Transcript Decoding AWS CloudTrail with OSSEC

Decoding AWS CloudTrail
with OSSEC
Presented By:
Barry O Meara – Pre Sales Engineer EMEA
AGENDA:
•
•
•
•
Why?
Enabling AWS CloudTrail
OSSEC AWS CloudTrail DECODER
How AlienVault USM decodes these
events
• How to use your audit reports
Why? Scenario: Make an audit trail
follow the user:
•
•
Establish a process for linking all access to system components (especially
access done with administrative privileges such as root) to each individual
user.
Implement automated audit trails for all system components to reconstruct
the following events:
• All actions taken by any individual with root or administrative privileges
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Creation and deletion of system level objects
Stuff To Record:
• User identification
• Type of event
• Date and time
./Time must be synchronized across all systems
./Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource.
Stuff to Decode – AWS Event Translation
EVENT
AWS EVENT
EVENT VERSION
"eventVersion":"1.02” – Very Important
EVENT ID
"eventID":"7d4ad9fe-ce06-472a-b9951685f1370a67"
EVENT TIME
"eventTime":"2014-09-03T08:59:37Z",
USER ID
u'147023721278’ parent "userIdentity":
EVENT
"eventName":"GetTrailStatus"
USER AGENT
"userAgent":"console.amazonaws.com",
SOURCE IP
"sourceIPAddress":"62.77.185.113"
DEEP DIVE
Questions?
Email: [email protected]
Skype: bomeara-alienvault