Merge branch 'main' into DOCS-409
kimsauce authored Oct 18, 2024
2 parents aaed992 + 1dfc01f commit 48599f1
Showing 19 changed files with 539 additions and 17 deletions.
18 changes: 12 additions & 6 deletions blog-cse/2024-10-04-content.md
@@ -23,28 +23,34 @@ This content release includes:
* Other changes enumerated below.

## Rules
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
- [New] MATCH-S00922 AWS Bedrock Agent Created
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious.
- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field.
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions.
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected.
- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives.
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
- [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function.
- [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges.
- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
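Review bot: MATCH-S00921, FIRST-S00086 and FIRST-S00082 each appear twice in this rendered hunk; with 12 additions and 6 deletions in the file this reads as those three entries being moved, but confirm the merged list carries each rule once, since the rendering shows no removed lines. Also, "AWS EC2 launch templates allows" (FIRST-S00087) should be "allow", and FIRST-S00084, OUTLIER-S00024 and OUTLIER-S00025 carry a stray " - " between the rule ID and the title that the other entries do not.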

8 changes: 8 additions & 0 deletions cid-redirects.json
Expand Up @@ -85,6 +85,7 @@
"/Start-Here/09Customize-Your-Sumo-Logic-Experience/Preferences-Page": "/docs/get-started/account-settings-preferences",
"/Start-Here/02Getting-Started/Glossary": "/docs/contributing/glossary",
"/01Start-Here/02Getting-Started/Glossary": "/docs/contributing/glossary",
"/01Start-Here/02Getting-Started": "/docs/get-started",
"/docs/contributing/create-document": "/docs/contributing/create-edit-doc",
"/docs/contributing/edit-doc": "/docs/contributing/create-edit-doc",
"/docs/contributing/markdown-cheat-sheet": "/docs/contributing/style-guide",
@@ -755,6 +756,7 @@
"/07Sumo-Logic-Apps/01Amazon_and_AWS/Threat_Intel_for_AWS/Threat-Intel-for-AWS-App-Dashboard": "/docs/integrations/amazon-aws/threat-intel",
"/07Sumo-Logic-Apps/04Infrastructure-and-Operations/NIST_CSF": "/docs/cloud-soar/overview",
"/docs/cloud-soar/architecture": "/docs/cloud-soar/overview",
"/07Sumo-Logic-Apps/03Microsoft_and_Azure/Windows_Event_Log": "/docs/integrations/microsoft-azure",
"/07Sumo-Logic-Apps/04Microsoft-and-Azure": "/docs/integrations/microsoft-azure",
"/07Sumo-Logic-Apps/04Microsoft-and-Azure/Active_Directory/01Collect-Log-Files-for-the-Active-Directory-App": "/docs/integrations/microsoft-azure/active-directory-json",
"/07Sumo-Logic-Apps/04Microsoft-and-Azure/Active_Directory_JSON": "/docs/integrations/microsoft-azure/active-directory-json",
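Review bot: the new `/07Sumo-Logic-Apps/03Microsoft_and_Azure/Windows_Event_Log` key redirects to the Microsoft/Azure category index `/docs/integrations/microsoft-azure` rather than to a Windows Event Log page; if a dedicated integration page exists, targeting it keeps the old deep link useful. The neighbouring keys in this block use `04Microsoft-and-Azure` while the new one uses `03Microsoft_and_Azure`; confirm that is the legacy path actually in circulation.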
@@ -2532,6 +2534,7 @@
"/cid/20157": "/docs/integrations/amazon-aws/aws-global-accelerator",
"/cid/20158": "/docs/integrations/amazon-aws/aws-ground-station",
"/cid/20159": "/docs/integrations/amazon-aws/aws-healthlake",
"/cid/20160": "/docs/integrations/amazon-aws/amazon-bedrock",
"/cid/8394": "/docs/search/search-query-language/search-operators/dedup",
"/cid/85858": "/docs/observability/kubernetes/quickstart",
"/cid/8595": "/docs/manage/security/set-password-policy",
@@ -3038,6 +3041,7 @@
"/Manage/Content_Sharing/Content_Sharing_FAQ": "/docs/manage/content-sharing/content-sharing-faq",
"/Manage/Content_Sharing/Share-Content": "/docs/manage/content-sharing",
"/Manage/Data-Forwarding": "/docs/manage/data-forwarding",
"/Manage/Data_Forwarding": "/docs/manage/data-forwarding",
"/Manage/Data-Forwarding/Configure-Data-Forwarding-for-Installed-Collectors": "/docs/manage/data-forwarding/installed-collectors",
"/docs/manage/data-archiving/installed-collectors": "/docs/manage/data-forwarding/installed-collectors",
"/Manage/Data-Forwarding/Configure-Data-Forwarding-from-Sumo-Logic-to-S3/02File-Format-for-Data-Forwarding-to-an-Amazon-S3-Bucket": "/docs/manage/data-forwarding/amazon-s3-bucket",
@@ -3641,6 +3645,7 @@
"/Beta/Cloud-to-Cloud_Integration_Framework/Workday_Source": "/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/workday-source",
"/Beta/Dashboard-Data-API": "/docs/api/dashboard",
"/Beta/Dashboard_(New)": "/docs/dashboards",
"/Beta/Dashboard_(Beta)/Create_a_New_Dashboard_(Beta)": "/docs/dashboards",
"/Beta/Grant_Access_to_Data_in_Audit_Indexes": "/docs/manage/users-roles/roles/create-manage-roles",
"/Beta/Health_Events": "/docs/manage/health-events",
"/Beta/Ingest_Budgets": "/docs/manage/ingestion-volume/ingest-budgets",
@@ -3658,6 +3663,7 @@
"/Dashboards-and-Alerts": "/docs/alerts",
"/Dashboards_and_Alerts/Alerts/01_Scheduled_Searches": "/docs/alerts/scheduled-searches/schedule-search",
"/Dashboards_and_Alerts/Alerts/Create_a_Real_Time_Alert": "/docs/alerts/scheduled-searches/create-real-time-alert",
"/Dashboards_and_Alerts/Alerts/Save_to_Index": "/docs/alerts/scheduled-searches/save-to-index",
"/Dashboards-and-Alerts/Alerts": "/docs/alerts",
"/Dashboards-and-Alerts/Alerts/02-Schedule-a-Search": "/docs/alerts/scheduled-searches/schedule-search",
"/Dashboards-and-Alerts/Alerts/Create-an-Email-Alert": "/docs/alerts/scheduled-searches/create-email-alert",
@@ -3705,6 +3711,7 @@
"/Search/Library/Apps-in-Sumo-Logic/01-Sumo-Logic-Apps/Data-Volume-App/Data-Volume-App-Dashboards": "/docs/integrations/sumo-apps/data-volume",
"/Search/LogCompare": "/docs/search/logcompare",
"/Search/LogCompare/About_LogCompare": "/docs/search/logcompare",
"/Search/LogReduce": "/docs/search/logreduce",
"/Query_Language": "/docs/search/search-query-language",
"/Search/Search_Query_Language": "/docs/search/search-query-language",
"/Search/Search_Query_Language/Parse_Operators/Parsing_JSON_Logs": "/docs/search/search-query-language/parse-operators/parse-json-formatted-logs",
@@ -3762,6 +3769,7 @@
"/Send_Data/Data_Types/Observable_Networks/Observable_Networks_App_Dashboard_and_Searches": "/docs/integrations/security-threat-detection/observable-networks",
"/Send_Data/Data_Types/PagerDuty/PagerDuty_App_Dashboards": "/docs/integrations/saas-cloud/pagerduty-v3",
"/Send_Data/Data_Types/Threat_Intel_for_AWS/Threat_Intel_for_AWS_App_Dashboard": "/docs/integrations/amazon-aws/threat-intel",
"/Send_Data/Installed_Collectors": "/docs/send-data/installed-collectors",
"/Send_Data/Installed_Collectors/04Install_a_Collector_on_Linux": "/docs/send-data/installed-collectors/linux",
"/Send_Data/Installed_Collectors/Step_4._Install_the_Collector/02_Quiet_Mode_Installation_Method": "/docs/send-data/installed-collectors/collector-installation-reference/set-collector-as-ephemeral",
"/Send_Data/Installed_Collectors/05Reference_Information_for_Collector_Installation/06user.properties": "/docs/send-data/installed-collectors/collector-installation-reference/user-properties",
48 changes: 44 additions & 4 deletions docs/api/role-management-v2.md
@@ -1,8 +1,8 @@
---
id: role-management-v2
title: Role Management APIs v2 (Beta)
sidebar_label: Roles
description: Role Management APIs v2 (Beta) allow you to manage roles from HTTP endpoints.
title: Role Management APIs V2 (Beta)
sidebar_label: Roles V2
description: Role Management APIs V2 (Beta) allow you to manage roles from HTTP endpoints.
---

import useBaseUrl from '@docusaurus/useBaseUrl';
@@ -13,7 +13,7 @@ import ApiRoles from '../reuse/api-roles.md';

<p> <a href="/docs/beta"><span className="beta">Beta</span></a> </p>

Roles determine the functions that users are able to perform in Sumo Logic. The Role Management API (v2) allows you to configure access on partitions and manage roles from HTTP endpoints.
Roles determine the functions that users are able to perform in Sumo Logic. The Role Management API (V2) allows you to configure access on partitions and manage roles from HTTP endpoints.

To manage roles, you must have an administrator role or your role must have been assigned the [Manage Users and Roles](/docs/manage/users-roles/) capability.

@@ -34,6 +34,46 @@ To manage roles, you must have an administrator role or your role must have been
| US1 | https://api.sumologic.com/docs/#tag/roleManagementV2 |
| US2 | https://api.us2.sumologic.com/docs/#tag/roleManagementV2 |

## Migrate audit logs queries from Role Management API V1 to V2

If you use role-based [audit data filtering](/docs/manage/users-roles/roles/create-manage-roles/#create-a-role), we recommend you migrate the search from V1 to V2 audit logging.

With advanced search filters added, you can obtain more granular information about the selected role. The `filterPredicate` field in V1 audit logging is replaced with `logAnalyticsFilter`, `auditDataFilter`, and `securityDataFilter` fields in V2. In addition, we have also added `selectionType` and `selectedViews` fields to apply for audit data filtering.

Currently, Role Management APIs V2 records both the V1 and V2 log line changes.

:::note
V2 changes are **only** applicable for `RoleUpdate` and `RoleCreated` events.
:::

<br/><img src={useBaseUrl('img/users-roles/JSON-diff-V1-V2.png')} alt="JSON-diff-V1-V2" style={{border: '1px solid gray'}} width="800"/>

For example, consider you are interested in querying upon audit logs with change in `RoleUpdated` or `RoleCreated` events. Now, if you perform this search you will initially see the V1 type of event in the search results. However, to view the results with the V2 event type, you are required to adjust the parameters in the query.

```sql title="V1 Audit Logging"
(_index=sumologic_audit_events)
| json fields=_raw "roleIdentity.roleName" as role_name
| json fields=_raw "eventTime" as eventTime
| json fields=_raw "role.filterPredicate" as create_role
| json fields=_raw "to.filterPredicate" as update_role
| json fields=_raw "operator.email" as actor
| json fields=_raw "eventName" | where eventName matches "RoleCreated" OR eventName="RoleUpdate"
| count by eventTime, eventName, actor, role_name, create_role, update_role
```

```sql title="V2 Audit Logging"
(_index=sumologic_audit_events)
| json fields=_raw "roleIdentity.roleName" as role_name
| json fields=_raw "eventTime" as eventTime
| json fields=_raw "role.logAnalyticsFilter" as created_log_analytics_filter
| json fields=_raw "role.auditDataFilter" as created_audit_data_filter
| json fields=_raw "to.logAnalyticsFilter" as updated_log_analytics_filter
| json fields=_raw "to.auditDataFilter" as updated_audit_data_filter
| json fields=_raw "operator.email" as actor
| json fields=_raw "eventName" | where eventName matches "RoleCreatedV2" OR eventName="RoleUpdateV2"
| count by eventTime, eventName, actor, role_name, created_log_analytics_filter, created_audit_data_filter, updated_log_analytics_filter, updated_log_analytics_filter
```

<!-- ## Required role capabilities
<ApiRoles/>
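Review bot: the V2 query's final `count by` clause (last line of the `V2 Audit Logging` block) lists `updated_log_analytics_filter` twice and never includes `updated_audit_data_filter`, so the updated audit-data filter is extracted but dropped from the results; the last field should be `updated_audit_data_filter`. The event names are also inconsistent within the hunk: the note says V2 changes apply to `RoleUpdate` and `RoleCreated`, the paragraph below the image refers to `RoleUpdated`, and the queries filter on `RoleUpdate` / `RoleUpdateV2`; use the name the audit index actually emits throughout. The prose introduces `securityDataFilter`, `selectionType` and `selectedViews` as new V2 fields, but the V2 query extracts only `logAnalyticsFilter` and `auditDataFilter`; either extract those fields too or state that the example intentionally covers only the two. Minor wording: "Migrate audit logs queries" reads better as "Migrate audit log queries", and "querying upon audit logs with change in" as "querying audit logs for changes in".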