHWHC", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
| "created": "2021-11-11T01:02:03.123456789Z", | ||
| "id": "630b00c0-475b-43e4-91d2-baec779aaf1d", | ||
| "kind": "event", | ||
| "original": "{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"PRINCIPALID\",\"arn\":\"arn:aws:iam::000000000:user/[email protected]\",\"accountId\":\"000000000\",\"accessKeyId\":\"ASIA2IBR2EZTBTFAHWHC\",\"userName\":\"[email protected]\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"creationDate\":\"2024-10-16T09:52:01Z\",\"mfaAuthenticated\":\"false\"}}},\"eventTime\":\"2024-10-16T12:29:24Z\",\"eventSource\":\"wafv2.amazonaws.com\",\"eventName\":\"DeleteWebACL\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"216.160.83.56\",\"userAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36\",\"requestParameters\":{\"name\":\"TestWebAcl\",\"scope\":\"REGIONAL\",\"id\":\"a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5\",\"lockToken\":\"6d67ea01-9048-4ab5-addf-c5da40e9b182\"},\"responseElements\":null,\"requestID\":\"14743001-eef4-4746-b324-92b3d5f294f4\",\"eventID\":\"630b00c0-475b-43e4-91d2-baec779aaf1d\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"apiVersion\":\"2019-04-23\",\"recipientAccountId\":\"000000000\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.3\",\"cipherSuite\":\"TLS_AES_128_GCM_SHA256\",\"clientProvidedHostHeader\":\"wafv2.us-east-1.amazonaws.com\"},\"sessionCredentialFromConsole\":\"true\"}", |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
| "a95cc6a5-b6e3-42d3-a3c0-992b2f8119d5", | ||
| "[email protected]", | ||
| "arn:aws:iam::000000000:user/[email protected]", | ||
| "ASIA2IBR2EZTBTFAHWHC" |
Check failure
Code scanning / SonarQube
Amazon Web Services credentials should not be disclosed High test
WIP