In [None]:
%pip install -r requirements.txt

In [1]:
import polars as pl
import pandas
import os, duckdb

# Data Definition Language

In [2]:
con = duckdb.connect('seclake_analysis.db')

In [9]:
con.sql("CREATE TABLE route53 as select * from parquet_scan('data/route53/*/*/*.gz.parquet', hive_partitioning=false)")

FloatProgress(value=0.0, layout=Layout(width='auto'), style=ProgressStyle(bar_color='black'))

In [10]:
con.sql("CREATE TABLE eks as select * from parquet_scan('data/eks/*/*/*.gz.parquet', hive_partitioning=false)")

FloatProgress(value=0.0, layout=Layout(width='auto'), style=ProgressStyle(bar_color='black'))

In [8]:
con.sql("CREATE TABLE sechub as select * from read_parquet('data/sechub/*/*/*.gz.parquet', hive_partitioning=false)")

In [7]:
con.sql("CREATE TABLE cloudtrail as select * from read_parquet('data/cloudtrail/*/*6*1*/*.gz.parquet', hive_partitioning=false)")

FloatProgress(value=0.0, layout=Layout(width='auto'), style=ProgressStyle(bar_color='black'))

In [None]:
con.sql("CREATE TABLE vpcflow as select * from read_parquet('data/vpcflow/*/*/*.gz.parquet', hive_partitioning=false)")

### helper table DDL

In [101]:
con.sql("create table aws_account_info as select * from read_csv('helper_tables/aws_account_information.csv')")

In [None]:
con.sql("create table kev as select * from read_csv('helper_tables/known_exploited_vulnerabilities.csv')")

In [3]:
con.sql("create table epss as select * from read_csv('https://epss.cyentia.com/epss_scores-current.csv.gz',  compression='gzip')")

HTTPException: HTTP Error: HTTP GET error on 'https://epss.cyentia.com/epss_scores-current.csv.gz' (HTTP 400)

# Creating helpful views

The Amazon SecurityHub integration with Security Lake streams ALL finding changes to our buckets. While this maybe helpful for certain analytics, often teams want to understand what the current state of SecurityHub is and its issues across accounts.

These can be replicated in AWS Athena: [AWS Athena User Guide - Working with views](https://docs.aws.amazon.com/athena/latest/ug/views.html)

### Creating a view of the current status of all SecurityHub findings based on the latest record per unique finding ID

```sql
    CREATE VIEW sechub_current as 
    SELECT sechub.* FROM sechub 
    JOIN (SELECT MAX(time_dt) AS latest, finding_info.uid FROM sechub GROUP BY finding_info.uid) latest_finding_status 
    ON sechub.finding_info.uid = latest_finding_status.uid AND sechub.time_dt = latest_finding_status.latest;
```


In [None]:
con.sql("""
    CREATE VIEW sechub_current as 
    SELECT sechub.* FROM sechub 
    JOIN (SELECT MAX(time_dt) AS latest, finding_info.uid FROM sechub GROUP BY finding_info.uid) latest_finding_status 
    ON sechub.finding_info.uid = latest_finding_status.uid AND sechub.time_dt = latest_finding_status.latest;
""")

# Loading additional helpful data sources

### AWS Account Metadata table

Having a table of AWS Account IDs to helpful metadata will allow you to produce more actionable reports

In [102]:
con.sql("select * from aws_account_info")

┌──────────────┬───────────┬────────────────────┬─────────────────────┐
│  account_id  │ env_level │    owner_email     │    account_alias    │
│    int64     │  varchar  │      varchar       │       varchar       │
├──────────────┼───────────┼────────────────────┼─────────────────────┤
│ 137294155267 │ prod      │ dakota@example.com │ super_secret_prod   │
│ 211125761087 │ prod      │ bob@example.com    │ its_just_dev        │
│ 637423320304 │ prod      │ rick@example.com   │ financial_data_here │
└──────────────┴───────────┴────────────────────┴─────────────────────┘

### CISA KEV

Great and free source for assisting with vulnerability prioritzation using a list of CVEs that are known to have been observed being exploited in the wild


In [19]:
con.sql("select * from kev limit 10")

┌────────────────┬───────────────┬──────────────────────┬───┬────────────┬──────────────────────┬─────────┐
│     cveID      │ vendorProject │       product        │ … │  dueDate   │ knownRansomwareCam…  │  notes  │
│    varchar     │    varchar    │       varchar        │   │    date    │       varchar        │ varchar │
├────────────────┼───────────────┼──────────────────────┼───┼────────────┼──────────────────────┼─────────┤
│ CVE-2021-27104 │ Accellion     │ FTA                  │ … │ 2021-11-17 │ Known                │ NULL    │
│ CVE-2021-27102 │ Accellion     │ FTA                  │ … │ 2021-11-17 │ Known                │ NULL    │
│ CVE-2021-27101 │ Accellion     │ FTA                  │ … │ 2021-11-17 │ Known                │ NULL    │
│ CVE-2021-27103 │ Accellion     │ FTA                  │ … │ 2021-11-17 │ Known                │ NULL    │
│ CVE-2021-21017 │ Adobe         │ Acrobat and Reader   │ … │ 2021-11-17 │ Unknown              │ NULL    │
│ CVE-2021-28550 │ Adobe    

# Vulnerability and Configuration Management

### Active SecHub Findings by AWS Account

```sql
SELECT cloud.account.uid, severity, count(*) AS cnt 
FROM sechub_current 
WHERE status IN ('New', 'Notified') 
GROUP BY cloud.account.uid, severity
```

In [22]:
con.sql("select cloud.account.uid, severity, count(*) as cnt from sechub_current where status in ('New', 'Notified') group by cloud.account.uid, severity")

┌──────────────┬───────────────┬───────┐
│     uid      │   severity    │  cnt  │
│   varchar    │    varchar    │ int64 │
├──────────────┼───────────────┼───────┤
│ 137294155267 │ Informational │     8 │
│ 137294155267 │ High          │   142 │
│ 137294155267 │ Medium        │   155 │
│ 137294155267 │ Critical      │    10 │
│ 137294155267 │ Low           │    27 │
│ 637423320304 │ Medium        │     5 │
└──────────────┴───────────────┴───────┘

In [23]:
con.sql("select cloud.account.uid, class_name, count(*) as count from sechub_current group by cloud.account.uid, class_name order by cloud.account.uid")

┌──────────────┬───────────────────────┬───────┐
│     uid      │      class_name       │ count │
│   varchar    │        varchar        │ int64 │
├──────────────┼───────────────────────┼───────┤
│ 137294155267 │ Compliance Finding    │     1 │
│ 137294155267 │ Detection Finding     │   288 │
│ 137294155267 │ Vulnerability Finding │    53 │
│ 637423320304 │ Detection Finding     │     4 │
│ 637423320304 │ Compliance Finding    │     3 │
└──────────────┴───────────────────────┴───────┘

In [5]:
con.sql("select cloud.account.uid, severity, count(*) as cnt from sechub_current where status in ('New', 'Notified') and class_name='Vulnerability Finding' group by cloud.account.uid, severity")

┌──────────────┬───────────────┬───────┐
│     uid      │   severity    │  cnt  │
│   varchar    │    varchar    │ int64 │
├──────────────┼───────────────┼───────┤
│ 137294155267 │ High          │    14 │
│ 137294155267 │ Informational │     8 │
│ 137294155267 │ Medium        │    21 │
│ 137294155267 │ Critical      │    10 │
└──────────────┴───────────────┴───────┘

```sql
SELECT 
    vulnerability.cve.uid, 
    vulnerability.cve.epss.score as score
    cloud.account.uid, 
    severity,
    FROM (
            select unnest(vulnerabilities) as vulnerability, cloud, severity from sechub_current where status in ('New', 'Notified') and class_name='Vulnerability Finding')
    ORDER BY severity, score
```

In [39]:
con.sql("select vulnerability.cve.uid, vulnerability.cve.epss.score as score, cloud.account.uid, severity from (select unnest(vulnerabilities) as vulnerability, cloud, severity from sechub_current where status in ('New', 'Notified') and class_name='Vulnerability Finding') order by severity, score")

┌─────────────────────┬─────────┬──────────────┬──────────┐
│         uid         │  score  │     uid      │ severity │
│       varchar       │ varchar │   varchar    │ varchar  │
├─────────────────────┼─────────┼──────────────┼──────────┤
│ CVE-2023-46233      │ 0.00067 │ 137294155267 │ Critical │
│ CVE-2023-26136      │ 0.00108 │ 137294155267 │ Critical │
│ CVE-2020-15084      │ 0.00197 │ 137294155267 │ Critical │
│ CVE-2023-37903      │ 0.00248 │ 137294155267 │ Critical │
│ CVE-2023-37466      │ 0.00348 │ 137294155267 │ Critical │
│ CVE-2015-9235       │ 0.00559 │ 137294155267 │ Critical │
│ CVE-2020-12265      │ 0.00619 │ 137294155267 │ Critical │
│ CVE-2023-32314      │ 0.01236 │ 137294155267 │ Critical │
│ CVE-2019-10744      │ 0.01478 │ 137294155267 │ Critical │
│ GHSA-5mrr-rgp6-x4gr │ NULL    │ 137294155267 │ Critical │
│       ·             │  ·      │      ·       │   ·      │
│       ·             │  ·      │      ·       │   ·      │
│       ·             │  ·      │      ·

# Utilizing Observables for Fun and Profit

OCSF provides an observables column, which is designed to surface common entities across an event. In the case of SecurityHub findings, SecurityLake will transform ASFF findings and include things like AWS Resources, or GuardDuty finding targets in the observables. 

#### AWS Inspector Container vulnerability scan

```json
[
  {
    "name": "resource.uid",
    "value": "arn:aws:ecr:us-east-1:137294155267:repository/juiceshop/sha256:1ee9b8d6e89e8faee4c4c1a7a31931509032f8ac095e1d3664bc5a49c1ee778b",
    "type": "Resource UID",
    "type_id": 10
  }
]
```

#### AWS GuardDuty Finding

```json
[
  {
    "name": "resources[].uid",
    "value": "arn:aws:ec2:us-east-1:137294155267:instance/i-99999999",
    "type": "Resource UID",
    "type_id": 10
  },
  {
    "name": "evidences[].actor.process.user.name",
    "value": "ec2-user",
    "type": "User Name",
    "type_id": 4
  },
  {
    "name": "resources[].uid",
    "value": "GeneratedFindingContainerId",
    "type": "Resource UID",
    "type_id": 10
  }
]
```

### Unique Observable types in SecHub findings

In [76]:
con.sql("SELECT distinct observable.name from (SELECT *, unnest(observables) as observable FROM sechub_current) ")

┌───────────────────────────────────────────────┐
│                     name                      │
│                    varchar                    │
├───────────────────────────────────────────────┤
│ evidences[].actor.process.name                │
│ evidences[].query.hostname                    │
│ evidences[].process.file.hashes[].value       │
│ evidences[].process.user.name                 │
│ evidences[].actor.process.user.name           │
│ resource.uid                                  │
│ resources[].uid                               │
│ evidences[].actor.process.file.hashes[].value │
│ evidences[].src_endpoint.ip                   │
│ evidences[].process.name                      │
│ evidences[].dst_endpoint.ip                   │
├───────────────────────────────────────────────┤
│                    11 rows                    │
└───────────────────────────────────────────────┘

### Count of SecHub findings associated with a particular AWS Resource

Viewing resources with the highest number of active sechub findings associated with them could be a method of identifying risky assets that deserve further analysis

```sql
SELECT resources.value AS VALUE, count(*) AS count 
FROM (SELECT unnest(observables) AS resources FROM sechub_current) 
WHERE (value like 'arn%' or value like 'AWS%') 
GROUP BY resources.value 
ORDER BY count desc
```

In [24]:
con.sql("select resources.value as value, count(*) as count from (select unnest(observables) as resources from sechub_current) where (value like 'arn%' or value like 'AWS%') group by resources.value order by count desc")

┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────┬───────┐
│                                                    value                                                     │ count │
│                                                   varchar                                                    │ int64 │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────┼───────┤
│ arn:aws:ec2:us-east-1:137294155267:instance/i-99999999                                                       │   230 │
│ arn:aws:eks:us-east-1:137294155267:cluster/GeneratedFindingEKSClusterName                                    │    73 │
│ AWS::IAM::AccessKey:GeneratedFindingAccessKeyId                                                              │    57 │
│ arn:aws:ecr:us-east-1:137294155267:repository/juiceshop/sha256:1ee9b8d6e89e8faee4c4c1a7a31931509032f8ac095…  │    51 │
│ arn:aws:ecs:region:12345678900

## Finding all events that occured against a given resource in CloudTrail

```sql
SELECT api.operation, observable.value, time FROM 
(SELECT *, unnest(observables) as observable FROM cloudtrail) 
WHERE observable.value LIKE 'arn:aws:ecr:us-east-1:%:repository/%'
```

In [73]:
con.sql("SELECT distinct api.operation, observable.value from (SELECT *, unnest(observables) as observable FROM cloudtrail) where observable.value like 'arn:aws:ecr:us-east-1:%:repository/%' ")

┌──────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────┐
│      operation       │                                             value                                             │
│       varchar        │                                            varchar                                            │
├──────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────┤
│ CreateRepository     │ arn:aws:ecr:us-east-1:137294155267:repository/juiceshop                                       │
│ DescribeRepositories │ arn:aws:ecr:us-east-1:137294155267:repository/juiceshop                                       │
│ DescribeImages       │ arn:aws:ecr:us-east-1:137294155267:repository/juiceshop                                       │
│ DescribeImages       │ arn:aws:ecr:us-east-1:137294155267:repository/repository22e53bbd-qiifj2kgxqdx                 │
│ GetRepositoryPolicy  │ arn:aws

# event classes across log sources



It is worth spending the time to understand how AWS translates native log sources to OCSF subclasses

In [82]:
con.sql('select category_name, class_name, count(class_name) as cnt from cloudtrail group by category_name, class_name')

┌──────────────────────────────┬────────────────┬───────┐
│        category_name         │   class_name   │  cnt  │
│           varchar            │    varchar     │ int64 │
├──────────────────────────────┼────────────────┼───────┤
│ Application Activity         │ API Activity   │ 85266 │
│ Identity & Access Management │ Authentication │  2961 │
└──────────────────────────────┴────────────────┴───────┘

In [83]:
con.sql('select category_name, class_name, count(class_name) as cnt from sechub group by category_name, class_name')

┌───────────────┬───────────────────────┬───────┐
│ category_name │      class_name       │  cnt  │
│    varchar    │        varchar        │ int64 │
├───────────────┼───────────────────────┼───────┤
│ Findings      │ Detection Finding     │   579 │
│ Findings      │ Compliance Finding    │   103 │
│ Findings      │ Vulnerability Finding │    53 │
└───────────────┴───────────────────────┴───────┘

In [84]:
con.sql('select category_name, class_name, count(class_name) as cnt from vpcflow group by category_name, class_name')

┌──────────────────┬──────────────────┬─────────┐
│  category_name   │    class_name    │   cnt   │
│     varchar      │     varchar      │  int64  │
├──────────────────┼──────────────────┼─────────┤
│ Network Activity │ Network Activity │ 1959325 │
└──────────────────┴──────────────────┴─────────┘

In [85]:
con.sql('select category_name, class_name, count(class_name) as cnt from route53 group by category_name, class_name')

┌──────────────────┬──────────────┬───────┐
│  category_name   │  class_name  │  cnt  │
│     varchar      │   varchar    │ int64 │
├──────────────────┼──────────────┼───────┤
│ Network Activity │ DNS Activity │ 20668 │
└──────────────────┴──────────────┴───────┘

In [87]:
con.sql('select distinct category_name, class_name, count(class_name) from eks group by category_name, class_name')

┌──────────────────────┬──────────────┬───────────────────┐
│    category_name     │  class_name  │ count(class_name) │
│       varchar        │   varchar    │       int64       │
├──────────────────────┼──────────────┼───────────────────┤
│ Application Activity │ API Activity │           9388581 │
└──────────────────────┴──────────────┴───────────────────┘

# Network Traffic Analysis

Source and destination connection information mapped to src_endpoint and dst_endpoint objects

```sql
SELECT DISTINCT 
    src_endpoint.ip as srcip, 
    src_endpoint.port as srcprt, 
    dst_endpoint.ip as dstip, 
    dst_endpoint.port as dstprt 
FROM vpcflow 
```

In [14]:
con.sql("select distinct src_endpoint.ip as srcip, src_endpoint.port as srcprt, dst_endpoint.ip as dstip, dst_endpoint.port as dstprt from vpcflow")

┌─────────────────┬────────┬──────────────┬────────┐
│      srcip      │ srcprt │    dstip     │ dstprt │
│     varchar     │ int32  │   varchar    │ int32  │
├─────────────────┼────────┼──────────────┼────────┤
│ 165.154.120.253 │  40307 │ 10.0.1.151   │  42901 │
│ 193.163.125.184 │  33098 │ 10.0.36.53   │  49183 │
│ 44.213.45.216   │      0 │ 10.0.81.48   │      0 │
│ 10.0.1.151      │  56994 │ 52.46.133.88 │    443 │
│ 52.46.133.88    │    443 │ 10.0.1.151   │  56994 │
│ 162.216.149.44  │  49577 │ 10.0.1.151   │  52951 │
│ 180.118.254.16  │  35360 │ 10.0.36.53   │  27015 │
│ 35.203.211.147  │  49195 │ 10.0.36.53   │  11028 │
│ 87.246.7.46     │  53382 │ 10.0.36.53   │   4034 │
│ 8.222.200.88    │  53322 │ 10.0.1.151   │   2222 │
│      ·          │    ·   │     ·        │     ·  │
│      ·          │    ·   │     ·        │     ·  │
│      ·          │    ·   │     ·        │     ·  │
│ 52.15.109.126   │  38866 │ 10.0.81.48   │  12165 │
│ 82.223.35.114   │  59990 │ 10.0.36.53   │   

# Threat Hunting Queries!!!!

In [None]:
con.sql('select distinct api.operation from cloudtrail')

┌──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                                         api                                                          │
│ struct(response struct(error varchar, message varchar, "data" varchar), operation varchar, "version" varchar, serv…  │
├──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ {'response': NULL, 'operation': GetBucketAcl, 'version': NULL, 'service': {'name': s3.amazonaws.com}, 'request': {…  │
│ {'response': NULL, 'operation': GetBucketAcl, 'version': NULL, 'service': {'name': s3.amazonaws.com}, 'request': {…  │
│ {'response': NULL, 'operation': GetBucketAcl, 'version': NULL, 'service': {'name': s3.amazonaws.com}, 'request': {…  │
│ {'response': {'error': NULL, 'message': NULL, 'data': {"credentials":{"accessKeyId":"ASIAR7526RYB7JNRDPWR","sessio…  │
│ {'response': {'error': NULL, '