Splunk Search

Conditional execution of search

neerajs_81
Builder

Hello All, can someone help me build a search query for the use case below?

My use case is to detect if any S3 buckets have been set for public access via a PutBucketPolicy event.

I need this query to show results only if the fields Effect and Principal both have the values "Allow" and "* or {AWS:*}" respectively for the same SID. Basically the following 2 conditions must be met for a particular SID.

Effect: Allow
Principal *  OR {AWS:*}
-----------------------

The raw event data however has 2 SIDs (MustBeEncryptedInTransit and Cloudfront Access) as shown below, and each one has conflicting values of Effect & Principal.

{"eventName": "PutBucketPolicy",
 "awsRegion": "us-east-1",
 "sourceIPAddress": "x.x.x.x",
 "userAgent": "[<some agent>]",
 "requestParameters": {"bucketPolicy": {"Version": "2012-10-17",
 "Statement": [{"Sid": "MustBeEncryptedInTransit",
 "Effect": "Deny",
 "Action": "s3:*",
 "Resource": ["arn:aws:s3:::<Bucket_Name>/*",
 "arn:aws:s3:::<Bucket_Name>"],
 "Principal": "*",
 "Condition": {"Bool": {"aws:SecureTransport": ["false"]}}},
 {"Sid": "Cloudfront Access",
 "Effect": "Allow",
 "Action": "s3:*",
 "Resource": "arn:aws:s3::<Bucket_Name>/*",
 "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXX"}}]},
 "bucketName": "<Bucket_Name>",
 "Host": "<SomeHost_Name>",
 "policy": ""}}

Now, if I try the below search, it generates false positives because the raw data has everything in the same event: Effect = Allow, Effect = Deny, Principal = * and 2 values of SID.

sourcetype=aws:cloudtrail eventName IN(PutBucketPolicy) userName="abcd" requestParameters.bucketPolicy.Statement{}.Effect = "Allow"  requestParameters.bucketPolicy.Statement{}.Principal = "*" requestParameters.bucketPolicy.Statement{}.Sid = "Cloudfront Access"
I am just lost as to how to build an eval statement to check if SID = CloudFront Access or SID != MustBeEncryptedInTransit, and only then check the values of Effect and Principal.

Hope I am clear. If you all have better suggestions to check for public access using PutBucketPolicy or ACL, let me know.

1 Solution

isoutamo
SplunkTrust

Hi

can you try to change the last where to

| search Principal=* OR Principal.AWS=*

Actually you could use | makeresults on your production when you are testing something. It just creates temporary events (it does not store them in the index) which you can manipulate in the same SPL query.

https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Makeresults

r. Ismo


ITWhisperer
SplunkTrust

Try something like this

| makeresults
| eval _raw="{\"eventName\": \"PutBucketPolicy\",
 \"awsRegion\": \"us-east-1\",
 \"sourceIPAddress\": \"x.x.x.x\",
 \"userAgent\": \"[<some agent>]\",
 \"requestParameters\": {\"bucketPolicy\": {\"Version\": \"2012-10-17\",
 \"Statement\": [{\"Sid\": \"MustBeEncryptedInTransit\",
 \"Effect\": \"Deny\",
 \"Action\": \"s3:*\",
 \"Resource\": [\"arn:aws:s3:::<Bucket_Name>/*\",
 \"arn:aws:s3:::<Bucket_Name>\"],
 \"Principal\": \"*\",
 \"Condition\": {\"Bool\": {\"aws:SecureTransport\": [\"false\"]}}},
 {\"Sid\": \"Cloudfront Access\",
 \"Effect\": \"Allow\",
 \"Action\": \"s3:*\",
 \"Resource\": \"arn:aws:s3::<Bucket_Name>/*\",
 \"Principal\": {\"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXX\"}}]},
 \"bucketName\": \"<Bucket_Name>\",
 \"Host\": \"<SomeHost_Name>\",
 \"policy\": \"\"}}"



| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| where Effect="Allow"
| where Principal="*" OR Principal.AWS="*"
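The per-statement logic that this answer's spath/mvexpand pipeline implements, written out in Python as an added example (not code from the thread). It shows why the original search in the question fires on this event (Effect and Principal are pooled across statements) and why checking each statement on its own does not. SAMPLE_EVENT is constructed from the redacted event in the thread; PUBLIC_EVENT is a constructed variant that really opens the bucket.

```python
import json

# Constructed sample modelled on the redacted PutBucketPolicy event posted in the thread.
SAMPLE_EVENT = json.dumps({
    "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
    "requestParameters": {"bucketPolicy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "MustBeEncryptedInTransit", "Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::<Bucket_Name>/*", "arn:aws:s3:::<Bucket_Name>"],
         "Principal": "*",
         "Condition": {"Bool": {"aws:SecureTransport": ["false"]}}},
        {"Sid": "Cloudfront Access", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::<Bucket_Name>/*",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXX"}}]},
        "bucketName": "<Bucket_Name>"}})

# Constructed variant: same event, but the Allow statement is granted to Principal {"AWS": "*"}.
_public = json.loads(SAMPLE_EVENT)
_public["requestParameters"]["bucketPolicy"]["Statement"][1]["Principal"] = {"AWS": "*"}
PUBLIC_EVENT = json.dumps(_public)


def statements(event_raw):
    """Statement list of a PutBucketPolicy event; a lone statement object is wrapped in a list."""
    policy = json.loads(event_raw).get("requestParameters", {}).get("bucketPolicy", {})
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def is_wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def flattened_check(event_raw):
    """Logic of the first search in the question: Effect and Principal pooled across all
    statements of the event, so a Deny-for-* plus an unrelated Allow looks public."""
    stmts = statements(event_raw)
    return (any(s.get("Effect") == "Allow" for s in stmts)
            and any(is_wildcard_principal(s.get("Principal")) for s in stmts))


def public_statements(event_raw):
    """Per-statement check (what spath + mvexpand gives you in SPL): Sids whose own Effect is
    Allow and whose own Principal is a wildcard. An Allow statement that also carries a
    Condition key may be narrower than it looks, so review it rather than auto-closing."""
    return [s.get("Sid") for s in statements(event_raw)
            if s.get("Effect") == "Allow" and is_wildcard_principal(s.get("Principal"))]
```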

neerajs_81
Builder

@ITWhisperer Thank you for responding.

I tried including your search from the | spath command onwards, but it didn't work as expected. Note: I did not run the makeresults because I cannot make results in our production environment.

I am seeing that irrespective of whatever value I put for Principal.AWS in the where clause, it shows "No results found".

Meaning, by supplying Principal.AWS="*" OR Principal.AWS="arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXX", both show "No results found".

In theory, if you look at the raw data, if Principal.AWS="arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXX" then it should have shown at least that 1 event in the results.

| spath requestParameters.bucketPolicy.Statement{} output=Statement
| mvexpand Statement
| spath input=Statement
| where Effect="Allow"
| where Principal="*" OR Principal.AWS="*"

ITWhisperer
SplunkTrust

Sorry, Principal.AWS needs to be in single quotes

| where Principal="*" OR 'Principal.AWS'="*"

Does this give you what you want, i.e. are you looking for a literal * or are you looking for any value in Principal or Principal.AWS?

neerajs_81
Builder

@ITWhisperer
I am looking for a literal * in the Principal.AWS and Principal fields. Enclosing in single quotes didn't have any effect.

Actually, using single or double quotes and the search command instead of where did the trick for the Principal or Principal.AWS elements. Below is what worked.

| search "Principal"="*" OR "Principal.AWS"="*"

neerajs_81
Builder

Thank you. That was very helpful
