
Retro Hunts not populating results

  • July 12, 2024
  • 4 replies
  • 4 views


Has anyone experienced their retro hunts not returning any results? However, when you perform a UDM search, the results are there.

Example UDM query (this returns results):

metadata.product_name = "AWS_CLOUDTRAIL" and target.application = "ec2-instance-connect.amazonaws.com" AND principal.user.user_display_name != /(?i)^.*example.*$/

Example YARA-L detection (this does not return results):

rule aws_ec2_ssh_key_uploaded {

  meta:
    author = "test"
    description = `Example Detection`
    data_source = "AWS CloudTrail"
    severity = "High"

  events:
    $aws.metadata.product_name = "AWS_Cloudtrail"
    $aws.target.application = "ec2-instance-connect.amazonaws.com"
    $aws.principal.user.user_display_name != /(?i)^.*example.*$/
    {
      $aws.metadata.product_event_type = "SendSSHPublicKey" OR
      $aws.metadata.product_event_type = "SendSerialConsoleSSHPublic"
    }

  outcome:
    $principal_ip = array_distinct($aws.principal.ip)
    $user_arn = array_distinct($aws.principal.user.userid)
    $action = array_distinct($aws.metadata.product_event_type)
    $target_resource_name = array_distinct($aws.target.resource.name)
    $network_http_user_agent = array_distinct($aws.network.http.user_agent)
    $aws_account = array_distinct($aws.principal.group.product_object_id)
    $aws_region = array_distinct($aws.principal.location.name)

  condition:
    $aws
}

4 replies

jpetitg
  • Bronze 1
  • July 12, 2024

Hi,

I see that your UDM search and YARA-L rule do not have all the same elements to match an event.

Can you confirm that this UDM search returns results?

metadata.product_name = "AWS_Cloudtrail"
target.application = "ec2-instance-connect.amazonaws.com"
principal.user.user_display_name != /(?i)^.*example.*$/
(
  metadata.product_event_type = "SendSSHPublicKey" OR
  metadata.product_event_type = "SendSerialConsoleSSHPublic"
)

And also, what time period did you set for the retrohunt, and what period for your UDM search?
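The comparison jpetitg did by eye above can be automated. The following is an added example, not code from the thread or from Google SecOps: it pulls the field / operator / literal predicates out of both the UDM search and the YARA-L events section and lists every term that exists on one side only or whose value differs only in letter case. The two inputs are constructed strings copied from this thread.

```python
import re
# Constructed inputs copied from this thread: the UDM search that returns
# results and the events section of the YARA-L rule that does not.
UDM_QUERY = (
    'metadata.product_name = "AWS_CLOUDTRAIL" and '
    'target.application = "ec2-instance-connect.amazonaws.com" AND '
    'principal.user.user_display_name != /(?i)^.*example.*$/'
)
YARAL_EVENTS = """
$aws.metadata.product_name = "AWS_Cloudtrail"
$aws.target.application = "ec2-instance-connect.amazonaws.com"
$aws.principal.user.user_display_name != /(?i)^.*example.*$/
{ $aws.metadata.product_event_type = "SendSSHPublicKey" OR
  $aws.metadata.product_event_type = "SendSerialConsoleSSHPublic" }
"""

# One predicate: optional YARA-L event variable ($aws.), a UDM field path,
# the operator, then a double-quoted string or a /regex/ literal.
PRED = re.compile(r'(?:\$\w+\.)?([a-z_][\w.]*)\s*(!=|=)\s*'
                  r'("(?:[^"\\]|\\.)*"|/(?:[^/\\]|\\.)*/)')

def predicates(text):
    """Map (field, operator) -> list of literals, dropping the $var. prefix."""
    preds = {}
    for field, op, literal in PRED.findall(text):
        preds.setdefault((field, op), []).append(literal)
    return preds

def compare(udm_text, yaral_text):
    """List every predicate present on one side only or differing in value/case."""
    udm, rule = predicates(udm_text), predicates(yaral_text)
    findings = []
    for key in sorted(set(udm) | set(rule)):
        field, op = key
        if key not in udm:
            findings.append(f"{field} {op} only in rule: {rule[key]}")
        elif key not in rule:
            findings.append(f"{field} {op} only in UDM search: {udm[key]}")
        else:
            for lit in udm[key]:
                if lit in rule[key]:
                    continue
                # YARA-L string matches are case-sensitive unless the rule uses nocase.
                same_fold = any(r.lower() == lit.lower() for r in rule[key])
                kind = "case differs" if same_fold else "value differs"
                findings.append(f"{field}: {kind}: UDM {lit} vs rule {rule[key]}")
    return findings

if __name__ == "__main__":
    for line in compare(UDM_QUERY, YARAL_EVENTS):
        print(line)
```

Run against the thread's own query and rule it reports the product_name case mismatch and the product_event_type terms that the UDM search never filtered on.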


  • Author
  • New Member
  • July 12, 2024

Yes, this returns results @jpetitg


stein1
  • Bronze 1
  • July 16, 2024

I'll mention one thing about your rule. The correct metadata.product_event_type for the AWS CloudTrail event is "SendSerialConsoleSSHPublicKey", not "SendSerialConsoleSSHPublic".

AymanC
  • Bronze 5
  • July 17, 2024

Very strange. Have you made sure the date and time range you're searching in both the UDM search and the retrohunt match?

What might also be worth checking is to grab the metadata.id or metadata.product_log_id value from the event you can find within UDM, create a search within the Detection Engine for that log id or metadata.id, and see if it yields any results.