Decoding AWS CloudTrail with OSSEC
Presented By: Barry O Meara – Pre Sales Engineer EMEA
AGENDA:
• Why?
• Enabling AWS CloudTrail
• OSSEC AWS CloudTrail DECODER
• How AlienVault USM decodes these events
• How to use your audit reports
Why?
Scenario: Make an audit trail follow the user:
• Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
• Implement automated audit trails for all system components to reconstruct the following events:
  • All actions taken by any individual with root or administrative privileges
  • Invalid logical access attempts
  • Use of identification and authentication mechanisms
  • Creation and deletion of system-level objects

Stuff To Record:
• User identification
• Type of event
• Date and time (time must be synchronized across all systems)
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource.
Stuff to Decode – AWS Event Translation
EVENT           AWS EVENT
EVENT VERSION   "eventVersion":"1.02" – Very Important
EVENT ID        "eventID":"7d4ad9fe-ce06-472a-b995-1685f1370a67"
EVENT TIME      "eventTime":"2014-09-03T08:59:37Z"
USER ID         u'147023721278' (taken from the parent object "userIdentity")
EVENT           "eventName":"GetTrailStatus"
USER AGENT      "userAgent":"console.amazonaws.com"
SOURCE IP       "sourceIPAddress":"62.77.185.113"
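The translation in the table above, worked through as an added example that is not part of the slide deck or of OSSEC: a small Python decoder that maps one CloudTrail JSON record onto the audit fields listed under "Stuff To Record". The record is constructed for this example; the field names and the eventID, eventTime, account ID and source IP are the ones shown on the slide, while the IAM user "alice", her ARN and the requestParameters are made up.

```python
import json

# Constructed sample CloudTrail record (not taken from a real trail).
SAMPLE_EVENT = json.dumps({
    "eventVersion": "1.02",
    "eventID": "7d4ad9fe-ce06-472a-b995-1685f1370a67",
    "eventTime": "2014-09-03T08:59:37Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "GetTrailStatus",
    "userIdentity": {"type": "IAMUser", "accountId": "147023721278",
                     "userName": "alice",                        # made up
                     "arn": "arn:aws:iam::147023721278:user/alice"},
    "userAgent": "console.amazonaws.com",
    "sourceIPAddress": "62.77.185.113",
    "requestParameters": {"name": "Default"},                   # made up
})

def who(identity):
    """Reduce the userIdentity object to one accountable principal (user identification)."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        # Session credentials: the issuing role sits in sessionContext, the session
        # name (usually the person or instance) is the last element of the ARN.
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName", "?") + "/" + identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("userName") or identity.get("arn") or identity.get("accountId", "unknown")

def decode_cloudtrail(raw):
    """Map one CloudTrail JSON record onto the audit-trail fields from the slides."""
    ev = json.loads(raw)
    identity = ev.get("userIdentity", {})
    return {
        "event_version": ev.get("eventVersion"),        # schema version the decoder was written for
        "event_id": ev.get("eventID"),
        "timestamp": ev.get("eventTime"),                 # always UTC, so clocks are already aligned
        "user": who(identity),
        "account": identity.get("accountId"),
        "privileged": identity.get("type") == "Root",     # root / administrative actions
        "event_type": ev.get("eventSource", "?") + ":" + ev.get("eventName", "?"),
        "outcome": "failure" if ev.get("errorCode") else "success",   # success/failure indication
        "origin": (ev.get("sourceIPAddress"), ev.get("userAgent")),   # origination of event
        "resource": [r.get("ARN") for r in ev.get("resources", [])] or ev.get("requestParameters"),
    }
```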
DEEP DIVE
Email: [email protected]: bomeara-alienvault
Questions?