Skip to content

aldosimon/cloudtrail-detection-engine

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
assets/img
assets/img
 
 
backup
backup
 
 
deploy/terraform
deploy/terraform
 
 
lambda
lambda
 
 
sigma
sigma
 
 
testing
testing
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

About

Detection and alert that uses cloudtrail, run in native aws using lambda.

Lambda send sns if there is a match for certain cloudtrail API call.

The goal is to detect CloudTrail API calls that are both high-impact and indicative of malicious activity by having a lambda that load from sigma signature.

I write about CTDE in my blog

Caveat

Care must be use to choose the sigma rule that is very high-impact but not noisy. Some sigma examples are included and sigma-stash repository. I also included ConsoleLogin as a test sigma.

Workflow

ctdr

Deploy

you can deploy using the provided terraform or by uploading the zipped lambda directory

Using IAC

  • prerequisite:
    • aws CLI is setup with the credentials
    • copy lambda directory to deploy/terraform/lambda -> this will be zipped and uploaded by the terraform
  • terraform init
  • terraform plan -> please recheck
  • terraform apply

Uploading zip

  • zip the lambda directory
  • upload zip package
  • set up variables:
    • correct role and permission
    • snsarn
    • bucket name for cloudtrail
    • bucket name for sigma

Todo list

  • create IAC to deploy
  • add more sigma examples
  • expand on sigma selection
  • format email alert
  • add threeshold feature to lambda
  • add correlation feature to lambda

References and Credits

About

aws native cloudtrail detection engine

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages