Versions Compared

Old Version 6

changes.mady.by.user Alban (Unlicensed)

Saved on

compared with

New Version 7

changes.mady.by.user John Gerlock

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • When an API Secure policy violation was opened.

  • When an API Secure policy violation was resolved, or closed as "won't fix“.

Configuring Splunk

...

to receive events from Data Theorem

Step 1: Enabling HTTP Event Collector (HEC)

...

Example Event Detail View

...

  

Example Splunk Queries

Example Splunk Queries

Public S3 Buckets

To search Splunk for Data Theorem events triggered by the discovery of public S3 buckets:

Code Block
event.type=API_SECURE__POLICY_VIOLATION_CREATED AND 
(
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS" OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS"
)

In the query above, the expression event.type=API_SECURE__POLICY_VIOLATION_CREATED restricts the search to events representing new policy violations. To instead search for events representing resolved(fixed) policy violations, use event.type=API_SECURE__POLICY_VIOLATION_RESOLVED like this:

Code Block
event.type=API_SECURE__POLICY_VIOLATION_RESOLVED AND 
(
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_READ_ACP OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_PUBLIC_WRITE_ACP OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_READ OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_ACL_HAS_AUTHENTICATED_WRITE_ACP OR 
event.data.violated_policy_rule_type_name=AWS_S3_BUCKET_POLICY_HAS_PUBLIC_ACCESS OR 
event.data.violated_policy_rule_type_name="AWS_S3_BUCKET_ACCESS_POINT_POLICY_HAS_PUBLIC_ACCESS
)

The OR'ed expressions match the different Data Theorem policy rules for S3 bucket configuration. For more information about these policies, see AWS S3 policy documentation. They can be added or eliminated as needed. Splunk also supports the use of wildcards for field values in queries, so to search for any event related to AWS S3, you could do this:

Code Block
event.data.violated_policy_rule_type_name=AWS_S3*

References

Data Theorem Event Message Schema

Data Theorem Splunk Dashboard Example

Splunk HEC Documentation

Splunk HEC Examples