Mozilla Security Cloudtrail notifications

Analyzes messages sent from AWS Cloudtrail and provides alert notifications for the configured event matchers.

This sandbox expects raw Cloudtrail "Records", as sent from cloudtrail-streamer (https://github.com/mozilla-services/cloudtrail-streamer) or similar.

Event field matchers are processed using lpeg.re (http://www.inf.puc-rio.br/~roberto/lpeg/re.html).

If enable_metrics is true, the module will submit metrics events for collection by the metrics output sandbox. Ensure process_message_inject_limit is set appropriately, since when metrics are enabled process_event will submit up to 2 messages (the alert and the metric event).

1. Sample Configuration

-- Sandbox source file and the message selector that routes raw Cloudtrail
-- "Records" messages (as emitted by cloudtrail-streamer) to this sandbox.
filename = "moz_security_cloudtrail.lua"
message_matcher = "Type == 'logging.cloudtrail.lambda.cloudtrail.logs'"
-- No timer-driven work; the sandbox only reacts to incoming messages.
ticker_interval = 0
-- One injected message (the alert) per matched event. If enable_metrics is
-- turned on below, raise this to 2 because the metric event is injected as a
-- second message.
process_message_inject_limit = 1

-- cloudtrail events to alert on (required)
--
-- Each entry has:
--   description  text used to identify the alert
--   resource     optional record field naming the affected resource
--                (presumably included in the alert; verify against the source)
--   fields       list of { record_field, lpeg.re pattern } pairs
-- The pattern is applied to the value of the named record field. All field
-- patterns in an entry appear to be ANDed together (the last entry reads as a
-- conjunction); confirm against process_event in the source.
--
-- Pattern idiom used below: `'literal' !.` matches the literal followed by
-- end-of-input, i.e. an exact whole-value match rather than a prefix match.
events = {
    {
        description = "mfa disabled",
        resource = "requestParameters.userName",
        fields = {
            { "eventName", "'DeleteVirtualMFADevice' !." },
        }
    },
    -- Second "mfa disabled" matcher for the other MFA-removal API call; the two
    -- could be merged with an ordered choice ('A' / 'B') as in the account id
    -- matcher below, if a single alert description is preferred.
    {
        description = "mfa disabled",
        resource = "requestParameters.userName",
        fields = {
            { "eventName", "'DeactivateMFADevice' !." },
        }
    },
    {
        description = "access key created",
        resource = "requestParameters.userName",
        fields = {
            { "eventName", "'CreateAccessKey' !." }
        }
    },
    -- Console-originated IAM activity in a production account where the
    -- session was not MFA authenticated. Account ids here are illustrative
    -- placeholders; replace them with the real production account ids.
    {
        description = "IAM action in production account from console without mfa",
        fields = {
            { "eventSource", "'iam.amazonaws.com' !." },
            -- ordered choice: either production account id, exact match
            { "recipientAccountId", "('1122334455' / '1234567890') !." },
            { "userIdentity.invokedBy", "'signin.amazonaws.com' !." },
            -- Negated pattern: matches any value that is not exactly "true".
            -- NOTE(review): whether a record that lacks the mfaAuthenticated
            -- field entirely also satisfies this matcher depends on how the
            -- sandbox treats absent fields -- confirm, since that case is the
            -- one most worth alerting on.
            { "userIdentity.sessionContext.attributes.mfaAuthenticated", "!('true' !.)" }
        }
    }
}

-- mapping of aws account ids to human-friendly names (optional)
-- Keys are account ids as strings (hence the ["..."] form); the ids shown are
-- sample values only.
aws_account_mapping = {
    ["5555555555"] = "dev",
    ["1234567890"] = "prod",
    ["1122334455"] = "prod2"
}

-- module makes use of alert output and needs a valid alert configuration
-- The empty modules table is a placeholder; populate it with the alert output
-- modules used in your deployment.
alert = {
    modules = { }
}

-- enable_metrics = false -- optional, if true enable secmetrics submission
-- When set to true, also set process_message_inject_limit = 2 (see above).

source code: moz_security_cloudtrail.lua
