Azure Security Community Public Webinar for Threat Hunting on AWS using Azure Sentinel

1. Welcome to the Azure Sentinel webinar
We will start at 2-3 minutes after the scheduled time to accommodate those
still connecting.
Questions? Feel free to type them in the instant message window at any time. Note that any
questions you post will be public. You have the option to post questions anonymously. After
the webinar, you can ask questions at https://aka.ms/AzureSentinelCommunity.
This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/SecurityWebinars.
Please give us your feedback on this webinar at
https://aka.ms/SecurityCommunityWebinarFeedback.
Join our Community: https://aka.ms/SecurityCommunity

2. Threat Hunting on AWS
using Azure Sentinel

3. AWS CloudTrail
Customizable workbooks
Built-in queries and analytics rules
Blog Link

6. Introduction to AWS Data Sources

7. Data Source Preferred Log Destination
CloudTrail CloudTrail/S3
S3 Access Logs/Object Level
Logging S3
VPC Flow Logs
S3
ELB Access Logs
S3
Route 53 DNS Logs
S3
SecurityHub Finding Format (ASFF) S3

8. Connect Azure Sentinel to AWS CloudTrail

9. Serverless Simple Cheap
Logic
Apps
  
Azure Functions
using
PowerShell
 ~ 
Logstash   

10. CloudTrail Demystified

11. S3 BucketTrailRegion
CloudTrail
Events
API

12. CloudTrail Schema
eventTime
eventVersion
userIdentity
eventSource
eventName
awsRegion
sourceIPAddress
userAgent
errorCode
errorMessage
requestParameters
responseElements
additionalEventData
requestID
eventID
eventType
apiVersion
managementEvent
readOnly
resources
recipientAccountId
serviceEventDetails
sharedEventID
vpcEndpointId

16. MITRE ATT&CK Framework
Use Cases for AWS

18. BACKDOOR BEHAVIOR CRYPTOCURRENCY RECON TROJAN UNAUTHORIZEDACCESS
Spambot NetworkPortUnusual BitcoinTool.B!DNS PortProbeUnprotectedPort BlackholeTraffic SSHBruteForce
C&CActivity.B!DNS TrafficVolumeUnusual BitcoinTool.B Portscan DropPoint RDPBruteForce
DenialOfService.Tcp PortProbeEMRUnprotectedPort BlackholeTraffic!DNS TorIPCaller
DenialOfService.Udp DriveBySourceTraffic!DNS MaliciousIPCaller.Custom
DenialOfService.Dns DropPoint!DNS TorClient
DenialOfService.UdpOnTcpPorts DGADomainRequest.B TorRelay
DenialOfService.UnusualProtocol DGADomainRequest.C!DNS MetadataDNSRebind
DNSDataExfiltration
PhishingDomainRequest!DNS
RECON
UNAUTHORIZED
ACCESS
PENTEST PERSISTENCE POLICY
PRIVILEGE
ESCALATION
RESOURCE
CONSUMPTION
STEALTH
TorIPCaller TorIPCaller KaliLinux NetworkPermissions
S3BlockPublic
AccessDisabled
Administrative
Permissions
ComputeResources
S3ServerAccessLogging
Disabled
MaliciousIPCaller.Custom MaliciousIPCaller.Custom ParrotLinux ResourcePermissions RootCredentialUsage PasswordPolicyChange
MaliciousIPCaller ConsoleLoginSuccess.B PentooLinux UserPermissions CloudTrailLoggingDisabled
NetworkPermissions MaliciousIPCaller
LoggingConfiguration
Modified
ResourcePermissions ConsoleLogin
UserPermissions
InstanceCredential
Exfiltration
Low Medium High

19. Failed AzureAD logons but
success logon to AWS
Console
New UserAgent observed
in last 24 hours
Changes to internet facing
AWS RDS Database
instances
Changes to
Amazon VPC
settings
Login to AWS
Management Console
without MFA
MFA disabled for a user
Tracking Privileged
Account Rare Activity
Suspicious Data Access
to S3 Bucket from
Unknown IP
S3 Bucket outbound
Data transfer
anomaly
Failed AWS Console
logons but success logon
to AzureAD
Exploit and Pentest
Framework User Agent
Changes to AWS Elastic
Load Balancer security
groups
Tracking Privileged
Account Rare
Activity
Changes to Amazon
VPC settings
Failed AzureAD logons but
success logon to
AWS Console
Monitor AWS
Credential abuse
or hijacking
Login to AWS Management
Console without MFA
Changes to AWS Security
Group ingress and egress
settings
Changes made to AWS
IAM policy
Changes made to
AWS IAM policy
Failed AWS Console
logons but success logon
to AzureAD
Changes to Amazon
VPC settings
Privileged role
attached to
Instance
Suspicious credential
token access of valid
IAM Roles
Known IRIDIUM IP
Suspicious credential
token access of valid
IAM Roles
Changes made to
AWS CloudTrail logs
(Preview) TI map IP entity
to AWSCloudTrail
New UserAgent observed
in last 24 hours
Exploit and Pentest
Framework User Agent
Known IRIDIUM IP
(Preview) TI map IP entity
to AWSCloudTrail
INITIAL
ACCESS
EXECUTION PERSISTENCE
PRIVILEGE
ESCALATION
DEFENSE
EVASION
CREDENTIAL
ACCESS
DISCOVERY COLLECTION EXFILTRATION
Low Medium High HuntingQuery

20. Demo :
Threat Hunting on Leaked Access
key/Compromised user

22. • 4/20/2020, 4:32:08.000 AM: CreateRole
• 4/20/2020, 4:32:08.000 AM: CreatePolicy
• 4/20/2020, 4:32:12.000 AM: AttachRolePolicy
• 4/20/2020, 5:08:51.000 AM: ListInstanceProfile
• 4/20/2020, 5:10:08.000 AM : ListRole
• 4/20/2020, 5:12:32.000 AM: RemoveRoleToInstance
• 4/20/2020, 5:13:28.000 AM: AddRoleToInstance
• 4/20/2020, 9:10:45.000 AM: Create Key Pair
• 4/20/2020, 9:25:13.000 AM: DescribeInstances
• 4/20/2020, 9:15:20.000 AM: Run Instances
• 4/20/2020, 9:26:47.000 AM: TerminateInstances
iam_privesc_by_attachment

23. http://aka.ms/azuresentinelthreathunters

24.  Azure for AWS Professionals
 What is AWS CloudTrail ?
MITRE ATT&CK Enterprise Matrix
OSSEM : Data dictionary for AWS Cloud Data sources
Guardduty Active Finding Types
Cloudgoat Scenario : iam_privesc_by_attachment

25. Thank You for Joining Us!
Recordings will be posted to our community forums at
https://aka.ms/SecurityWebinars.
You can ask additional questions at https://aka.ms/AzureSentinelCommunity.
Please give us your feedback on this webinar at
https://aka.ms/SecurityCommunityWebinarFeedback.
Join our Community: https://aka.ms/SecurityCommunity
For any questions or comments on our documentation (https://docs.microsoft.com)
contact directly at MSsecuritydocs@microsoft.com