
cloudtrail2sightings

How to use

  1. Download CloudTrail data into this directory. This project assumes any CloudTrail data it processes comes from an incident or from known attacks on your environment. To generate CloudTrail data tied to known attack techniques, you can use stratus-red-team, or use the flaws.cloud public dataset of logs from attacks on that environment.

I added cloudtrail.zip to the top level directory here if you want to play with a lot of Cloudtrail logs!

  2. Ensure the data is in the correct CloudTrail format: jq -r 'has("Records")' < ./path/to/datafile.json should return true. Data downloaded from CloudTrail is already in this format.
└> jq -r 'has("Records")' < event_history.json
true
  3. Append newlines to the data file (one to terminate the last line, plus one empty line). This ensures vector knows when to stop processing: echo "\n" >> ./path/to/datafile.json (in bash, echo prints "\n" literally unless given -e; printf '\n\n' >> ./path/to/datafile.json does the same in any shell).

  4. Change the include line in vector.toml to the path to your JSON file or files. Vector will write out a directory called local_cloudtrail_logs to keep track of which files it has processed; if it already exists, delete it: rm -rf local_cloudtrail_logs. It will also write all processed CloudTrail logs to sightings.json, which you can delete too: rm -rf sightings.json.

  5. Run vector: vector --config vector.toml. It will start writing data out to sightings.json.

  6. To run it again, combining steps 4 and 5: rm -rf sightings.json local_cloudtrail_logs/ && vector --config vector.toml

Processing sightings data: useful queries

  • Get all software_name values (the CloudTrail userAgent) to find interesting interactions in your environment:
jq -r --slurp '.[].software_name' < sightings.json | sort | uniq
  • Get all eventNames in your dataset with the corresponding technique_id (eventNames are stored in the raw_data field of the first technique):
jq -r --slurp '.[].techniques[0]|.technique_id, (.raw_data.eventName|join(","))' < sightings.json
  • Same query as before, but restricted to interesting software (like stratus-red-team):
jq -r --slurp '.[]|select(.software_name | startswith("stratus-red-team"))|.techniques[0] | .technique_id, (.raw_data.eventName|join(","))' < sightings.json
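As an added example (not part of the cloudtrail2sightings project), the format check from step 2 and the three jq queries above reimplemented in Python over a constructed newline-delimited sightings sample; it assumes only the record fields the queries reference (software_name, techniques[].technique_id, techniques[].raw_data.eventName) and skips records with no technique match, which the bare jq pipeline would fail on.

```python
import json
from collections import defaultdict

# Constructed sample of newline-delimited sightings output (not real data from
# cloudtrail2sightings); only the fields the README's jq queries reference are set.
SAMPLE_SIGHTINGS = """\
{"software_name": "stratus-red-team_abc123", "techniques": [{"technique_id": "T1580", "raw_data": {"eventName": ["DescribeInstances", "DescribeSecurityGroups"]}}]}
{"software_name": "aws-cli/2.11.0", "techniques": [{"technique_id": "T1078.004", "raw_data": {"eventName": ["GetCallerIdentity"]}}]}
{"software_name": "stratus-red-team_abc123", "techniques": [{"technique_id": "T1530", "raw_data": {"eventName": ["ListBuckets", "GetObject"]}}]}
{"software_name": "console.amazonaws.com", "techniques": []}
"""


def is_cloudtrail_export(text):
    """Equivalent of `jq -r 'has("Records")'`: True only for a raw CloudTrail export."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and "Records" in doc


def load_sightings(text):
    """Parse newline-delimited sightings JSON (what `jq --slurp` reads), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def software_names(sightings):
    """Distinct user agents, like `jq '.[].software_name' | sort | uniq`."""
    return sorted({s.get("software_name", "") for s in sightings})


def events_by_technique(sightings, software_prefix=None):
    """Map the first technique's technique_id to the eventNames seen under it.

    With software_prefix set this mirrors the stratus-red-team query. Records
    without a technique match are skipped rather than failing on null.
    """
    seen = defaultdict(set)
    for s in sightings:
        if software_prefix and not s.get("software_name", "").startswith(software_prefix):
            continue
        if not s.get("techniques"):
            continue
        first = s["techniques"][0]
        seen[first["technique_id"]].update(first.get("raw_data", {}).get("eventName", []))
    return {tid: sorted(events) for tid, events in seen.items()}
```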
