Decoding AWS CloudTrail with OSSEC Presented By: Barry O Meara – Pre Sales Engineer EMEA
Page 1:

Decoding AWS CloudTrail with OSSEC

Presented By: Barry O Meara – Pre Sales Engineer EMEA

Page 2:

AGENDA:

• Why?
• Enabling AWS CloudTrail
• OSSEC AWS CloudTrail decoder
• How AlienVault USM decodes these events
• How to use your audit reports

Page 3:

Why? Scenario: make an audit trail, follow the user:

• Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

• Implement automated audit trails for all system components to reconstruct the following events:
  • All actions taken by any individual with root or administrative privileges
  • Invalid logical access attempts
  • Use of identification and authentication mechanisms
  • Creation and deletion of system-level objects

Page 4:

Stuff To Record:

• User identification
• Type of event
• Date and time (time must be synchronized across all systems)
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource

Page 5:

Stuff to Decode – AWS Event Translation

EVENT          AWS EVENT
EVENT VERSION  "eventVersion":"1.02" – Very Important
EVENT ID       "eventID":"7d4ad9fe-ce06-472a-b995-1685f1370a67"
EVENT TIME     "eventTime":"2014-09-03T08:59:37Z"
USER ID        u'147023721278' (taken from the parent "userIdentity" object)
EVENT          "eventName":"GetTrailStatus"
USER AGENT     "userAgent":"console.amazonaws.com"
SOURCE IP      "sourceIPAddress":"62.77.185.113"
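As an added example (not code from the deck or from AlienVault), here is a small Python decoder that applies the translation above to a constructed trail file and also fills the "Stuff to Record" fields: success or failure is read from the presence of errorCode, and root-level actions are flagged. The second record, the StopLogging call, the user name alice and the event id "constructed-0002" are constructed values, not from the deck.

```python
import json

# Constructed sample trail (not a real CloudTrail export): the deck's record
# plus a second, failed, root-initiated call.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.02", "eventID": "7d4ad9fe-ce06-472a-b995-1685f1370a67",
     "eventTime": "2014-09-03T08:59:37Z",
     "userIdentity": {"type": "IAMUser", "accountId": "147023721278", "userName": "alice"},
     "eventName": "GetTrailStatus", "userAgent": "console.amazonaws.com",
     "sourceIPAddress": "62.77.185.113"},
    {"eventVersion": "1.02", "eventID": "constructed-0002",
     "eventTime": "2014-09-03T09:01:12Z",
     "userIdentity": {"type": "Root", "accountId": "147023721278"},
     "eventName": "StopLogging", "userAgent": "aws-cli/1.4.0",
     "sourceIPAddress": "62.77.185.113", "errorCode": "AccessDenied"},
]})

# Only decode mapped layouts: a new eventVersion can move or rename fields,
# which is why the deck flags eventVersion as very important.
SUPPORTED_VERSIONS = {"1.02"}

def flatten(record):
    """Map one CloudTrail record onto the audit fields listed in the deck."""
    version = record.get("eventVersion")
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unmapped eventVersion {version!r}")
    ident = record.get("userIdentity", {})
    # User identification: account id plus the best available principal name.
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    return {
        "event_version": version,
        "event_id": record.get("eventID"),
        "event_time": record.get("eventTime"),      # UTC timestamp from AWS
        "user_id": f"{ident.get('accountId', '?')}:{who}",
        "privileged": ident.get("type") == "Root",  # root-level action
        "event": record.get("eventName"),
        "user_agent": record.get("userAgent"),
        "src_ip": record.get("sourceIPAddress"),
        # Success/failure indication: a failed call carries an errorCode.
        "outcome": "failure" if "errorCode" in record else "success",
        "error": record.get("errorCode"),
    }

def decode_trail(trail_json):
    """Decode a whole trail file: a JSON object holding a 'Records' list."""
    return [flatten(r) for r in json.loads(trail_json)["Records"]]

def to_log_line(fields):
    """Render one flat key=value line that a log decoder can split on."""
    return "cloudtrail: " + " ".join(f"{k}={v}" for k, v in fields.items() if v is not None)
```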

Page 6:

DEEP DIVE

Page 7:

Email: [email protected]: bomeara-alienvault

Questions?