Decoding AWS CloudTrail with OSSEC
Presented By: Barry O Meara – Pre Sales Engineer EMEA
AGENDA:
• Why?
• Enabling AWS CloudTrail
• OSSEC AWS CloudTrail DECODER
• How AlienVault USM decodes these events
• How to use your audit reports
Why? Scenario: make an audit trail and follow the user:
• Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
• Implement automated audit trails for all system components to reconstruct the following events:
  • All actions taken by any individual with root or administrative privileges
  • Invalid logical access attempts
  • Use of identification and authentication mechanisms
  • Creation and deletion of system level objects
Stuff To Record:
• User identification
• Type of event
• Date and time
  • Time must be synchronized across all systems
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource.
Stuff to Decode – AWS Event Translation

| EVENT | AWS EVENT |
|---|---|
| EVENT VERSION | `"eventVersion":"1.02"` (very important: the field layout depends on it) |
| EVENT ID | `"eventID":"7d4ad9fe-ce06-472a-b995-1685f1370a67"` |
| EVENT TIME | `"eventTime":"2014-09-03T08:59:37Z"` |
| USER ID | `u'147023721278'`, taken from the parent object `"userIdentity":` |
| EVENT | `"eventName":"GetTrailStatus"` |
| USER AGENT | `"userAgent":"console.amazonaws.com"` |
| SOURCE IP | `"sourceIPAddress":"62.77.185.113"` |
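The field translation above, written out as a small Python decoder. This is an added example, not code from the deck or from the OSSEC decoder; the record is constructed from the slide's values, and the `userIdentity` sub-fields (`type`, `userName`, `arn`) and the `errorCode` check used for the success/failure indication are standard CloudTrail fields assumed here rather than taken from the slides.

```python
import json

# Constructed sample record built from the values on the slide (not a real
# captured event); the userIdentity sub-fields are assumed CloudTrail fields.
SAMPLE_RECORD = json.dumps({
    "eventVersion": "1.02",
    "eventID": "7d4ad9fe-ce06-472a-b995-1685f1370a67",
    "eventTime": "2014-09-03T08:59:37Z",
    "userIdentity": {"type": "Root", "accountId": "147023721278",
                     "arn": "arn:aws:iam::147023721278:root"},
    "eventName": "GetTrailStatus",
    "userAgent": "console.amazonaws.com",
    "sourceIPAddress": "62.77.185.113",
})

# Versions this decoder's field mapping was written against.
SUPPORTED_VERSIONS = {"1.01", "1.02"}


def decode_cloudtrail(raw):
    """Map one CloudTrail JSON record to the audit fields the deck lists."""
    rec = json.loads(raw)
    version = rec.get("eventVersion")
    if version not in SUPPORTED_VERSIONS:
        # The layout can change between versions; refuse rather than guess.
        raise ValueError("unsupported eventVersion: %r" % version)
    ident = rec.get("userIdentity", {})
    # User identification: IAM users carry userName, root carries only the
    # accountId, assumed roles carry the session ARN. Pick the most specific.
    user = ident.get("userName") or ident.get("arn") or ident.get("accountId")
    return {
        "event_version": version,
        "event_id": rec["eventID"],
        "event_time": rec["eventTime"],          # always UTC in CloudTrail
        "user_id": ident.get("accountId"),       # the u'147023721278' value
        "user_type": ident.get("type"),
        "user": user,
        "event": rec["eventName"],
        "user_agent": rec.get("userAgent"),
        "src_ip": rec.get("sourceIPAddress"),
        # Success or failure indication: CloudTrail adds errorCode only when
        # the API call was denied or failed.
        "outcome": "failure" if "errorCode" in rec else "success",
        "error": rec.get("errorCode"),
    }
```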
DEEP DIVE