Hi guys,
So I'm consuming AWS CloudTrail events and am particularly interested in failed logins to the AWS console.
The correct event is eventName=ConsoleLogin, but even when the login has failed it still gets a success action.
Here's the event:
{
  additionalEventData: { ... }
  awsRegion: us-east-1
  errorMessage: Failed authentication
  eventID: xxxxxxxxxxxxxxxxxxxxxxx
  eventName: ConsoleLogin
  eventSource: signin.amazonaws.com
  eventTime: 2016-06-13T10:52:17Z
  eventType: AwsConsoleSignIn
  eventVersion: 1.02
  recipientAccountId: 8348xxxxxxxxxxxxx
  requestParameters: null
  responseElements: {
    ConsoleLogin: Failure
  }
  sourceIPAddress: xxxxxxxxxxxxxxxx
  userAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
  userIdentity: { ... }
}
The event action is still set to success.
I traced it to the lookup aws-cloudtrail-action-status.csv, but that seems to be expecting an errorCode, which isn't populated. It needs to read responseElements.ConsoleLogin in order to determine success.
Sample of the lookup:
eventName,errorCode,action,status
ConsoleLogin,success,success,success
ConsoleLogin,*,failure,failure
Could you give us a steer on how to resolve?
Thanks
Maybe you can alter the EVAL-errorCode statement in props.conf (in the TA), so that the errorCode value is populated for Console Login failures?
EVAL-errorCode = if('responseElements.ConsoleLogin'=="Failure", "failure", coalesce('errorCode',"success"))
Perfect - issue resolved.
Thanks
I should add: you'll want to add this to a local/props.conf so the change isn't overwritten when you upgrade the TA.
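To make the mapping failure concrete, here is an added Python example (not code from the thread or from the Splunk TA) that replays the accepted answer's logic outside Splunk: it derives errorCode from a CloudTrail record the way the EVAL-errorCode statement does and then resolves action/status through the lookup sample quoted above. The sample events are constructed to mirror the record in the question; the "before fix" derivation assumes the TA's original EVAL was simply coalesce('errorCode',"success"), which is an assumption consistent with the symptom described (missing errorCode defaulting to success). Wildcard matching of the errorCode column is emulated with fnmatch, standing in for a WILDCARD(errorCode) match_type in the lookup definition.

```python
import csv
import fnmatch
import io
import json

# Constructed sample events (not from the original post); the field shapes follow
# the CloudTrail ConsoleLogin record quoted in the thread.
SAMPLE_EVENTS = [
    # Failed console login: no errorCode, only responseElements.ConsoleLogin=Failure
    {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication",
     "responseElements": {"ConsoleLogin": "Failure"}},
    # Successful console login
    {"eventName": "ConsoleLogin", "responseElements": {"ConsoleLogin": "Success"}},
    # A different API call that carries an explicit errorCode and no lookup row
    {"eventName": "AssumeRole", "errorCode": "AccessDenied", "responseElements": None},
]

# The lookup sample exactly as quoted in the thread.
LOOKUP_CSV = """eventName,errorCode,action,status
ConsoleLogin,success,success,success
ConsoleLogin,*,failure,failure
"""


def derive_error_code_original(event):
    """Assumed pre-fix behaviour: coalesce('errorCode', "success").
    A failed ConsoleLogin has no errorCode, so it collapses to "success"."""
    return event.get("errorCode") or "success"


def derive_error_code_fixed(event):
    """Mirror of the EVAL-errorCode from the accepted answer:
    if('responseElements.ConsoleLogin'=="Failure", "failure", coalesce('errorCode',"success"))"""
    resp = event.get("responseElements") or {}
    if resp.get("ConsoleLogin") == "Failure":
        return "failure"
    return event.get("errorCode") or "success"


def lookup_action(event_name, error_code, lookup_csv=LOOKUP_CSV):
    """First-match lookup on eventName (exact) and errorCode (wildcard pattern).
    Returns (action, status) or None when no row matches."""
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        if row["eventName"] == event_name and fnmatch.fnmatchcase(error_code, row["errorCode"]):
            return row["action"], row["status"]
    return None


def classify(event, derive=derive_error_code_fixed):
    """Derive errorCode, then resolve action/status through the lookup."""
    code = derive(event)
    match = lookup_action(event["eventName"], code)
    return {
        "eventName": event["eventName"],
        "errorCode": code,
        "action": match[0] if match else None,
        "status": match[1] if match else None,
    }


def classify_all(events, derive=derive_error_code_fixed):
    return [classify(e, derive) for e in events]


if __name__ == "__main__":
    for label, fn in (("before fix", derive_error_code_original),
                      ("after fix", derive_error_code_fixed)):
        print(label)
        for result in classify_all(SAMPLE_EVENTS, fn):
            print("  " + json.dumps(result))
```

Running it shows the failed ConsoleLogin landing on action=success under the assumed original derivation and on action=failure once responseElements.ConsoleLogin is consulted; the AssumeRole record returns no action because the quoted lookup sample has no row for it, which is the same silent gap to watch for whenever a new eventName is added to a failed-login search. After deploying the local/props.conf change, a quick sanity search for ConsoleLogin events with responseElements.ConsoleLogin=Failure and action!=failure should return nothing.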