AWS Cloud Attack
IBM® QRadar® helps you monitor your Amazon Web Services (AWS) cloud environment so that you can quickly detect high-risk misconfiguration, targeted threats, and exploitation of cloud resources.
The AWS Cloud attack use case shows how QRadar detects a suspicious login to Amazon Web Services (AWS), followed by the creation of a high volume of Amazon Elastic Compute Cloud (EC2) instances, and the potential data exfiltration from an Amazon Simple Storage Service (S3) bucket.
The simulated attack starts with a mail server information message that indicates a potential spam email with a suspicious attachment. Shortly after the attachment is opened, QRadar detects a series of events that contribute to a single offense, which might indicate that an active threat is occurring.
Simulating the threat
To see how QRadar detects the AWS Cloud Attack, watch the AWS Cloud Attack simulation video.
- On the Log Activity tab, click Show Experience Center.
- Click Threat simulator.
- Locate the AWS Cloud Attack simulation and click Run.
Content | Description |
---|---|
Events | Mail Server Info Message; Process Create; Console Login; Run Instances; List Buckets; Get Object |
Log sources | Experience Center: WindowsAuthServer @ IE8WIN7; Experience Center: AWS Syslog @ 192.168.0.17; Experience Center: Cisco IronPort @ 192.168.0.15 |
The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.
Detecting the threat: QRadar in action
The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events and flows. The CRE compares the events and flows against a collection of tests, which are known as rules, and the rules create offenses when specific conditions are met. The CRE tracks the rule tests and incident counts over time.
Knowing that an offense occurred is only the first step. QRadar makes it easier for you to do an in-depth analysis and identify how it happened, where it happened, and who did it. Because the offense is indexed on the threat name, all events with the same threat name appear as a single offense.
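As an added illustration (not QRadar's own rule logic or the Experience Center content), the following Python sketches how a CRE-style rule chain could correlate this use case's event sequence per principal: a console login flagged as suspicious, a high volume of RunInstances within a window, then S3 ListBuckets and GetObject, all contributing to one offense indexed on the threat name. The threshold, the window, the "no MFA" login test and the CloudTrail-style records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THREAT_NAME = "EC: AWS Cloud Attack"   # offense index key (assumed label)
RUN_INSTANCES_THRESHOLD = 5            # assumed meaning of "high volume" of launches
WINDOW = timedelta(minutes=30)         # assumed window after the suspicious login

# Constructed CloudTrail-style records: (user, timestamp, eventName, details).
SAMPLE_EVENTS = [
    ("alice", "2024-05-01T10:00:00", "ConsoleLogin", {"mfaUsed": "No"}),
    *[("alice", f"2024-05-01T10:0{i}:00", "RunInstances", {"count": 2}) for i in range(2, 8)],
    ("alice", "2024-05-01T10:10:00", "ListBuckets", {}),
    ("alice", "2024-05-01T10:11:00", "GetObject", {"bucket": "finance-reports", "key": "q1.xlsx"}),
    ("bob", "2024-05-01T10:00:00", "ConsoleLogin", {"mfaUsed": "Yes"}),
    ("bob", "2024-05-01T10:05:00", "RunInstances", {"count": 1}),
    ("bob", "2024-05-01T10:06:00", "GetObject", {"bucket": "build-artifacts", "key": "app.zip"}),
]


def correlate(events):
    """Walk events in time order and build one offense per principal whose
    activity matches the full chain: suspicious login -> RunInstances burst
    -> S3 enumeration/read. Returns {user: offense_dict}."""
    state = defaultdict(lambda: {"login": None, "runs": 0, "buckets": False, "objects": []})
    offenses = {}
    for user, ts, name, details in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        s = state[user]
        if name == "ConsoleLogin":
            # Rule 1 (assumed test): a console login without MFA is "suspicious".
            s["login"] = t if details.get("mfaUsed") == "No" else None
            s["runs"], s["buckets"], s["objects"] = 0, False, []
        elif s["login"] is None or t - s["login"] > WINDOW:
            continue   # no suspicious login, or outside the window: not counted
        elif name == "RunInstances":
            s["runs"] += details.get("count", 1)   # Rule 2: count launches over time
        elif name == "ListBuckets":
            s["buckets"] = True
        elif name == "GetObject":
            s["objects"].append(f"s3://{details['bucket']}/{details['key']}")
        # Rule 3: the whole chain matched, so the events contribute to one indexed offense.
        if s["runs"] >= RUN_INSTANCES_THRESHOLD and s["objects"]:
            offenses[user] = {"threat": THREAT_NAME, "user": user, "instances": s["runs"],
                              "buckets_listed": s["buckets"], "objects": list(s["objects"])}
    return offenses


if __name__ == "__main__":
    for offense in correlate(SAMPLE_EVENTS).values():
        print(offense)
```

Only "alice" produces an offense: "bob" logged in with MFA, so his later activity never enters the rule chain.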
Investigating the threat
- Open the IBM QRadar Experience Center app.
- In the Threat simulator window, click the Read More link for the simulation, and select the type of content that you want to review.
Alternatively, from the Log Activity tab, you can run the quick search called EC: AWS Cloud Attack Events to view all events that are associated with the offense.