AWS CloudTrail - "whois" Organization Whitelist


Hi all,

I'm trying to create a custom alert trigger in Sentinel to filter source IP addresses from my CloudTrail logs, as I've whitelisted well-defined IPs (VPN).

However, some services like autoscaling use some internal AWS IPs which I do not have control over.

My question is: Is there a way to whitelist and exclude these IPs from my query, using some sort of whois organization response attribute?

If anyone has some guidance, it would be very helpful. Coding and integrations are also welcome.

Best regards,

Siedlarczyk

6 Replies
Additional protection against web attacks using conditions that you specify. You can define conditions by using characteristics of web requests such as the following:
• IP addresses that requests originate from.
• Country that requests originate from.
• Values in request headers.
• Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
• Length of requests.
• Presence of SQL code that is likely to be malicious (known as SQL injection).
• Presence of a script that is likely to be malicious (known as cross-site scripting).
• Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.
• Rules that you can reuse for multiple web applications.
• Managed rule groups from AWS and AWS Marketplace sellers.
• Real-time metrics and sampled web requests.
• Automated administration using the AWS WAF API.
Hi Lewis, thanks for the response.

I believe my challenge is a little bit different. I want to exclude Amazon ASN IPs from the query, just to monitor outside Amazon ones.
I would like to do something like a whois, get the org name Amazon, and if it matches, do not trigger.
I just couldn't find a way to use this sort of intel or command in the log query.

Best regards,
Lucas

@Siedlarczyk95 Sounds like you would need to create a logic app that makes the queries to whois to get the information you need and update a custom log with that information.

I do not have the exact code you would need but you can look at the Azure Sentinel on getting Teams information to give you an idea of how to start.


@Gary Bushey

Hi Gary, thanks for the response.

I thought about that, but not sure how to stream the data to get it queried from whois.

As logic apps connectors for Sentinel are basically based on alerts, the noise would be huge if I used this approach.

Do you have a suggestion on that?

Best regards.

Lucas


@Siedlarczyk95 This would be a straight Logic App, not a Playbook, so you could set it up to use the Recurrence trigger and use the HTTP action to call whois (assuming you can make a REST call to get the data you need).

@Siedlarczyk95 This may be along the lines of what you are looking for. I wanted to create tickets in an ITSM for alerts in Sentinel and, instead of having to constantly look up the location and owner of the IP addresses, I used a REST API call via Logic Apps to get the IP owner (https://ipapi.co/8.8.8.8/org) so this could be added to the ticket on creation.

This won't necessarily let you alert for non-Amazon IPs since the alert would've already occurred.

I also wanted to get information on where connections to our Cisco ASA were coming from geographically, so I used another logic app to look up IPs for their location, owner etc.

For this you would need a CSV file in blob storage with the defined headers you are looking for, e.g. IP, Location, Owner.

I used a recurringly triggered logic app to run a log analytics query to get a list of IPs and then conditionally check the CSV for the IP to make sure it wasn't already there (to avoid going over the API rate limit looking up IPs twice).

If the IP isn't in the file, you would then call the API and add the information as a new line to the CSV file.

You could then use externaldata to look up this information in log analytics and create alerts based on a query that excludes Amazon-owned IPs.

I used the code below to generate a map showing the places connections were being made from to our ASA. The URL for the blob was generated by clicking on generate SAS under the storage account > containers > file.

// CSV in blob storage with header ip,country_code; the SAS URL below is a placeholder
externaldata(ip:string, country_code:string)
[h"https://my.blob.core.windows.net/mycontainer/iplookup.csv?sp=sharedaccesssignature"]
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated {TimeRange}   // workbook time-range parameter
    | where Message contains "%ASA:  Group <GroupPolicy_VPN> User"
    // pull the user name and the connecting IP out of the ASA syslog message
    | parse Message with * "> User <" User ">" *
    | parse Message with * "> IP <" ConnectingIP ">" *
) on $left.ip == $right.ConnectingIP
| distinct User, country_code
| summarize count(User) by country_code
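The cache-then-lookup loop described in this reply (query for IPs, skip ones already in the CSV, look up the rest, then exclude Amazon-owned sources), as an added Python example that is not code from the thread. It assumes an offline stand-in for the ipapi.co org call, a CSV with the headers IP,Owner, and constructed CloudTrail-style events; it also handles the case where an AWS service such as autoscaling is the caller and sourceIPAddress holds a DNS name rather than an IP.

```python
import csv
import io
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed CloudTrail-style events (only the field the filter needs). When an AWS service
# such as autoscaling makes the call, sourceIPAddress carries the service DNS name, not an IP.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10"},
    {"eventName": "RunInstances", "sourceIPAddress": "autoscaling.amazonaws.com"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10"},
]
# Constructed offline stand-in for the https://ipapi.co/<ip>/org call used in the thread.
FAKE_ORG = {"203.0.113.10": "AMAZON-02", "198.51.100.7": "Example VPN Provider"}

def lookup_org(ip: str) -> str:
    return FAKE_ORG.get(ip, "UNKNOWN")

def load_cache(cache_csv: str) -> Dict[str, str]:
    """Parse the CSV cache (header: IP,Owner) into an IP -> owner map."""
    return {row["IP"]: row["Owner"] for row in csv.DictReader(io.StringIO(cache_csv))}

def update_cache(cache_csv: str, events, lookup: Callable[[str], str]) -> Tuple[str, int]:
    """Look up only IPs missing from the cache (spares API quota); return new CSV and lookup count."""
    cache = load_cache(cache_csv)
    lookups = 0
    for ip in sorted({e["sourceIPAddress"] for e in events} - set(cache)):
        try:
            ipaddress.ip_address(ip)   # skip service DNS names; they are not whois targets
        except ValueError:
            continue
        cache[ip] = lookup(ip)
        lookups += 1
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["IP", "Owner"])
    writer.writerows(cache.items())
    return out.getvalue(), lookups

def is_amazon(source: str, cache: Dict[str, str]) -> bool:
    """Amazon-owned if it is a *.amazonaws.com service name or the cached owner names Amazon."""
    return source.endswith(".amazonaws.com") or "amazon" in cache.get(source, "").lower()

def non_amazon_events(events: Iterable[dict], cache_csv: str) -> List[dict]:
    """Alert candidates: events whose source is not Amazon (unknown owners are kept, not dropped)."""
    cache = load_cache(cache_csv)
    return [e for e in events if not is_amazon(e["sourceIPAddress"], cache)]
```

The updated CSV text is what the recurring logic app would write back to blob storage for the externaldata query to read.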