Posts

My Methodology to AWS Detection Engineering (Part 3 - Variable Scoring)

Introduction

Welcome back to the series! In Part One and Two we discussed RBA object selection tailored to AWS identities and how to assign the numerical risk values to those objects using SPL. We also looked at basic examples of how those base scores could stack up for various objects to cross a defined threshold. All that was necessary to get us here: "variable scoring". We will explore some ideas to get you on your way with variable scoring in the skies of AWS. I want to stress again that this approach is derived from work I've done in my own time using Splunk, but it applies to other SIEM offerings and can be built using common programming languages like Python (which is a future project of mine). Anyway, let's get right into it.

Variable Scoring

Before we get too far, it may be helpful to define "variable scoring." Think of variable scoring like the thermostat in your home. The base score is the default temperature setting, providing a nice baseli

My Methodology to AWS Detection Engineering (Part 2: Risk Assignment)

Introduction

Welcome back to the second installment of the blog series discussing my methodology for threat detection engineering in AWS. I am humbled by the response to Part One, so thank you to everyone who reached out. I'm very happy that some of you found it helpful. In case you missed it, we covered RBA object selection for AWS and an example of how that could be of use. I recommend reading Part One before continuing here. But since you're back, I assume you are here for Part Two, so let's get into it. We will look at an example application of risk score assignment with the concepts discussed in Part One and the lessons I've learned using the available RBA features in Splunk ES. This will be a shorter post, as I want to focus on the key components that make up the risk assignment rule. Let's start by jumping right into the logic needed in this methodology.

Core Components: Initial Filter 1 in

My Methodology to AWS Detection Engineering (Part 1: Object Selection)

Introduction

Welcome to the first installment of my new blog series discussing my methodology for threat detection engineering in AWS. This blog assumes you are familiar with Splunk Enterprise Security, its terminology, and/or similar SIEM functionality related to "Risk-Based Alerting" concepts. If not, you can read some reference docs here and here, or if you prefer videos you can go here and here. Also, if you need a refresher on AWS CloudTrail userIdentity fields, see the official documentation here. To be clear, this is just what I have been doing, and it doesn't mean that it is prescriptive. While this approach may use Splunk at its core, the concepts apply to any SIEM that allows you to perform risk scoring or has the components to do so, such as creating indices, performing lookups, and using eval commands. That said, this concept is better stated t