aws-cis-benchmark Collection by crowdsecurity

Installation

cscli collections install crowdsecurity/aws-cis-benchmark

Source code

⚠️ This version requires crowdsec version 1.5 ⚠️

This collections provides scenario to comply with the various alarms requirements specified in the CIS AWS Foundation Benchmark (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html)

This collection is mostly intended for notification purposes, you'll need to update your /etc/crowdsec/profiles.yaml to add support for alerts without remediation.

For example, to send a slack notification, add this to the top of the profile configuration file:

name: aws_cloudtrail_notif
filters:
 - Alert.GetScenario() startsWith "crowdsecurity/aws-cis-benchmark-"
notifications:
  - http_cloudtrail_notif
on_success: break
---

Next, edit /etc/crowdsec/notifications/http.yaml (we are using the raw HTTP notification plugin here because the slack notification plugin only support plain text without any formatting):

type: http
name: http_cloudtrail_notif
log_level: info
format: |
 {{- $alerts_count := len . -}}
 {
 "attachments": [{
 "color": "#E01E5A",
 "blocks": [
   {{- range $index, $elem := . -}}
   {{- $region := GetMeta . "region" -}}
   {{- $event_uuid := GetMeta . "event_id" -}}
   {{- $account_id := GetMeta . "account_id" -}}
   {{- $event_name := GetMeta . "event_name" -}}
   {{- $user := GetMeta . "user_arn" -}}
   {
     "type": "header",
     "text": {
       "type": "plain_text",
       "emoji": true,
       "text": ":rotating_light: Cloudtrail Alarm :rotating_light:"
     }
   },
   {
     "type": "section",
     "text": {
       "type": "mrkdwn",
       "text": "<https://{{index $region 0}}.console.aws.amazon.com/cloudtrail/home?region={{index $region 0}}#/events/{{index $event_uuid 0}}|View the cloudtrail event in the AWS console>"
     }
   },
   {
     "type": "header",
      "text": {
        "type": "plain_text",
        "text": "Alert Details"
      }
   },
   {
     "type": "section",
     "text": {
       "type": "mrkdwn",
       "text": "*Scenario Name*: {{$elem.Scenario}}\n *Source IP*: {{$elem.Source.Value}}\n *Account ID*: {{index $account_id 0}}\n *Event Name*: {{index $event_name 0}}\n *User*: {{index $user 0}}"
     }
   },
   {
     "type": "header",
     "text": {
       "type": "plain_text",
       "text": "Events details"
     }
   },
   {
     "type": "section",
     "text": {
       "type": "mrkdwn",
       "text": "{{- range $elem.Events -}} {{- range .Meta -}}* *{{.Key}}*: {{.Value}} \n {{end}} {{end}}"
     }
   },
   {
     "type": "divider"
   }
   {{- if lt $index (sub $alerts_count 1) -}}
   ,
   {{- end -}}
   {{ end }}
 ]
 }
 ]
 }
url: <SLACK_WEBHOOK_URL>
method: POST
---

More informations about the notification system can be found in our documentation

Example acquisition for this collection :

source: kinesis
stream_name: cloudtrail-stream
from_subscription: true
labels:
 type: aws-cloudtrail

Content

Hub collection

« aws-cis-benchmark »Collection
v0.1 by crowdsecurity

aws-cloudtrail

aws-cis-benchmark-cloudtrail-config-change

aws-cis-benchmark-config-config-change

aws-cis-benchmark-console-auth-fail

aws-cis-benchmark-iam-policy-change

aws-cis-benchmark-kms-deletion

aws-cis-benchmark-login-no-mfa

aws-cis-benchmark-nacl-change

aws-cis-benchmark-ngw-change

aws-cis-benchmark-root-usage

aws-cis-benchmark-route-table-change

aws-cis-benchmark-s3-policy-change

aws-cis-benchmark-security-group-change

aws-cis-benchmark-unauthorized-call

aws-cis-benchmark-vpc-change