This guide provides a step-by-step walkthrough of all the commands you will need during the hands-on portion of the workshop. If you have questions, feel free to ask your group moderator.
Helpful Links
- All Available Rule Functions
- What is Deep_Get?
- What are Packs?
- Panther Analysis Tool
- Lookup Tables
- Unit Tests
- MITRE ATT&CK Mapping in Panther
Part 1 - Prepare Detection Writing
- In the Panther Console - Navigate to Build > Detections > Create New
- Give it a unique name "[YOUR NAME] Failed Login IAM Detection"
- Set Severity to "Medium" and Log Types "AWS.CloudTrail"
Part 2 - Create Unit Test
- Select the "Functions and Tests" tab below
- Scroll down and select the "Create Test" button
- Delete the pre-populated brackets, then copy and paste the sample event below into your console
CloudTrail IAM Sample Log
{
  "additionalEventData": {
    "LoginTo": "https://console.aws.amazon.com/console/",
    "MFAUsed": "No",
    "MobileVersion": "No"
  },
  "awsRegion": "us-east-1",
  "eventID": "1",
  "eventName": "ConsoleLogin",
  "eventSource": "signin.amazonaws.com",
  "eventTime": "2019-01-01T00:00:00Z",
  "eventType": "AwsConsoleSignIn",
  "eventVersion": "1.05",
  "p_event_time": "2021-06-04 09:59:53.650807",
  "p_log_type": "AWS.CloudTrail",
  "p_parse_time": "2021-06-04 10:02:33.650807",
  "recipientAccountId": "123456789012",
  "requestParameters": null,
  "responseElements": {
    "ConsoleLogin": "Failure"
  },
  "sourceIPAddress": "111.111.111.111",
  "userAgent": "Mozilla",
  "userIdentity": {
    "accountId": "123456789012",
    "arn": "arn:aws:iam::123456789012:user/tester",
    "principalId": "1111",
    "type": "IAMUser",
    "userName": "tester"
  }
}
Part 3 - Writing your detection code
- Import the deep_get function from the panther_base_helpers library
from panther_base_helpers import deep_get
- All rules require a "rule" function that returns a boolean to decide whether an alert is triggered: True fires an alert
- Create a rule function with
def rule(event):
- To write the rule, identify the event attributes that indicate a failed login. These are "eventName" (equal to "ConsoleLogin") and the nested "responseElements" > "ConsoleLogin" field (equal to "Failure")
- Using event.get and deep_get to read attributes from the event log, write a return statement that is True when a console login attempt fails
Answer
from panther_base_helpers import deep_get

def rule(event):
    # Fire only when a ConsoleLogin event reports a failed login in its nested response
    return event.get("eventName") == "ConsoleLogin" and deep_get(event, "responseElements", "ConsoleLogin") == "Failure"
Part 1 - Clone a Managed Detection
- In the Panther Console - Navigate to Build > Packs > Panther Core AWS Pack
- Select the AWS GuardDuty High Severity Finding
- Select Clone & Edit on the top right. If you're using a shared dev instance, copy and paste the detection into a new one instead; do NOT use Clone & Edit, to avoid merge conflicts
Part 2 - Prepare Unit Test
- Give the detection a unique name that includes your name, for example "AWS GuardDuty High Severity Finding - [YOUR NAME]"
- Select Functions & Tests
- Scroll down and populate the test with the log below, if it is not already populated
CloudTrail GuardDuty Log
{
  "accountId": "123456789012",
  "arn": "arn:aws:guardduty:us-west-2:123456789012:detector/111111bbbbbbbbbb5555555551111111/finding/90b82273685661b9318f078d0851fe9a",
  "createdAt": "2020-02-14T18:12:22.316Z",
  "description": "Principal AssumedRole:IAMRole attempted to add a highly permissive policy to themselves.",
  "id": "eeb88ab56556eb7771b266670dddee5a",
  "partition": "aws",
  "region": "us-east-1",
  "schemaVersion": "2.0",
  "service": {
    "action": {
      "actionType": "AWS_API_CALL",
      "awsApiCallAction": {
        "affectedResources": {
          "AWS::IAM::Role": "arn:aws:iam::123456789012:role/IAMRole"
        },
        "api": "PutRolePolicy",
        "callerType": "Domain",
        "domainDetails": {
          "domain": "cloudformation.amazonaws.com"
        },
        "serviceName": "iam.amazonaws.com"
      }
    },
    "additionalInfo": {},
    "archived": false,
    "count": 1,
    "detectorId": "111111bbbbbbbbbb5555555551111111",
    "eventFirstSeen": "2020-02-14T17:59:17Z",
    "eventLastSeen": "2020-02-14T17:59:17Z",
    "evidence": null,
    "resourceRole": "TARGET",
    "serviceName": "guardduty"
  },
  "severity": 8,
  "title": "Principal AssumedRole:IAMRole attempted to add a policy to themselves that is highly permissive.",
  "type": "PrivilegeEscalation:IAMUser/AdministrativePermissions",
  "updatedAt": "2020-02-14T18:12:22.316Z"
}
Part 3 - Tune Detection with Severity Function
- Capture all GuardDuty findings as alerts in Panther, but tune out the lower-severity ones.
- Modify the rule function to alert on events from severity 1 to 10
- To reduce the noise from this detection, use the severity function to categorize alerts dynamically
- Use an IF statement to send alerts with severity 5 and below to the "INFO" level and 8 and above to "HIGH". For any other severity, return "MEDIUM"
Answer
def severity(event):
    # GuardDuty severity is a number from 0 to 10; bucket it into three Panther levels
    if float(event.get("severity", 0)) <= 5.0:
        return "INFO"
    if float(event.get("severity", 0)) >= 8.0:
        return "HIGH"
    return "MEDIUM"
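To check both answers offline before pasting them into the console, here is an added example (not Panther's code) that runs the Part 3 rule function from the first exercise and the severity function from this exercise against constructed events. It assumes a local deep_get that behaves like the panther_base_helpers one, and includes the case where responseElements is null, which is why deep_get is used instead of chained indexing.

```python
def deep_get(obj, *keys, default=None):
    # Assumption: stand-in for panther_base_helpers.deep_get. Walks nested
    # dicts and returns `default` when a key is missing or a level is not a
    # dict (e.g. "responseElements": null) instead of raising an exception.
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def rule(event):
    # Exercise 1 answer: fire only when a ConsoleLogin event reports "Failure".
    return (event.get("eventName") == "ConsoleLogin"
            and deep_get(event, "responseElements", "ConsoleLogin") == "Failure")

def severity(event):
    # Exercise 2 answer: bucket GuardDuty's 0-10 severity into three levels.
    sev = float(event.get("severity", 0))
    if sev <= 5.0:
        return "INFO"
    if sev >= 8.0:
        return "HIGH"
    return "MEDIUM"

def run_tests(cases):
    # Each case is (name, function, event, expected); returns the names of
    # the cases that did not match, so an empty list means all tests pass.
    return [name for name, fn, event, expected in cases if fn(event) != expected]

# Constructed events trimmed to the fields the two functions read.
FAILED_LOGIN = {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Failure"}}
GOOD_LOGIN = {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}}
NULL_RESPONSE = {"eventName": "ConsoleLogin", "responseElements": None}
OTHER_EVENT = {"eventName": "GetCallerIdentity"}

CASES = [
    ("failed login fires", rule, FAILED_LOGIN, True),
    ("successful login is quiet", rule, GOOD_LOGIN, False),
    ("null responseElements does not crash", rule, NULL_RESPONSE, False),
    ("non-login event is quiet", rule, OTHER_EVENT, False),
    ("severity 8 -> HIGH", severity, {"severity": 8}, "HIGH"),
    ("severity 5 -> INFO", severity, {"severity": 5}, "INFO"),
    ("severity 6.5 -> MEDIUM", severity, {"severity": 6.5}, "MEDIUM"),
    ("missing severity -> INFO", severity, {}, "INFO"),
]

if __name__ == "__main__":
    print("failing cases:", run_tests(CASES))  # prints: failing cases: []
```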
- Panther Managed Detections, as well as CrowdStrike detections, are automatically tagged with MITRE ATT&CK tactics and techniques
- We will add tags for MITRE ATT&CK technique to the first detection that we wrote
- Navigate to Build > MITRE ATT&CK
- Find the "Brute Force" technique under "Credential Access" and add your detection to it