Automated Response
Setting Up Scheduled Queries in Athena
Scheduling queries enables proactive threat detection by automating periodic checks on logs for suspicious behavior.
Steps to Create a Scheduled Query using Amazon EventBridge:
Open the AWS Console and navigate to EventBridge.
Create a new rule:
Rule name:
DailyFailedLogins
Event source:
EventBridge Schedule
Schedule expression:
rate(1 day)
Add Target:
Select Athena Start Query Execution as the target.
Provide the SQL query to be executed (e.g., detect failed logins):
SELECT eventTime, userIdentity.userName, errorCode FROM cloudtrail_logs WHERE eventName = 'ConsoleLogin' AND errorCode IS NOT NULL;
Specify Output Location:
Query results will be saved in S3 (e.g., s3://security-logs-bucket/results/).
Create the Rule. The query will now run daily and store the results in S3 for review.
Automating Alerts with Athena and Lambda
You can automate alerts by triggering AWS Lambda functions based on Athena query results. This allows real-time responses to suspicious activities.
Scenario:
You want to send an email alert whenever a high-severity GuardDuty alert (severity >= 7) is detected.
Steps to Build the Automation:
Create a Lambda Function:
Open the Lambda Console and create a new function (e.g., SendAlert). Add a Python function to send an email using Amazon SNS:
import boto3
import json

def lambda_handler(event, context):
    # Publish the triggering event as the message body to the SecurityAlerts topic;
    # every subscriber of the topic (e.g. your email address) receives it
    sns = boto3.client('sns')
    sns.publish(
        TopicArn='arn:aws:sns:us-east-1:123456789012:SecurityAlerts',
        Message=json.dumps(event),
        Subject='High Severity GuardDuty Alert'
    )
Set Up an SNS Topic:
In the SNS Console, create a topic (e.g., SecurityAlerts). Subscribe your email address to receive notifications.
Create an EventBridge Rule to Trigger the Lambda Function:
Configure Athena Start Query Execution as the event source.
Set Lambda as the target to run after the query completes.
Provide the SQL query to detect high-severity alerts:
SELECT eventType, severity, description FROM guardduty_logs WHERE severity >= 7;
Integrating Athena with GuardDuty and Security Hub
GuardDuty + Athena Integration:
Use Athena to query historical GuardDuty alerts.
Automate queries to identify recurring patterns of attacks.
Query Example: GuardDuty Alerts by Source IP
SELECT srcIp, COUNT(*) AS alert_count
FROM guardduty_logs
GROUP BY srcIp
ORDER BY alert_count DESC;
Security Hub + Athena Integration:
Query findings from multiple AWS services consolidated in Security Hub.
Build dashboards with Athena + QuickSight to visualize security posture.
Real-Time Visualization with Athena and QuickSight
Visualization tools like Amazon QuickSight can be used to create real-time dashboards with Athena queries. This provides threat hunters with an easy way to monitor trends and anomalies visually.
Steps to Create a QuickSight Dashboard:
Connect QuickSight to Athena:
In the QuickSight Console, create a new data source.
Select Athena as the data source and choose your workgroup.
Build a Visual Dashboard:
Use the following SQL query to track failed logins:
SELECT date_trunc('hour', from_iso8601_timestamp(eventTime)) AS hour,
       COUNT(*) AS failed_logins
FROM cloudtrail_logs
WHERE eventName = 'ConsoleLogin' AND errorCode IS NOT NULL
GROUP BY date_trunc('hour', from_iso8601_timestamp(eventTime))
ORDER BY hour;
Create a line chart to visualize failed login attempts over time.
Set Alerts for Dashboard Changes:
Use thresholds to generate alerts when login failures spike.
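The following Python is an added example (not part of the original page or of any AWS product) that does offline what the dashboard query and the threshold alert above do in Athena and QuickSight: it buckets ConsoleLogin failures per hour from CloudTrail-style records and flags hours that spike. The CloudTrail records are constructed samples, and the threshold rule (an absolute floor plus a multiple of the median of the other hours) is an assumption chosen for illustration, not a QuickSight feature.

```python
from collections import Counter
from datetime import datetime, timezone
from statistics import median


def _rec(event_time, user, error_code=None, event_name="ConsoleLogin"):
    """Build a constructed CloudTrail-style record (only the fields used here)."""
    record = {"eventTime": event_time, "eventName": event_name,
              "userIdentity": {"userName": user}}
    if error_code:
        record["errorCode"] = error_code
    return record


# Constructed sample: a quiet morning, one busy hour (12:00-12:59 UTC), and
# a few events that must be ignored (a successful login, a non-login API call).
SAMPLE_RECORDS = [
    _rec("2024-05-01T09:05:12Z", "alice", "Failed authentication"),
    _rec("2024-05-01T09:40:03Z", "bob"),                        # success: no errorCode
    _rec("2024-05-01T10:15:44Z", "alice", "Failed authentication"),
    _rec("2024-05-01T11:02:19Z", "carol", "Failed authentication"),
    _rec("2024-05-01T11:48:57Z", "carol", "Failed authentication"),
    _rec("2024-05-01T12:30:00Z", "dave", event_name="GetCallerIdentity"),
    _rec("2024-05-01T13:10:21Z", "erin", "Failed authentication"),
] + [_rec(f"2024-05-01T12:{m:02d}:00Z", "dave", "Failed authentication")
     for m in range(0, 45, 5)]                                  # nine failures in one hour


def is_failed_console_login(record):
    """Same predicate as the SQL WHERE clause: ConsoleLogin with an errorCode."""
    return record.get("eventName") == "ConsoleLogin" and record.get("errorCode") is not None


def hour_bucket(event_time):
    """Equivalent of date_trunc('hour', ...) on CloudTrail's ISO 8601 eventTime."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0)


def failed_logins_per_hour(records):
    """Return {hour: failed_login_count} ordered by hour (the GROUP BY result)."""
    counts = Counter(hour_bucket(r["eventTime"]) for r in records if is_failed_console_login(r))
    return dict(sorted(counts.items()))


def spiking_hours(counts, floor=5, multiplier=3.0):
    """Hours whose count is at least `floor` and more than `multiplier` times the
    median of the other hours. The floor keeps one extra failure on a quiet day
    from paging anyone; the ratio keeps a steady high baseline from alerting
    every hour. Returns [(hour, count), ...] in hour order."""
    spikes = []
    for hour, count in counts.items():
        others = [c for h, c in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if count >= floor and count > multiplier * baseline:
            spikes.append((hour, count))
    return spikes


if __name__ == "__main__":
    per_hour = failed_logins_per_hour(SAMPLE_RECORDS)
    for hour, count in per_hour.items():
        print(f"{hour.isoformat()}  failed_logins={count}")
    for hour, count in spiking_hours(per_hour):
        print(f"ALERT: {count} failed console logins in the hour starting {hour.isoformat()}")
```

Running it prints one row per hour (the same rows the line chart plots) and a single alert for the 12:00 hour; tuning `floor` and `multiplier` against your own history is the equivalent of choosing the dashboard threshold.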
Building Automated Incident Response Workflows
Automated responses improve your ability to contain threats before they cause significant damage. Use Athena, Lambda, and Security Hub to build event-driven workflows for incident response.
Example Workflow: Automated Account Lockout
Scenario: Automatically disable a user account after 3 failed login attempts within an hour.
Create a Lambda Function to Disable User Accounts:
import boto3

def lambda_handler(event, context):
    iam = boto3.client('iam')
    # The user name is taken from the CloudTrail record that triggered the workflow
    user = event['userIdentity']['userName']
    # Force a password change at the user's next console sign-in
    iam.update_login_profile(
        UserName=user,
        PasswordResetRequired=True
    )
Schedule an Athena Query to Detect Multiple Login Failures:
SELECT userIdentity.userName, COUNT(*) AS failed_attempts
FROM cloudtrail_logs
WHERE eventName = 'ConsoleLogin'
  AND errorCode IS NOT NULL
  AND from_iso8601_timestamp(eventTime) > current_timestamp - interval '1' hour
GROUP BY userIdentity.userName
HAVING COUNT(*) >= 3;
Trigger the Lambda Function via EventBridge:
Configure EventBridge to invoke the Lambda function when the query returns a result.
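The page leaves open what the Lambda function actually receives when EventBridge fires after the query completes. The Python below is an added example (not the page's code and not an AWS sample) of one handler that serves both workflows above: it is invoked by an EventBridge rule on the Athena "Query State Change" event, reads the finished query's rows through GetQueryResults (following NextToken pagination), re-checks the failed-attempt count in code, forces a password reset for each offending user as the page's function does, and publishes one SNS alert summarising the action. Assumptions: the event detail carries `queryExecutionId` and `currentState`; the query's columns are `userName` and `failed_attempts` (the page's failed-login query); the threshold and topic ARN come from environment variables, with a placeholder ARN as the default; and the clients are injectable so the logic runs offline against the constructed `FakeAthena` pages and `CallRecorder` below.

```python
import json
import os

# Mirrors the HAVING clause of the detection query; the topic ARN default is a placeholder.
FAILED_ATTEMPTS_THRESHOLD = int(os.environ.get("FAILED_ATTEMPTS_THRESHOLD", "3"))
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT_ID:SecurityAlerts")


def fetch_result_rows(athena, query_execution_id):
    """Collect every row of a finished query, following NextToken pagination."""
    rows, token = [], None
    while True:
        kwargs = {"QueryExecutionId": query_execution_id}
        if token:
            kwargs["NextToken"] = token
        page = athena.get_query_results(**kwargs)
        rows.extend(page["ResultSet"]["Rows"])
        token = page.get("NextToken")
        if not token:
            return rows


def rows_to_dicts(rows):
    """Convert GetQueryResults rows to dicts. Athena sends the column names as the
    first row and every cell as a string under VarCharValue (absent for NULL)."""
    if not rows:
        return []
    header = [cell.get("VarCharValue") for cell in rows[0]["Data"]]
    return [dict(zip(header, [cell.get("VarCharValue") for cell in row["Data"]]))
            for row in rows[1:]]


def users_over_threshold(records, threshold=FAILED_ATTEMPTS_THRESHOLD):
    """Re-check the count in code so a loosened query cannot widen the action,
    and skip rows without a user name (e.g. root or federated sessions)."""
    users = []
    for rec in records:
        user = rec.get("userName")
        if user and int(rec.get("failed_attempts") or 0) >= threshold:
            users.append(user)
    return users


def lambda_handler(event, context, athena=None, iam=None, sns=None):
    """Entry point for the EventBridge rule. Clients are injectable for offline tests."""
    detail = event.get("detail", {})
    if event.get("detail-type") != "Athena Query State Change" or detail.get("currentState") != "SUCCEEDED":
        return {"action": "ignored", "state": detail.get("currentState")}
    if athena is None or iam is None or sns is None:
        import boto3  # only needed when running inside Lambda
        athena = athena or boto3.client("athena")
        iam = iam or boto3.client("iam")
        sns = sns or boto3.client("sns")
    records = rows_to_dicts(fetch_result_rows(athena, detail["queryExecutionId"]))
    users = users_over_threshold(records)
    for user in users:
        # Same action as the page's function: force a password change at next console sign-in
        iam.update_login_profile(UserName=user, PasswordResetRequired=True)
    if users:
        sns.publish(TopicArn=ALERT_TOPIC_ARN, Subject="Console login failures: password reset forced",
                    Message=json.dumps({"queryExecutionId": detail["queryExecutionId"], "users": users}))
    return {"action": "locked" if users else "none", "users": users}


class FakeAthena:
    """Offline stand-in for the Athena client, serving constructed result pages."""
    def __init__(self, pages):
        self.pages = pages

    def get_query_results(self, QueryExecutionId, NextToken=None):
        return self.pages[NextToken or "first"]


class CallRecorder:
    """Stand-in for the IAM and SNS clients: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record


def _cell(value):
    return {"VarCharValue": value} if value is not None else {}


# Constructed two-page result for the failed-login query. A NULL user and a
# below-threshold row are included to exercise the checks in users_over_threshold.
SAMPLE_PAGES = {
    "first": {"ResultSet": {"Rows": [{"Data": [_cell("userName"), _cell("failed_attempts")]},
                                     {"Data": [_cell("alice"), _cell("5")]}]},
              "NextToken": "p2"},
    "p2": {"ResultSet": {"Rows": [{"Data": [_cell(None), _cell("4")]},
                                  {"Data": [_cell("bob"), _cell("2")]}]}},
}
SAMPLE_EVENT = {"detail-type": "Athena Query State Change",
                "detail": {"currentState": "SUCCEEDED",
                           "queryExecutionId": "00000000-0000-0000-0000-000000000000"}}  # constructed id

if __name__ == "__main__":
    recorder = CallRecorder()
    print(lambda_handler(SAMPLE_EVENT, None, athena=FakeAthena(SAMPLE_PAGES), iam=recorder, sns=recorder))
    for name, kwargs in recorder.calls:
        print(name, kwargs)
```

Because the handler ignores every state other than SUCCEEDED, a FAILED or CANCELLED query never triggers an action, and the in-code threshold means an accidental edit to the HAVING clause cannot reset passwords for users below the limit. The same pattern, with the GuardDuty query and a severity check in place of `users_over_threshold`, covers the high-severity alert workflow.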