# Additions to the Threat Stack AWS CloudTrail Ruleset

Mike Broberg, Threat Stack blog, February 11, 2020 (3 min read)

Net-new rules for Amazon ECR and AWS Systems Manager API activity

At Threat Stack, we process tens of billions of events for customers each day. Insight into that amount of data gives us a unique perspective from which to identify meaningful trends in AWS service usage. Two such trends we've recently observed are increased usage of Amazon Elastic Container Registry (ECR) and AWS Systems Manager. To ensure that our customers use these services securely, we have added default alerting rules for ECR and Systems Manager to Threat Stack. Let's look at some of the new rules and their filters.

## Amazon ECR

You all know what a container registry is, but what's great about Amazon ECR is how tightly integrated it is with Amazon Elastic Container Service (ECS). Of course, Threat Stack already instruments ECS environments with granular detail from Amazon Linux 2 and Docker at runtime. Now we can deliver more security observability into how static Docker images are sourced within ECR. Here's what Threat Stack's new CloudTrail ECR rules include out of the box:

- CloudTrail: ECR Create Repository (Sev 3)
- CloudTrail: ECR Delete Repository (Sev 3)
- CloudTrail: ECR Image Scan Findings – Severity HIGH (Sev 1)
- CloudTrail: ECR Image Scan Findings – Severity MEDIUM (Sev 2)
- CloudTrail: ECR Put Image (Sev 3)
- CloudTrail: ECR Put Image Scanning Configuration (Sev 3)
- CloudTrail: ECR Set Repository Policy (Sev 3)

In particular, let's look at the rule CloudTrail: ECR Image Scan Findings – Severity HIGH.

Figure 1: Screenshot of Threat Stack Rules UI for CloudTrail: ECR

The filter syntax here is the most interesting bit, so here's a closer look:

```
event_type = "cloudtrail" and eventSource = "ecr.amazonaws.com" and eventName = "DescribeImageScanFindings" and responseElements.imageScanFindings.findingSeverityCounts.HIGH > 0
```

Since the CloudTrail event JSON for the ECR image scan findings can contain a long list of CVEs, we use the aggregated `findingSeverityCounts` object for a quick check rather than walking the full findings list. From there, follow the AWS documentation to retrieve the full findings from your scan, either through the Amazon ECR console or via the AWS CLI. Threat Stack's goal is to alert you as quickly as possible, but feel free to modify the severity settings and to customize the rule filter. (For more on the Threat Stack query language used above, see our docs.)

## AWS Systems Manager

AWS Systems Manager is a powerful automation tool with a wide range of features. Two of those features — AWS Systems Manager Session Manager and AWS Systems Manager Run Command — are particularly interesting for auditing purposes.

Figure 2: Screenshot of Threat Stack Rules UI for CloudTrail: SSM

Here's what Threat Stack's new CloudTrail Systems Manager rules include out of the box:

- CloudTrail: SSM Cancel Command (Sev 3)
- CloudTrail: SSM Create Component (Sev 3)
- CloudTrail: SSM Delete Component (Sev 3)
- CloudTrail: SSM Information Discovery (Sev 3)
- CloudTrail: SSM Resume Session (Sev 3)
- CloudTrail: SSM Send Command (Sev 3)
- CloudTrail: SSM Session Terminated (Sev 3)
- CloudTrail: SSM Start Automation Execution (Sev 3)
- CloudTrail: SSM Start Session (Sev 3)

With Sev 3 defaults across the board, we anticipate that these alerts will be used mostly for auditing purposes — but they can always be tuned to best suit your needs.

Let's look at the filter syntax for CloudTrail: SSM Information Discovery:

```
event_type = "cloudtrail" and eventSource = "ssm.amazonaws.com" and (eventName starts_with "Describe" or eventName starts_with "List")
```

While it's relatively straightforward, it's a nice example of the `starts_with` operator supported in Threat Stack's query language: a single rule covers every read-only Describe* and List* call against the SSM API without enumerating each event name.

## Moving From Rules to Events

Custom CloudTrail alerting is but one dimension of the rules you can create in Threat Stack. And once these rules fire, you'll probably want to dig into the underlying events if you need to conduct an investigation. Check out this investigation of Docker cryptojacking, where we go step-by-step through an alert and its associated events. And look for more investigations conducted by Threat Stack Cloud SecOps Program℠ analysts coming to this space soon!
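To make the two filters quoted above concrete, here is an added example (not Threat Stack's code, and not an implementation of its query language) that re-expresses the ECR Image Scan Findings rule and the SSM Information Discovery rule as Python predicates and runs them over a handful of constructed CloudTrail-style records. It generalises the ECR rule by taking the severity bucket as a parameter, so the same function also covers the page's MEDIUM rule, and it handles the case where `findingSeverityCounts` has no entry for the requested severity (the sample assumes a scan with no HIGH findings simply lacks a `HIGH` key), which a `> 0` comparison must treat as "no alert" rather than an error. Field names follow the filters on the page; `event_type` is the Threat Stack-side field, the rest mirror the CloudTrail record shape. The sample records are constructed, not captured.

```python
"""Threat Stack-style CloudTrail rule filters expressed as Python predicates.

Added example, not Threat Stack's code: the two filters from the post are
re-expressed as plain functions and run over constructed sample records.
"""
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample records (not captured events). `event_type` is the
# Threat Stack-side field used in the filters; the other keys mirror the
# shape of a CloudTrail record.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # ECR scan with HIGH and MEDIUM findings: should fire both scan rules
        "event_type": "cloudtrail",
        "eventSource": "ecr.amazonaws.com",
        "eventName": "DescribeImageScanFindings",
        "responseElements": {
            "imageScanFindings": {
                "findingSeverityCounts": {"HIGH": 2, "MEDIUM": 5, "LOW": 11}
            }
        },
    },
    {   # ECR scan with only LOW findings: no HIGH key at all (assumed shape)
        "event_type": "cloudtrail",
        "eventSource": "ecr.amazonaws.com",
        "eventName": "DescribeImageScanFindings",
        "responseElements": {
            "imageScanFindings": {"findingSeverityCounts": {"LOW": 3}}
        },
    },
    {"event_type": "cloudtrail", "eventSource": "ssm.amazonaws.com",
     "eventName": "DescribeInstanceInformation"},
    {"event_type": "cloudtrail", "eventSource": "ssm.amazonaws.com",
     "eventName": "ListCommands"},
    {"event_type": "cloudtrail", "eventSource": "ssm.amazonaws.com",
     "eventName": "StartSession"},  # belongs to a different rule, not discovery
]


def get_path(record: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted path such as
    'responseElements.imageScanFindings.findingSeverityCounts.HIGH'.
    Returns None when any segment is missing instead of raising."""
    current: Any = record
    for key in dotted.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def ecr_scan_findings(record: Dict[str, Any], severity: str) -> bool:
    """CloudTrail: ECR Image Scan Findings - Severity <severity>.
    Generalises the page's HIGH rule: pass "MEDIUM" for the MEDIUM rule."""
    count = get_path(
        record, f"responseElements.imageScanFindings.findingSeverityCounts.{severity}"
    )
    return (
        record.get("event_type") == "cloudtrail"
        and record.get("eventSource") == "ecr.amazonaws.com"
        and record.get("eventName") == "DescribeImageScanFindings"
        # A missing bucket resolves to None, which must not fire the rule.
        and isinstance(count, int)
        and count > 0
    )


def ssm_information_discovery(record: Dict[str, Any]) -> bool:
    """CloudTrail: SSM Information Discovery (the starts_with filter)."""
    name = str(record.get("eventName", ""))
    return (
        record.get("event_type") == "cloudtrail"
        and record.get("eventSource") == "ssm.amazonaws.com"
        and (name.startswith("Describe") or name.startswith("List"))
    )


# Rule name -> (predicate, default severity as listed in the post)
RULES: Dict[str, Tuple[Callable[[Dict[str, Any]], bool], int]] = {
    "CloudTrail: ECR Image Scan Findings - Severity HIGH":
        (lambda r: ecr_scan_findings(r, "HIGH"), 1),
    "CloudTrail: ECR Image Scan Findings - Severity MEDIUM":
        (lambda r: ecr_scan_findings(r, "MEDIUM"), 2),
    "CloudTrail: SSM Information Discovery":
        (ssm_information_discovery, 3),
}


def evaluate(records: List[Dict[str, Any]]) -> List[Tuple[str, int, str]]:
    """Run every rule over every record; return (rule, severity, eventName)
    for each match, in record order and then rule order."""
    alerts: List[Tuple[str, int, str]] = []
    for record in records:
        for rule_name, (predicate, sev) in RULES.items():
            if predicate(record):
                alerts.append((rule_name, sev, str(record.get("eventName"))))
    return alerts


if __name__ == "__main__":
    for rule_name, sev, event_name in evaluate(SAMPLE_EVENTS):
        print(f"Sev {sev}  {rule_name}  <- {event_name}")
```

Running the script prints four alerts: the first record fires both ECR scan rules, the two SSM Describe/List records fire the discovery rule, and the LOW-only scan and the StartSession call fire nothing. The `get_path` helper is what makes the `> 0` comparison safe: a nested key that is absent yields `None`, and the rule deliberately requires an integer before comparing, mirroring how a rule engine has to treat a missing field as "does not match" rather than as zero or as a failure.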