Forum Discussion
Siedlarczyk95
May 11, 2020, Copper Contributor
AWS CloudTrail - "whois" Organization Whitelist
Hi all, I'm trying to create a custom alert trigger in Sentinel to filter source IP addresses from my CloudTrail logs, as I have well-defined whitelisted IPs (VPN). However some services like a...
Lewis-H
May 11, 2020, Iron Contributor
AWS WAF gives you additional protection against web attacks using conditions that you specify. You can define conditions by using characteristics of web requests such as the following:
• IP addresses that requests originate from.
• Country that requests originate from.
• Values in request headers.
• Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
• Length of requests.
• Presence of SQL code that is likely to be malicious (known as SQL injection).
• Presence of a script that is likely to be malicious (known as cross-site scripting).
• Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.
• Rules that you can reuse for multiple web applications.
• Managed rule groups from AWS and AWS Marketplace sellers.
• Real-time metrics and sampled web requests.
• Automated administration using the AWS WAF API.
Siedlarczyk95
May 11, 2020, Copper Contributor
Hi Lewis, thanks for the response.
I believe my challenge is a little bit different. I want to exclude IPs from Amazon ASNs from the query, just to monitor the outside-Amazon ones.
I would like to do something like a whois, get the org name Amazon, and if it matches, do not trigger.
I just couldn't find a way to use this sort of intel or command in the log query.
Best regards,
Lucas
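Editor's note, as an added example that is not code from this thread or from Microsoft or AWS: the usual substitute for a per-IP whois in a log query is the address list Amazon itself publishes, https://ip-ranges.amazonaws.com/ip-ranges.json, which turns the "org name is Amazon" check into a set-membership test. The script below shows that test run over CloudTrail records, together with the VPN allowlist from the original post and the non-IP values CloudTrail puts in sourceIPAddress for calls an AWS service makes on your behalf. The prefixes, VPN ranges and CloudTrail records are constructed sample data, and the function names are my own.

```python
"""Keep only CloudTrail events whose source is neither Amazon's own address
space nor an approved VPN egress range.

Added example, not code from the thread. It assumes Amazon's published
ip-ranges.json as the whois substitute; every prefix, address and event
below is constructed sample data."""

import ipaddress
import json

# Constructed stand-in for ip-ranges.json (the real file has thousands of
# prefixes and changes over time, so re-download it on a schedule).
IP_RANGES_JSON = """{
  "syncToken": "0",
  "prefixes": [
    {"ip_prefix": "52.94.76.0/22", "region": "us-west-2", "service": "AMAZON"},
    {"ip_prefix": "52.94.76.0/24", "region": "us-west-2", "service": "EC2"},
    {"ip_prefix": "18.130.0.0/16", "region": "eu-west-2", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON"}
  ]
}"""

# Constructed VPN egress ranges that are already approved.
VPN_ALLOWLIST = ["203.0.113.0/24"]

# Constructed CloudTrail records, reduced to the fields the filter needs.
CLOUDTRAIL_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.45"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "52.94.77.10"},
    {"eventName": "PutBucketPolicy", "sourceIPAddress": "cloudformation.amazonaws.com"},
    {"eventName": "CreateUser", "sourceIPAddress": "AWS Internal"},
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "ListBuckets", "sourceIPAddress": "2600:1f18:1234::1"},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "2001:db8::9"},
]


def load_amazon_networks(json_text):
    """Parse ip-ranges.json into (IPv4 networks, IPv6 networks).

    The real file lists the same space under several services (AMAZON, EC2,
    S3, ...); collapsing merges the overlaps so the membership scan is shorter."""
    doc = json.loads(json_text)
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in doc.get("prefixes", [])]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in doc.get("ipv6_prefixes", [])]
    return list(ipaddress.collapse_addresses(v4)), list(ipaddress.collapse_addresses(v6))


def parse_networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def classify_source(source, amazon_nets, allow_nets):
    """Return 'amazon_service', 'allowlisted', 'amazon_range' or 'external'.

    CloudTrail does not always store an IP in sourceIPAddress: calls that an
    AWS service makes on your behalf carry the service's DNS name
    (e.g. cloudformation.amazonaws.com) or the literal 'AWS Internal'.
    Neither would ever match a whois/ASN lookup, so handle them first."""
    if source == "AWS Internal" or source.endswith(".amazonaws.com"):
        return "amazon_service"
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "external"  # unknown non-IP value: surface it, do not drop it
    if any(addr in net for net in allow_nets):
        return "allowlisted"
    amazon_v4, amazon_v6 = amazon_nets
    if any(addr in net for net in (amazon_v4 if addr.version == 4 else amazon_v6)):
        return "amazon_range"
    return "external"


def triage(events, json_text, allowlist):
    """Classify every event; returns {eventName: classification}."""
    amazon = load_amazon_networks(json_text)
    allow = parse_networks(allowlist)
    return {e["eventName"]: classify_source(e["sourceIPAddress"], amazon, allow)
            for e in events}


def alert_candidates(events, json_text, allowlist):
    """Event names the rule should fire on: not Amazon, not VPN."""
    return [name for name, cls in triage(events, json_text, allowlist).items()
            if cls == "external"]


if __name__ == "__main__":
    for name, cls in triage(CLOUDTRAIL_EVENTS, IP_RANGES_JSON, VPN_ALLOWLIST).items():
        print(f"{name:18} {cls}")
    print("alert on:", alert_candidates(CLOUDTRAIL_EVENTS, IP_RANGES_JSON, VPN_ALLOWLIST))
```

Two caveats before wiring this into a rule. First, Amazon's published ranges cover every tenant's EC2 instances as well as Amazon's own services, so excluding them also silences an attacker operating from any EC2 box; the `service` field in ip-ranges.json lets you keep EC2 prefixes in scope and exclude only service ranges if that matters to you. Second, the service DNS names and "AWS Internal" only appear in records CloudTrail wrote itself, so the suffix check is not something a remote caller can spoof. In Sentinel the same membership test can be done in KQL by loading the prefixes as a watchlist and using `ipv4_is_in_any_range()` against the source IP column, which avoids the per-query external lookup the original post was looking for.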