How to create custom alerts for AWS Cloudtrail on Wazuh

Out of the box, Wazuh supports ingesting AWS CloudTrail logs. However, one of the caveats is that these logs have only a few rule.id values. So, for example, creating a new EC2 instance and deleting an S3 bucket have the same rule.id and cannot be alerted on separately.

So what we will do is create custom rules that aren't as broad. In this example we will be setting an alert of level 8 on any S3 change in AWS.

We will use rule.id 80202 since it does exactly what we want in just a broader sense.

First we need to create the rule to do this for us. In order to do this we need to create a new XML file in /etc/rules.

vi /var/ossec/etc/rules/aws_custom_rules.xml

Now paste this into your custom rule file. You will notice there are a couple of differences between this rule and 80202. The first difference is that the list file in 80202 is /etc/lists/amazon/aws-events. We are going to point to a new list file (which we haven't created yet) called /etc/lists/amazon/aws-s3-events.

The other difference is that we are giving it a new rule.id and a new alert level.

<!-- ################################### -->
<!-- # AWS Security Correlations       # -->
<!-- ################################### -->

<!-- ################################### -->
<!-- # Rule numbers 200 - 299          # -->
<!-- ################################### -->


<group name="AWS_Security_Correlations,">

<rule id="100200" level="8">
  <if_sid>80200</if_sid>
  <field name="aws.source">cloudtrail</field>
  <list field="aws.eventName" lookup="match_key">etc/lists/amazon/aws-s3-events</list>
  <description>AWS Cloudtrail: $(aws.eventSource) - $(aws.eventName).</description>
  <group>AWS_Security_Correlations</group>
  <options>no_full_log</options>
</rule>

</group>

OK. So now we need to create aws-s3-events and aws-s3-events.cdb.

cp /var/ossec/etc/lists/amazon/aws-eventnames /var/ossec/etc/lists/amazon/aws-s3-events

Now that we have copied the event file, we need to take everything out but the S3 alerts. So it should look like this:

CreateBucket:S3
DeleteBucket:S3
DeleteBucketLifecycle:S3
DeleteBucketReplication:S3
DeleteBucketTagging:S3
PutBucketLifecycle:S3
PutBucketLogging:S3
PutBucketNotification:S3
PutBucketReplication:S3
PutBucketRequestPayment:S3
PutBucketTagging:S3
PutBucketVersioning:S3

Now we need to add this new list to our /var/ossec/etc/ossec.conf file.

vi /var/ossec/etc/ossec.conf

Under ruleset we will add our aws-s3-events list.

  <ruleset>
    <!-- Default ruleset -->
    <decoder_dir>ruleset/decoders</decoder_dir>
    <rule_dir>ruleset/rules</rule_dir>
    <rule_exclude>0215-policy_rules.xml</rule_exclude>
    <list>etc/lists/audit-keys</list>
    <list>etc/lists/amazon/aws-eventnames</list>
    <list>etc/lists/security-eventchannel</list>
    <list>etc/lists/amazon/aws-s3-events</list>

    <!-- User-defined ruleset -->
    <decoder_dir>etc/decoders</decoder_dir>
    <rule_dir>etc/rules</rule_dir>
  </ruleset>

Now we just need to create a new .cdb file to store these entries.

touch /var/ossec/etc/lists/amazon/aws-s3-events.cdb

Finally we compile the list file and restart Wazuh.

/var/ossec/bin/ossec-makelists
systemctl restart wazuh-manager

Now you have alerts :)

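As an added example (not from the original post), here is a small Python script that automates the list edit described above: it keeps only the S3 entries of an aws-eventnames-style file and then replays the custom rule's match_key logic against constructed CloudTrail records. It generalizes to any service value, for instance the "EC2 - Security Groups" entries mentioned later in this thread. The list excerpt and the events are constructed, and the event shape assumes the decoded aws.source, aws.eventSource and aws.eventName fields the rule reads.

```python
import sys

# Constructed excerpt in the key:value format of /var/ossec/etc/lists/amazon/aws-eventnames
SAMPLE_AWS_EVENTNAMES = """\
CreateBucket:S3
DeleteBucket:S3
RunInstances:EC2
AuthorizeSecurityGroupIngress:EC2 - Security Groups
PutBucketVersioning:S3
"""

# Constructed events in the decoded aws.* shape the rule's <field> and <list> tags read
SAMPLE_EVENTS = [
    {"aws": {"source": "cloudtrail", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket"}},
    {"aws": {"source": "cloudtrail", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"}},
]

def filter_cdb_list(text, wanted_value):
    """Keep only key:value lines whose value equals wanted_value (the by-hand edit above, automated)."""
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line: not a valid CDB entry
        _key, value = line.split(":", 1)
        if value.strip() == wanted_value:
            kept.append(line)
    return kept

def load_keys(list_lines):
    """A match_key lookup compares the field against the part before the first ':'."""
    return {line.split(":", 1)[0] for line in list_lines}

def rule_fires(event, list_keys):
    """Mirror rule 100200: aws.source must be cloudtrail and aws.eventName must be a list key."""
    aws = event.get("aws", {})
    return aws.get("source") == "cloudtrail" and aws.get("eventName") in list_keys

def describe(event):
    """Render the rule's <description> template for a matching event."""
    return f"AWS Cloudtrail: {event['aws']['eventSource']} - {event['aws']['eventName']}."

if __name__ == "__main__":
    # Usage: python3 make_s3_list.py [aws-eventnames] > aws-s3-events  (hypothetical script name)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AWS_EVENTNAMES
    s3_lines = filter_cdb_list(text, "S3")
    print("\n".join(s3_lines))
    keys = load_keys(s3_lines)
    for ev in SAMPLE_EVENTS:
        print(describe(ev) if rule_fires(ev, keys) else "no alert", file=sys.stderr)
```

Run ossec-makelists after writing the generated file into /var/ossec/etc/lists/amazon/ so the .cdb is rebuilt, exactly as in the steps above.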

Just curious to know if it is possible to set alerts on specific events. Here is a typical use case:

There is an AWS security group called "public_http" that has ingress rules for 80 & 443 open to 0.0.0.0/0. For compliance, this security group must only be attached to an AWS ELB and is not allowed on any instance.

Can Wazuh be configured to alert when this specific SG is attached to instances?

Any insight is appreciated.

Yeah, these two alerts should be what you are looking for:

AuthorizeSecurityGroupEgress:EC2 - Security Groups
AuthorizeSecurityGroupIngress:EC2 - Security Groups