```shell
cscli collections install crowdsecurity/aws-cis-benchmark
```

⚠️ This version requires crowdsec version 1.5 ⚠️
This collection provides scenarios that cover the alarm requirements specified in the CIS AWS Foundations Benchmark (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html).

This collection is mostly intended for notification purposes: you'll need to update your /etc/crowdsec/profiles.yaml to add support for alerts without remediation.
For example, to send a Slack notification, add this to the top of the profile configuration file:
```yaml
name: aws_cloudtrail_notif
filters:
  - Alert.GetScenario() startsWith "crowdsecurity/aws-cis-benchmark-"
notifications:
  - http_cloudtrail_notif
on_success: break
---
```
Next, edit /etc/crowdsec/notifications/http.yaml (we use the raw HTTP notification plugin here because the Slack notification plugin only supports plain text without any formatting):
```yaml
type: http
name: http_cloudtrail_notif
log_level: info
format: |
  {{- $alerts_count := len . -}}
  {
    "attachments": [{
      "color": "#E01E5A",
      "blocks": [
        {{- range $index, $elem := . -}}
        {{- $region := GetMeta . "region" -}}
        {{- $event_uuid := GetMeta . "event_id" -}}
        {{- $account_id := GetMeta . "account_id" -}}
        {{- $event_name := GetMeta . "event_name" -}}
        {{- $user := GetMeta . "user_arn" -}}
        {
          "type": "header",
          "text": {
            "type": "plain_text",
            "emoji": true,
            "text": ":rotating_light: Cloudtrail Alarm :rotating_light:"
          }
        },
        {
          "type": "section",
          "text": {
            "type": "mrkdwn",
            "text": "<https://{{index $region 0}}.console.aws.amazon.com/cloudtrail/home?region={{index $region 0}}#/events/{{index $event_uuid 0}}|View the cloudtrail event in the AWS console>"
          }
        },
        {
          "type": "header",
          "text": {
            "type": "plain_text",
            "text": "Alert Details"
          }
        },
        {
          "type": "section",
          "text": {
            "type": "mrkdwn",
            "text": "*Scenario Name*: {{$elem.Scenario}}\n *Source IP*: {{$elem.Source.Value}}\n *Account ID*: {{index $account_id 0}}\n *Event Name*: {{index $event_name 0}}\n *User*: {{index $user 0}}"
          }
        },
        {
          "type": "header",
          "text": {
            "type": "plain_text",
            "text": "Events details"
          }
        },
        {
          "type": "section",
          "text": {
            "type": "mrkdwn",
            "text": "{{- range $elem.Events -}} {{- range .Meta -}}* *{{.Key}}*: {{.Value}} \n {{end}} {{end}}"
          }
        },
        {
          "type": "divider"
        }
        {{- if lt $index (sub $alerts_count 1) -}}
        ,
        {{- end -}}
        {{ end }}
      ]
    }]
  }
url: <SLACK_WEBHOOK_URL>
method: POST
---
```
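Before pointing the template above at a real webhook, it is worth rendering it offline and checking that the body is JSON Slack will parse. The following Go harness is an added example, not code from the collection or from the CrowdSec HTTP plugin: it renders a trimmed copy of the format (same range/GetMeta/index constructs, same comma-between-alerts logic, fewer blocks) with Go's text/template, using a local `getMeta` modelled on the plugin's GetMeta and a one-line `sub` standing in for the sprig function. The Alert/Event/Meta structs, the scenario name and every alert value are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Stand-ins for the alert fields the format template reads. The field names are
// assumptions modelled on the template ($elem.Scenario, $elem.Source.Value,
// $elem.Events[].Meta), not the real crowdsec models package.
type Meta struct{ Key, Value string }
type Event struct{ Meta []Meta }
type Source struct{ Value string }
type Alert struct {
	Scenario string
	Source   Source
	Events   []Event
}

// getMeta emulates the plugin's GetMeta helper (assumed behaviour): every Meta
// value carrying the requested key, collected across all events of the alert.
func getMeta(a Alert, key string) []string {
	var out []string
	for _, e := range a.Events {
		for _, m := range e.Meta {
			if m.Key == key {
				out = append(out, m.Value)
			}
		}
	}
	return out
}

// A trimmed copy of the http.yaml format: the same range/GetMeta/index
// constructs and the same comma-between-alerts logic, with fewer Slack blocks.
const slackTemplate = `{{- $alerts_count := len . -}}
{
  "attachments": [{
    "blocks": [
      {{- range $index, $elem := . -}}
      {{- $region := GetMeta . "region" -}}
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": "*Scenario Name*: {{$elem.Scenario}}\n *Source IP*: {{$elem.Source.Value}}\n *Region*: {{index $region 0}}"
        }
      },
      {
        "type": "section",
        "text": {
          "type": "mrkdwn",
          "text": "{{- range $elem.Events -}} {{- range .Meta -}}* *{{.Key}}*: {{.Value}} \n {{end}} {{end}}"
        }
      },
      { "type": "divider" }
      {{- if lt $index (sub $alerts_count 1) -}}
      ,
      {{- end -}}
      {{ end }}
    ]
  }]
}`

// Render executes the template as the plugin would, with GetMeta and a stand-in
// for sprig's sub supplied through a FuncMap; execution errors are returned.
func Render(alerts []Alert) (string, error) {
	funcs := template.FuncMap{"GetMeta": getMeta, "sub": func(a, b int) int { return a - b }}
	t := template.Must(template.New("slack").Funcs(funcs).Parse(slackTemplate))
	var buf bytes.Buffer
	if err := t.Execute(&buf, alerts); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ValidPayload reports whether the rendered body is JSON that Slack can parse.
func ValidPayload(alerts []Alert) bool {
	body, err := Render(alerts)
	return err == nil && json.Valid([]byte(body))
}

// SampleAlert builds a constructed alert carrying the "region" meta the template indexes.
func SampleAlert(scenario, ip, region string, extra ...Meta) Alert {
	meta := append([]Meta{{"region", region}}, extra...)
	return Alert{Scenario: scenario, Source: Source{Value: ip}, Events: []Event{{Meta: meta}}}
}

func main() {
	one := SampleAlert("crowdsecurity/aws-cis-benchmark-EXAMPLE", "198.51.100.7", "us-east-1")
	two := SampleAlert("crowdsecurity/aws-cis-benchmark-EXAMPLE", "203.0.113.9", "eu-west-1")
	fmt.Println("one alert -> valid JSON:", ValidPayload([]Alert{one}))
	fmt.Println("two alerts -> valid JSON:", ValidPayload([]Alert{one, two}))
	// Meta values are copied into JSON strings unescaped: a double quote in a
	// CloudTrail field (here a constructed user agent) breaks the whole payload.
	bad := SampleAlert("crowdsecurity/aws-cis-benchmark-EXAMPLE", "198.51.100.7", "us-east-1",
		Meta{"user_agent", `aws-cli/2.0 "quoted"`})
	fmt.Println("quote in meta -> valid JSON:", ValidPayload([]Alert{bad}))
	// An alert that carries no region meta makes `index $region 0` fail outright.
	_, err := Render([]Alert{{Scenario: "x", Events: []Event{{}}}})
	fmt.Println("missing region meta -> render error:", err != nil)
}
```

Two failure modes show up here that apply to the full format as well: meta values are interpolated into JSON strings without escaping, so a CloudTrail field containing a double quote or a backslash yields a body the webhook rejects, and `index $region 0` aborts rendering when an alert has no `region` meta, so the notification is dropped rather than sent incomplete. Watch the plugin's logs for rendering and delivery errors if alerts appear to go missing.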
More information about the notification system can be found in our documentation.
Example acquisition for this collection:
```yaml
source: kinesis
stream_name: cloudtrail-stream
from_subscription: true
labels:
  type: aws-cloudtrail
```