You might want to know what changes were made in your AWS cloud infrastructure when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
Knowing what modifications have been made to cloud infrastructure resources, when they were made, and who made them can help you identify or isolate the origin of a problem or incident. You need a search that shows what changes have been made to AWS resources.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="aws:cloudtrail" status=success
|eval requestParameters=mvindex(split(mvindex(split(_raw, "\"requestParameters\":"),1),"\"responseElements\":"),0)
|table _time src requestParameters
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation
--- | ---
sourcetype="aws:cloudtrail" | Search only AWS CloudTrail data.
status=success | Keep only events with a status of success, that is, API calls that completed and therefore actually changed something. CloudTrail records a failed or denied call with an errorCode; those attempts are worth their own search but are not changes.
|eval requestParameters=mvindex(split(mvindex(split(_raw, "\"requestParameters\":"),1),"\"responseElements\":"),0) | Split the raw event text on the string "requestParameters": and keep the second piece (index 1), which is everything after that key. Split that piece on "responseElements": and keep the first piece (index 0), which is the request parameters object. Save the extracted text in the requestParameters field. Note: the event is a JSON document and its entire text is in the field _raw. Because this is plain string splitting, it relies on "responseElements" appearing after "requestParameters" in the raw text; when it does not, the extracted text runs on into the rest of the event, as the DeleteUser and DeleteAccessKey rows in the results show. Parsing the JSON with the spath command does not depend on key order.
|table _time src requestParameters | Display the results in a table with columns in the order shown.
Result
Sample results for this search are shown in the table below. The table shows the time of the event, the src field (the source IP address the API call came from, not a host on which the change was made) and the request parameters extracted by the search. This is a way of understanding the activity taking place in your AWS account. For example, the first row shows a security-group rule for TCP port 22 with source 0.0.0.0/0, that is, SSH open to any address, changed on security group sg-f45e5591 by a caller at 204.107.141.244; adding eventName to the table shows whether the rule was authorized or revoked. In the DeleteUser and DeleteAccessKey rows the extracted text runs past the request parameters into awsRegion, userIdentity and eventName, because "responseElements" does not follow "requestParameters" in the raw text of those events; the overrun is still readable and shows that an IAM user named bitcoin_miner had an access key deleted and was then deleted.
_time | src | requestParameters
--- | --- | ---
2020-10-14T13:19:20.000+0000 | 204.107.141.244 | {"ipPermissions": {"items": [{"ipProtocol": "tcp", "toPort": 22, "fromPort": 22, "prefixListIds": {}, "groups": {}, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}, "groupId": "sg-f45e5591"}, "requestID": "e4c1d5ab-58da-4261-983c-091b31c9fa0a"}
2020-10-14T13:11:41.000+0000 | 54.175.252.140 | {"userName": "bitcoin_miner"}, "awsRegion": "us-east-1", "userIdentity": {"accountId": "063605715280", "userName": "george.nelson", "sessionContext": {"attributes": {"creationDate": "2014-05-02T23:09:55Z", "mfaAuthenticated": "false"}}, "accessKeyId": "B04M0NK3YN00DL3KR4ZY", "type": "IAMUser", "principalId": "AIDAJRC0ULS3NU43KZZEA", "arn": "arn:aws:iam::063605715280:user/george.nelson"}, "eventName": "DeleteUser", "eventVersion": "1.01", "userAgent": "AWSConsole",
2020-10-14T13:11:21.000+0000 | 54.171.211.111 | {"userName": "bitcoin_miner", "accessKeyId": "AKIAIVVLOMXHGFQUCTVA"}, "awsRegion": "us-east-1", "userIdentity": {"accountId": "063605715280", "userName": "kieffer", "sessionContext": {"attributes": {"creationDate": "2014-05-02T23:09:55Z", "mfaAuthenticated": "false"}}, "accessKeyId": "B04M0NK3YN00DL3KR4ZY", "type": "IAMUser", "principalId": "AIR0NM4NU5R6GQ5T4RKLW", "arn": "arn:aws:iam::063605715280:user/kieffer"}, "eventName": "DeleteAccessKey", "eventVersion": "1.01", "userAgent": "AWSConsole",
2020-10-14T13:10:09.000+0000 | 54.171.211.111 | {"userName": "bitcoin_miner", "accessKeyId": "AKIAIVVLOMXHGFQUCTVA"}, "awsRegion": "us-east-1", "userIdentity": {"accountId": "063605715280", "userName": "khungus", "sessionContext": {"attributes": {"creationDate": "2014-05-02T23:09:55Z", "mfaAuthenticated": "false"}}, "accessKeyId": "PU3RC0M4LN00DL3T1M3Z", "type": "IAMUser", "principalId": "AIR0NM4NU5R6GQ5T4RKLW", "arn": "arn:aws:iam::063605715280:user/khungus"}, "eventName": "DeleteAccessKey", "eventVersion": "1.01", "userAgent": "AWSConsole",
2020-10-14T13:08:15.000+0000 | 204.107.141.244 | {"vpcId": "vpc-d2d110ba", "groupName": "launch-wizard-5", "groupDescription": "launch-wizard-5 created 2016-01-27T11:12:38.947+08:00"}, "requestID": "af4a15b7-2c71-4eab-b09f-f8d9783cd21b"}
2020-10-14T13:03:40.000+0000 | 204.107.141.244 | {"vpcId": "vpc-d2d110ba", "groupName": "launch-wizard-5", "groupDescription": "launch-wizard-5 created 2016-01-27T11:12:38.947+08:00"}, "requestID": "af4a15b7-2c71-4eab-b09f-f8d9783cd21b"}
You can update the table to show additional fields, such as the following:
|table _time eventName userIdentity.arn userIdentity.userName src requestParameters
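The extraction and the reading of the results, as an added example in Python that is not part of this article and not Splunk code. It replays the search's string split over constructed CloudTrail records (the account ID, user names and IP addresses are made-up documentation values, not the ones in the table above, and one record is deliberately ordered with responseElements before requestParameters), then parses the same records as JSON to build the extended table's columns and to flag ingress rules whose source is 0.0.0.0/0, which is the port-22 finding in the first result row. The success filter assumes, as CloudTrail documents, that a failed call carries an errorCode field.

```python
"""Replay the article's requestParameters extraction over constructed CloudTrail
records, then do the same job with a JSON parser so key order does not matter."""
import json

# Constructed sample records for illustration only (fake account, users and IPs).
# Key order is varied deliberately: CloudTrail does not promise any ordering.
SAMPLE_EVENTS = [
    # Security-group rule for TCP/22 from anywhere; responseElements follows requestParameters
    '{"eventTime": "2020-10-14T13:19:20Z", "eventName": "AuthorizeSecurityGroupIngress", '
    '"sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice", '
    '"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"groupId": '
    '"sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, '
    '"toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}, '
    '"responseElements": {"_return": true}}',
    # responseElements comes BEFORE requestParameters: the string split runs past the parameters
    '{"eventTime": "2020-10-14T13:11:41Z", "eventName": "DeleteUser", "sourceIPAddress": '
    '"198.51.100.7", "responseElements": null, "requestParameters": {"userName": "tmp_user"}, '
    '"userIdentity": {"type": "IAMUser", "userName": "bob", '
    '"arn": "arn:aws:iam::123456789012:user/bob"}}',
    # Read-only call with null parameters: nothing to flag
    '{"eventTime": "2020-10-14T13:10:09Z", "eventName": "DescribeInstances", "sourceIPAddress": '
    '"198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob", '
    '"arn": "arn:aws:iam::123456789012:user/bob"}, "requestParameters": null, '
    '"responseElements": null}',
    # Denied call: CloudTrail records failures with an errorCode, so status=success drops it
    '{"eventTime": "2020-10-14T13:09:00Z", "eventName": "AuthorizeSecurityGroupIngress", '
    '"sourceIPAddress": "198.51.100.7", "errorCode": "Client.UnauthorizedOperation", '
    '"userIdentity": {"type": "IAMUser", "userName": "bob", '
    '"arn": "arn:aws:iam::123456789012:user/bob"}, "requestParameters": {"groupId": '
    '"sg-0123456789abcdef0", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 3389, '
    '"toPort": 3389, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}, "responseElements": null}',
]


def split_extract(raw):
    """Same logic as the SPL eval: text after "requestParameters": up to "responseElements":."""
    parts = raw.split('"requestParameters":')
    if len(parts) < 2:
        return ""
    return parts[1].split('"responseElements":')[0]


def is_success(event):
    """Equivalent of status=success: CloudTrail sets errorCode only on failed calls."""
    return "errorCode" not in event


def world_open_ingress(request_parameters):
    """(ipProtocol, fromPort, toPort) for each rule whose source is 0.0.0.0/0 or ::/0."""
    hits = []
    if not isinstance(request_parameters, dict):      # null or non-object parameters
        return hits
    items = (request_parameters.get("ipPermissions") or {}).get("items") or []
    for perm in items:
        v4 = (perm.get("ipRanges") or {}).get("items") or []
        v6 = (perm.get("ipv6Ranges") or {}).get("items") or []
        cidrs = [r.get("cidrIp") for r in v4] + [r.get("cidrIpv6") for r in v6]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            hits.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return hits


def triage(raw_events):
    """Build the rows of the article's extended table, plus a worldOpen column."""
    rows = []
    for raw in raw_events:
        event = json.loads(raw)           # parse instead of splitting text
        if not is_success(event):
            continue
        identity = event.get("userIdentity") or {}
        params = event.get("requestParameters")
        rows.append({
            "_time": event.get("eventTime"),
            "eventName": event.get("eventName"),
            "userIdentity.arn": identity.get("arn"),
            "userIdentity.userName": identity.get("userName"),
            "src": event.get("sourceIPAddress"),
            "requestParameters": params,
            "worldOpen": world_open_ingress(params),
        })
    return rows


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print("split ->", split_extract(raw).strip()[:70])
    for row in triage(SAMPLE_EVENTS):
        print(row["_time"], row["eventName"], row["userIdentity.arn"], row["src"], row["worldOpen"])
```

Running it prints the string split's output first: clean for the first record, but for the DeleteUser record it carries on into userIdentity, the same overrun visible in the result table above. The parsed rows are unaffected by key order, the denied call is dropped as status=success would drop it, and only the successful port-22 rule is flagged as world-open.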