Finding Specific Actions in CloudTrail

0

Hi, all, New to the community so will do my best to follow the dos and don'ts, but a bit of an AWS novice so bear with me. It was noticed that the new "Malware Protection" trial had started in our AWS environment. However, nobody knows who did it, whether it was set up to continue after, etc. I went to CloudTrail to try and search for any indicators and all I can see is where folks have looked at the service page, but not necessarily enabled the service or activated the trial. Does anyone know of the correct attributes/parameters to use to determine this? Thank you!

1 Answer
1

Hi and welcome to the community!

You can search for the updateDetector event name to find who updated the Guard Duty configuration.


In particular you should search to see if scanEc2InstanceWithFindings is set to true.

    "requestParameters": {
        "detectorId": "56bf249c0b2004c6e5f32f00b3cfda80",
        "enable": true,
        "findingPublishingFrequency": "SIX_HOURS",
        "dataSources": {
            "malwareProtection": {
                "scanEc2InstanceWithFindings": {
                    "ebsVolumes": true
                }
            }
        }
    },
AWS
answered a year ago
  • Thanks. I followed your guidance and it isn't showing me any events. I know we have logging enabled as a user search shows events. Does logging need to be enabled separately for the config changes?
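As an added example (not from the thread or from AWS), a small Python filter that does the same search over CloudTrail records: it keeps only GuardDuty write calls (CreateDetector and UpdateDetector, the exact API action names CloudTrail records) whose requestParameters carry the malwareProtection data source, and reports which principal made each call. The sample records are constructed, the detector id is a placeholder, and the function also accepts the wrapped form returned by boto3 lookup_events, where the record is a JSON string in CloudTrailEvent.

```python
import json

# Constructed sample CloudTrail records (not from the thread): a read-only
# GetDetector call, an UpdateDetector that turns on EBS malware scanning,
# and an UpdateDetector that only changes the finding frequency.
SAMPLE_EVENTS = [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "GetDetector", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID"}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", "enable": True,
                           "dataSources": {"malwareProtection": {
                               "scanEc2InstanceWithFindings": {"ebsVolumes": True}}}}},
    {"eventTime": "2023-05-02T09:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID",
                           "findingPublishingFrequency": "SIX_HOURS"}},
]

# Only these GuardDuty actions can change the detector's data sources.
WRITE_EVENTS = {"CreateDetector", "UpdateDetector"}


def malware_protection_changes(events):
    """Return (eventTime, principal ARN, eventName, ebsVolumes) for each GuardDuty
    write call whose request parameters touch the Malware Protection data source."""
    changes = []
    for ev in events:
        # lookup_events() wraps each record as a JSON string under CloudTrailEvent
        if "CloudTrailEvent" in ev:
            ev = json.loads(ev["CloudTrailEvent"])
        if ev.get("eventSource") != "guardduty.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS:   # reads never change config
            continue
        params = ev.get("requestParameters") or {}
        mp = (params.get("dataSources") or {}).get("malwareProtection")
        if mp is None:
            continue   # write call that did not touch Malware Protection
        ebs = (mp.get("scanEc2InstanceWithFindings") or {}).get("ebsVolumes")
        changes.append((ev["eventTime"], ev["userIdentity"].get("arn"),
                        ev["eventName"], ebs))
    return changes
```

CloudTrail Event history only covers the last 90 days and is per region, so query the region where GuardDuty runs; a detector created with Malware Protection already on shows up as CreateDetector rather than UpdateDetector, which is why both names are checked.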
