TrailDiscover (Beta)

Enrich incoming CloudTrail events with TrailDiscover data

Overview

TrailDiscover enrichment is in open beta starting with Panther version 1.107, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

TrailDiscover is a continuously evolving repository of CloudTrail events containing detailed descriptions, MITRE ATT&CK insights, real-world incident references, research links, and information about security implications.

Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.

How TrailDiscover works

The TrailDiscover Enrichment Provider enriches CloudTrail events with relevant information from TrailDiscover, using the log's eventName key. If you use Amazon Security Lake, TrailDiscover enriches the api.operation field, which contains the CloudTrail event name.

Setting up TrailDiscover enrichment

How to set up TrailDiscover enrichment in the Panther Console

In the left-hand navigation bar in your Panther Console, click Detections.
Click the Packs tab.
Search for "TrailDiscover," and on the TrailDiscover Lookup Tables tile, click the Enabled toggle ON.
In the pop-up confirmation modal, click Continue.
To verify the Lookup Table is enabled, from the left sidebar menu, click Configure > Enrichment Providers.
- On this page, you can see Panther-managed Enrichment Providers. You can also see whether the sources are currently enabled or disabled and when a source’s data was last refreshed.

Example event enriched with TrailDiscover

Below is a CloudTrail log enriched with TrailDiscover data. The TrailDiscover object within p_enrichment contains additional information about the AssumeRole event, such as links to associated incidents, research, and MITRE ATT&CK tactics and techniques.

{
  "awsRegion": "us-east-1",
  "correlation_rule_matches": {},
  "database_name": "panther_logs",
  "eventCategory": "Management",
  "eventID": "5d0ee1aa-cac2-3876-9808-aecdc2b720ab",
  "eventName": "AssumeRole",
  "eventSource": "sts.amazonaws.com",
  "eventTime": "2024-04-24 19:23:36.000000000",
  "eventType": "AwsApiCall",
  "eventVersion": "1.08",
  "managementEvent": true,
  "p_enrichment": {
    "TrailDiscover": {
      "eventName": {
        "awsService": "STS",
        "description": "Returns a set of temporary security credentials that you can use to access AWS resources.",
        "eventName": "AssumeRole",
        "eventSource": "sts.amazonaws.com",
        "incidents": [
          {
            "description": "The curious case of [email protected]",
            "link": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
          },
          {
            "description": "Trouble in Paradise",
            "link": "https://blog.darklab.hk/2021/07/06/trouble-in-paradise/"
          }
        ],
        "mitreAttackTactics": [
          "TA0001 - Initial Access",
          "TA0003 - Persistence",
          "TA0004 - Privilege Escalation"
        ],
        "mitreAttackTechniques": [
          "T1199 - Trusted Relationship",
          "T1078 - Valid Accounts"
        ],
        "p_match": "AssumeRole",
        "permissions": "https://aws.permissions.cloud/iam/sts#sts-AssumeRole",
        "researchLinks": [
          {
            "description": "Role Chain Juggling",
            "link": "https://hackingthe.cloud/aws/post_exploitation/role-chain-juggling/"
          },
          {
            "description": "Detecting and removing risky actions out of your IAM security policies",
            "link": "https://www.solvo.cloud/blog/detecting-and-removing-risky-actions-out-of-your-iam-security-policies/"
          }
        ],
        "securityImplications": "Attackers might use AssumeRole to gain unauthorized access to an AWS role. This might allow them to gain initial access, escalate privileges or in specific scenarios gain persistence.",
        "simulation": [
          {
            "type": "commandLine",
            "value": "aws sts assume-role --role-arn arn:aws:iam::123456789012:role/TrailDiscover --role-session-name TrailDiscover"
          }
        ],
        "usedInWild": true
      }
    }
  },
  "readOnly": true,
  "recipientAccountId": "123456789012",
  "requestID": "ddcb3c89-b762-43a1-a2b7-33f6f1afac53",
  "requestParameters": {
    "roleArn": "arn:aws:iam::123456789012:role/some-role",
    "roleSessionName": "SOME_SESSION"
  },
  "resources": [
    {
      "accountId": "123456789012",
      "arn": "arn:aws:iam::123456789012:role/some-role",
      "type": "AWS::IAM::Role"
    }
  ],
  "responseElements": {
    "assumedRoleUser": {
      "arn": "arn:aws:sts::123456789012:assumed-role/some-role/SOME_SESSION",
      "assumedRoleId": "AROASXP6SDABCDEFGL:SOME_SESSION"
    },
    "credentials": {
      "accessKeyId": "ASIASXABCDEFGRGZ",
      "expiration": "Apr 24, 2024, 8:23:36 PM",
      "sessionToken": "token"
    }
  },
  "sharedEventID": "a077320f-2184-482c-8e6d-e1e9ddfde08f",
  "sourceIPAddress": "cloudtrail.amazonaws.com",
  "table_name": "aws_cloudtrail",
  "userAgent": "cloudtrail.amazonaws.com",
  "userIdentity": {
    "invokedBy": "cloudtrail.amazonaws.com",
    "type": "AWSService"
  }
}

PreviousTor Exit Nodes NextPanther AI

Last updated 1 year ago

Was this helpful?

Overview

How TrailDiscover works

Setting up TrailDiscover enrichment

How to set up TrailDiscover enrichment in the Panther Console

How to set up TrailDiscover enrichment in the CLI workflow

Example event enriched with TrailDiscover