TrailDiscover enrichment is in open beta starting with Panther version 1.107, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
TrailDiscover is a continuously evolving repository of CloudTrail events containing detailed descriptions, MITRE ATT&CK insights, real-world incident references, research links, and information about security implications.
Learn how to , and how to .
How TrailDiscover works
The TrailDiscover Enrichment Provider enriches CloudTrail events with relevant information from TrailDiscover, using the log's eventName key. If you use , TrailDiscover enriches the api.operation field, which contains the CloudTrail event name.
Setting up TrailDiscover enrichment
How to set up TrailDiscover enrichment in the Panther Console
In the left-hand navigation bar in your Panther Console, click Detections.
Click the Packs tab.
Search for "TrailDiscover," and on the TrailDiscover Lookup Tables tile, click the Enabled toggle ON.
In the pop-up confirmation modal, click Continue.
To verify the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
On this page, you can see Panther-managed Enrichment Providers. You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.
How to set up TrailDiscover enrichment in the CLI workflow
To set up TrailDiscover in the CLI workflow, follow the instructions for Enrichment Providers on . Setup in the Panther Console is not currently available.
Please note the following considerations:
CI/CD users do not need to use Detection Packs to get TrailDiscover Lookup Tables. You can pull in the latest release of and use the panther_analysis_tool (PAT) to upload the TrailDiscover Lookup Tables.
To enable the TrailDiscover Tables using the repo, make sure to open each corresponding YAML configuration file and set enabled: true.
It is possible for CI/CD users to enable TrailDiscover Lookup Tables via Detection Packs, as long as you do not customize the TrailDiscover tables using PAT.
If you choose to manage TrailDiscover through PAT after enabling it in the Panther Console, you must first disable the Detection Packs in the Panther Console. Simultaneous use of both the Panther Console and PAT to manage TrailDiscover is not supported.
For more information on how to manage TrailDiscover Lookup Tables, please see the .
Example event enriched with TrailDiscover
Below is a CloudTrail log enriched with TrailDiscover data. The TrailDiscover object within p_enrichment contains additional information about the AssumeRole event, such as links to associated incidents, research, and MITRE ATT&CK tactics and techniques.
{
  "awsRegion": "us-east-1",
  "correlation_rule_matches": {},
  "database_name": "panther_logs",
  "eventCategory": "Management",
  "eventID": "5d0ee1aa-cac2-3876-9808-aecdc2b720ab",
  "eventName": "AssumeRole",
  "eventSource": "sts.amazonaws.com",
  "eventTime": "2024-04-24 19:23:36.000000000",
  "eventType": "AwsApiCall",
  "eventVersion": "1.08",
  "managementEvent": true,
  "p_enrichment": {
    "TrailDiscover": {
      "eventName": {
        "awsService": "STS",
        "description": "Returns a set of temporary security credentials that you can use to access AWS resources.",
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "incidents": [
          {
            "description": "The curious case of DangerDev@protonmail.me",
            "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
          },
          {
            "description": "Trouble in Paradise",
            "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"
          }
        ],
        "mitreAttackTactics": [
          "TA0001 - Initial Access",
          "TA0003 - Persistence",
          "TA0004 - Privilege Escalation"
        ],
        "mitreAttackTechniques": [
          "T1199 - Trusted Relationship",
          "T1078 - Valid Accounts"
        ],
        "p_match": "AssumeRole",
        "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRole",
        "researchLinks": [
          {
            "description": "Role Chain Juggling",
            "link": "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/"
          },
          {
            "description": "Detecting and removing risky actions out of your IAM security policies",
            "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"
          }
        ],
        "securityImplications": "Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",
        "simulation": [
          {
            "type": "commandLine",
            "value": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover"
          }
        ],
        "usedInWild": true
      }
    }
  },
  "readOnly": true,
  "recipientAccountId": "123456789012",
  "requestID": "ddcb3c89-b762-43a1-a2b7-33f6f1afac53",
  "requestParameters": {
    "roleArn": "arn:aws:iam::123456789012:role/some-role",
    "roleSessionName": "SOME_SESSION"
  },
  "resources": [
    {
      "accountId": "123456789012",
      "arn": "arn:aws:iam::123456789012:role/some-role",
      "type": "AWS::IAM::Role"
    }
  ],
  "responseElements": {
    "assumedRoleUser": {
      "arn": "arn:aws:sts::123456789012:assumed-role/some-role/SOME_SESSION",
      "assumedRoleId": "AROASXP6SDABCDEFGL:SOME_SESSION"
    },
    "credentials": {
      "accessKeyId": "ASIASXABCDEFGRGZ",
      "expiration": "Apr 24, 2024, 8:23:36 PM",
      "sessionToken": "token"
    }
  },
  "sharedEventID": "a077320f-2184-482c-8e6d-e1e9ddfde08f",
  "sourceIPAddress": "cloudtrail.amazonaws.com",
  "table_name": "aws_cloudtrail",
  "userAgent": "cloudtrail.amazonaws.com",
  "userIdentity": {
    "invokedBy": "cloudtrail.amazonaws.com",
    "type": "AWSService"
  }
}
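As an added example (not Panther's or TrailDiscover's own code), the following Python rule shows one way a detection can consume the p_enrichment.TrailDiscover object from the event above: it alerts on events that TrailDiscover marks as used in the wild and maps to a persistence or privilege-escalation tactic, while ignoring AWS-service-initiated calls like the CloudTrail-invoked AssumeRole shown. The rule()/title() shape follows Panther's Python rule convention; deep_get is a local helper and the sample events are constructed so the file runs on plain dicts outside Panther.

```python
# Added example, not Panther's or TrailDiscover's own code: a Panther-style
# rule()/title() pair that consumes the TrailDiscover enrichment shown above.
# deep_get is a local helper so the file runs on plain dicts outside Panther.
from typing import Any

WATCHED_TACTICS = {"TA0003", "TA0004"}  # Persistence, Privilege Escalation
SERVICE_CALLERS = {"AWSService"}        # userIdentity.type values to ignore

def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts; return default if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj

def tactic_ids(td: dict) -> set:
    """'TA0004 - Privilege Escalation' -> 'TA0004'."""
    return {t.split(" - ", 1)[0].strip() for t in td.get("mitreAttackTactics", [])}

def rule(event: dict) -> bool:
    # Enrichment is keyed by the matched log field (eventName in the sample).
    td = deep_get(event, "p_enrichment", "TrailDiscover", "eventName")
    if not td or not td.get("usedInWild"):
        return False
    # Service-initiated calls (CloudTrail assuming its own role) are noise.
    if deep_get(event, "userIdentity", "type") in SERVICE_CALLERS:
        return False
    return bool(tactic_ids(td) & WATCHED_TACTICS)

def title(event: dict) -> str:
    td = deep_get(event, "p_enrichment", "TrailDiscover", "eventName", default={})
    actor = deep_get(event, "userIdentity", "arn", default="unknown")
    hits = ", ".join(sorted(tactic_ids(td) & WATCHED_TACTICS)) or "none"
    return f"{event.get('eventName')} by {actor} ({td.get('awsService')}; {hits})"

# Constructed samples: the page's service-initiated AssumeRole (trimmed) and a
# hypothetical IAM-user-initiated call carrying the same enrichment.
ENRICHMENT = {"awsService": "STS", "usedInWild": True,
              "mitreAttackTactics": ["TA0001 - Initial Access",
                                     "TA0003 - Persistence",
                                     "TA0004 - Privilege Escalation"]}
SERVICE_EVENT = {"eventName": "AssumeRole",
                 "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
                 "p_enrichment": {"TrailDiscover": {"eventName": ENRICHMENT}}}
USER_EVENT = {"eventName": "AssumeRole",
              "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/example"},
              "p_enrichment": {"TrailDiscover": {"eventName": ENRICHMENT}}}
```

Inside Panther, the same lookups would go through the event object's own accessor rather than the local deep_get helper; the tactic filtering and service-caller suppression carry over unchanged.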
TrailDiscover (Beta)
Enrich incoming CloudTrail events with TrailDiscover data