<a href="https://colab.research.google.com/github/blacktalenthubs/Dynamic-Application-Security-Testing/blob/main/week4_5_practice_lab.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

### Week 4-5: Introduction and Threat Detection

#### Topics:
- Overview of AWS Security Services
- GuardDuty Overview
- Security Hub Overview
- Introduction to SIEM (Security Information and Event Management)

### Definitions and Use Cases:

1. **AWS GuardDuty**
   - **Definition**: AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
   - **Use Case**: GuardDuty analyzes data from AWS CloudTrail logs, VPC Flow Logs, and DNS logs to identify potential threats, such as compromised instances or unauthorized access attempts.

2. **AWS Security Hub**
   - **Definition**: AWS Security Hub provides a comprehensive view of your high-priority security alerts and compliance status across AWS accounts.
   - **Use Case**: Security Hub aggregates, organizes, and prioritizes security findings from various AWS services and third-party solutions, helping you monitor your security posture and compliance status in one place.

3. **SIEM (Security Information and Event Management)**
   - **Definition**: SIEM solutions provide real-time analysis of security alerts generated by network hardware and applications.
   - **Use Case**: SIEM solutions like Splunk and the ELK Stack collect, store, and analyze log data from various sources to detect, investigate, and respond to security incidents.

#### Tools and Setup:
- AWS GuardDuty
- AWS Security Hub
- SIEM solution (e.g., Splunk, ELK Stack)
- AWS Account setup
- SIEM setup for log ingestion

### Steps to Set Up and Practice

#### 1. AWS Account Setup
1. **Create an AWS Account**:
   - Visit the [AWS Management Console](https://aws.amazon.com/console/) and sign up for a new account if you don’t have one.
   - Follow the on-screen instructions to complete the registration process.
   - **Explanation**: Having an AWS account is essential to access and configure AWS services.

2. **Set Up IAM Users and Roles**:
   - Go to the IAM (Identity and Access Management) service in the AWS Management Console.
   - Create a new IAM user with programmatic and console access.
   - Assign the necessary permissions (e.g., AdministratorAccess) to the IAM user.
   - Create IAM roles for GuardDuty and Security Hub with appropriate permissions.
   - **Explanation**: IAM roles and users help manage permissions and access controls securely. AdministratorAccess is acceptable for a throwaway lab account, but outside the lab scope permissions down to what GuardDuty and Security Hub actually need.

#### 2. AWS GuardDuty Setup
1. **Enable GuardDuty**:
   - Navigate to the GuardDuty service in the AWS Management Console.
   - Click on "Enable GuardDuty".
   - Choose the regions where you want GuardDuty to be enabled.
   - **Explanation**: Enabling GuardDuty allows it to start monitoring your AWS environment for threats.

2. **Configure GuardDuty**:
   - Go to the GuardDuty dashboard.
   - Set up data sources such as VPC Flow Logs, CloudTrail logs, and DNS logs.
   - Monitor the findings and alerts generated by GuardDuty.
   - **Explanation**: Configuring data sources ensures that GuardDuty has the necessary information to detect threats.

#### 3. AWS Security Hub Setup
1. **Enable Security Hub**:
   - Navigate to the Security Hub service in the AWS Management Console.
   - Click on "Enable Security Hub".
   - Follow the prompts to set up Security Hub.
   - **Explanation**: Security Hub needs to be enabled to start aggregating security findings from various sources.

2. **Integrate with Other AWS Services**:
   - Integrate Security Hub with GuardDuty, AWS Config, AWS CloudTrail, and other security services.
   - Go to the Security Hub settings and configure integrations and standards (e.g., CIS AWS Foundations Benchmark).
   - **Explanation**: Integrating with other services allows Security Hub to provide a comprehensive view of your security posture.

3. **Monitor Security Findings**:
   - Review the Security Hub dashboard to monitor security findings and compliance status.
   - Analyze findings and take corrective actions as necessary.
   - **Explanation**: Regularly reviewing findings helps in maintaining a secure and compliant AWS environment.

#### 4. SIEM Setup (Splunk or ELK Stack)
**For Splunk**:
1. **Download and Install Splunk**:
   - Download Splunk from the [Splunk website](https://www.splunk.com/en_us/download/splunk-enterprise.html).
   - Follow the installation instructions for your operating system.
   - **Explanation**: Splunk is a widely used SIEM tool for log management and analysis.

2. **Set Up Data Inputs for AWS Logs**:
   - Log in to the Splunk web interface.
   - Go to Settings > Data Inputs > Add New.
   - Set up data inputs for AWS CloudTrail, VPC Flow Logs, and GuardDuty logs.
   - Use the Splunk Add-on for AWS to simplify the integration.
   - **Explanation**: Configuring data inputs allows Splunk to ingest and analyze AWS logs.

3. **Create Dashboards and Alerts**:
   - Create dashboards in Splunk to visualize AWS security data.
   - Set up alerts for specific security events and thresholds.
   - **Explanation**: Dashboards and alerts help in monitoring and responding to security incidents.

**For ELK Stack (Elasticsearch, Logstash, Kibana)**:
1. **Install Elasticsearch, Logstash, and Kibana**:
   - Follow the installation instructions from the [Elastic website](https://www.elastic.co/start).
   - Install Elasticsearch, Logstash, and Kibana on your server or local machine.
   - **Explanation**: The ELK Stack is an open-source SIEM solution for log aggregation and analysis.

2. **Configure Logstash for AWS Logs**:
   - Set up Logstash to collect and process AWS logs.
   - Create a Logstash configuration file to specify input, filter, and output settings for AWS CloudTrail, VPC Flow Logs, and GuardDuty logs.
   - **Explanation**: Logstash processes and transforms the logs before storing them in Elasticsearch.

   Example Logstash Configuration:
   ```plaintext
   input {
     s3 {
       bucket => "your-aws-logs-bucket"
       # CloudTrail writes under AWSLogs/<account-id>/CloudTrail/; narrow the
       # prefix so the input does not pull every object in the bucket.
       prefix => "AWSLogs/"
       region => "your-region"
       # Lab shortcut: static keys. Prefer an instance profile or the
       # role_arn option so no long-lived secret sits in this file.
       access_key_id => "your-access-key-id"
       secret_access_key => "your-secret-access-key"
     }
   }

   filter {
     # CloudTrail objects are gzipped (the s3 input decompresses .gz files)
     # and hold one JSON document with a "Records" array.
     json {
       source => "message"
     }
     # Emit one Elasticsearch document per API event instead of one per file.
     if [Records] {
       split {
         field => "Records"
       }
     }
   }

   output {
     elasticsearch {
       hosts => ["localhost:9200"]
       index => "aws-logs-%{+YYYY.MM.dd}"
     }
   }
   ```

3. **Visualize Data in Kibana**:
   - Open the Kibana web interface.
   - Create index patterns to match the data indexed by Logstash.
   - Build dashboards in Kibana to visualize AWS security data.
   - Set up alerts and visualizations to monitor security events.
   - **Explanation**: Kibana allows you to visualize and interact with the data stored in Elasticsearch.
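The Logstash ingestion step above (gunzip, parse the JSON envelope, split `Records` into events) re-created in Python so it can be run and inspected offline, followed by two illustrative SIEM alert rules of the kind Exercise 2 asks for; this is an added example, not code from the course, and it uses a constructed gzipped CloudTrail object in place of an S3 download:

```python
import gzip
import json
from collections import Counter


def _ev(source, name, ip, **extra):
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip, **extra}


# Constructed sample: a CloudTrail file as it sits in S3 (one JSON envelope
# with a "Records" array, gzip-compressed). Not real account data.
_FAIL = {"ConsoleLogin": "Failure"}
_RECORDS = {"Records": [
    _ev("signin.amazonaws.com", "ConsoleLogin", "203.0.113.7", responseElements=_FAIL),
    _ev("signin.amazonaws.com", "ConsoleLogin", "203.0.113.7", responseElements=_FAIL),
    _ev("signin.amazonaws.com", "ConsoleLogin", "203.0.113.7", responseElements=_FAIL),
    _ev("signin.amazonaws.com", "ConsoleLogin", "192.0.2.9", responseElements={"ConsoleLogin": "Success"}),
    _ev("cloudtrail.amazonaws.com", "StopLogging", "198.51.100.4",
        userIdentity={"arn": "arn:aws:iam::111122223333:user/lab-user"}),
    _ev("ec2.amazonaws.com", "DescribeInstances", "198.51.100.4"),
]}
SAMPLE_OBJECT = gzip.compress(json.dumps(_RECORDS).encode())

# Rule 1: API calls that disable or alter the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# Rule 2: this many failed console logins from one source IP in a file.
FAILED_LOGIN_THRESHOLD = 3


def split_records(s3_object: bytes) -> list:
    """The s3 input + json filter + split filter from the Logstash config:
    gunzip, parse the envelope, emit one event per "Records" element."""
    return json.loads(gzip.decompress(s3_object)).get("Records", [])


def evaluate_alerts(events: list) -> list:
    """Run both rules over parsed events; returns alert dicts, rule 1 first."""
    alerts, failed = [], Counter()
    for ev in events:
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in TRAIL_TAMPERING:
            alerts.append({"rule": "cloudtrail_tampering", "event": ev["eventName"],
                           "actor": ev.get("userIdentity", {}).get("arn"),
                           "ip": ev.get("sourceIPAddress")})
        if ev.get("eventName") == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failed[ev.get("sourceIPAddress")] += 1
    for ip, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "console_login_failures", "ip": ip, "count": n})
    return alerts
```

In a real pipeline the same rules would be expressed as a Splunk saved search or a Kibana alert over the `aws-logs-*` index; the Python form makes the logic testable before it is deployed.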

#### 5. Practical Exercises
1. **Exercise 1: Configure GuardDuty and Security Hub**
   - Set up GuardDuty and Security Hub in your AWS account.
   - Integrate GuardDuty findings into Security Hub.
   - Generate sample findings, either with GuardDuty's built-in sample-findings option or by simulating suspicious activity against your own lab instance (e.g., SSH brute force attempts).
   - **Explanation**: Practicing the configuration and integration helps you understand the workflow and benefits of these services.

2. **Exercise 2: Integrate AWS Logs with SIEM**
   - Set up Splunk or ELK Stack to ingest AWS logs (CloudTrail, VPC Flow Logs, GuardDuty logs).
   - Create dashboards to visualize security events and findings.
   - Set up alerts for critical security events.
   - **Explanation**: Integration with SIEM tools enhances the monitoring and response capabilities by providing centralized log analysis.

3. **Exercise 3: Analyze Security Findings**
   - Review findings in Security Hub and your SIEM solution.
   - Investigate a sample finding and document the steps taken to analyze and respond to the security event.
   - **Explanation**: Analyzing findings and responding to them ensures that you can effectively manage and mitigate security threats.
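A triage helper for the SSH brute-force finding that Exercise 1 produces and Exercise 3 asks you to investigate, written for this page as an added example (not GuardDuty's or the course's code); the finding is constructed in the layout of GuardDuty's JSON export, and the VPC address ranges and the Critical severity band are assumptions:

```python
import ipaddress
# Constructed GuardDuty finding, trimmed to the fields this triage reads and
# laid out as in the GuardDuty JSON export (lowerCamelCase). Not real data.
SAMPLE_FINDING = {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 2,
    "accountId": "111122223333",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"count": 41, "eventFirstSeen": "2024-05-01T09:40:00Z",
                "eventLastSeen": "2024-05-01T10:05:00Z",
                "action": {"actionType": "NETWORK_CONNECTION",
                           "networkConnectionAction": {
                               "connectionDirection": "INBOUND",
                               "localPortDetails": {"port": 22},
                               "remoteIpDetails": {"ipAddressV4": "203.0.113.50"}}}},
}
# Assumption: the RFC 1918 ranges your lab VPCs are built from.
VPC_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def severity_label(score: float) -> str:
    """GuardDuty bands: Low 1-3.9, Medium 4-6.9, High 7-8.9; 9+ -> CRITICAL (assumed)."""
    if score >= 9:
        return "CRITICAL"
    if score >= 7:
        return "HIGH"
    return "MEDIUM" if score >= 4 else "LOW"


def triage(finding: dict) -> dict:
    """Flatten the finding to what the analyst records, and decide whether it
    needs escalation beyond routine handling of a low-severity finding."""
    net = finding["service"].get("action", {}).get("networkConnectionAction", {})
    remote = net.get("remoteIpDetails", {}).get("ipAddressV4")
    direction = net.get("connectionDirection")
    label = severity_label(finding["severity"])
    reasons = []
    if label in ("HIGH", "CRITICAL"):
        reasons.append("severity band")
    if direction == "OUTBOUND":  # our instance is doing the brute forcing: treat as compromised
        reasons.append("instance is the source of the attempts")
    if remote and any(ipaddress.ip_address(remote) in n for n in VPC_RANGES):
        reasons.append("attempts originate inside the VPC address space")  # lateral movement signal
    return {"type": finding["type"], "severity": label,
            "instance": finding["resource"]["instanceDetails"]["instanceId"],
            "direction": direction, "remote_ip": remote,
            "port": net.get("localPortDetails", {}).get("port"),
            "attempts": finding["service"].get("count"),
            "escalate": bool(reasons), "escalation_reasons": reasons}
```

The returned dict is the record to paste into your investigation notes; an inbound, low-severity finding from the public internet is routine (tighten the security group), while an outbound or VPC-internal source means the instance itself needs to be isolated and examined.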

### Outcomes:
- Understand the key AWS security services: GuardDuty and Security Hub.
- Learn how to set up and configure AWS GuardDuty and Security Hub.
- Gain experience integrating AWS security logs into a SIEM solution.
- Develop skills in monitoring and responding to security events using AWS and SIEM tools.