
Has anyone experienced your retro hunts not returning any results? However, when you perform a UDM Search, the results are there.

Example UDM query (this returns results):


metadata.product_name = "AWS_CLOUDTRAIL" and target.application = "ec2-instance-connect.amazonaws.com" AND principal.user.user_display_name != /(?i)^.*example.*$/


Example YARA-L detection (this does not return results):


rule aws_ec2_ssh_key_uploaded {

  meta:
    author = "test"
    description = "Example Detection"
    data_source = "AWS CloudTrail"
    severity = "High"

  events:
    // Lines in the events section are ANDed; the grouped OR below is parenthesised
    // as YARA-L requires (the original post used braces here).
    $aws.metadata.product_name = "AWS_Cloudtrail"
    $aws.target.application = "ec2-instance-connect.amazonaws.com"
    $aws.principal.user.user_display_name != /(?i)^.*example.*$/

    (
      $aws.metadata.product_event_type = "SendSSHPublicKey" OR
      $aws.metadata.product_event_type = "SendSerialConsoleSSHPublic"
    )

  outcome:
    $principal_ip = array_distinct($aws.principal.ip)
    $user_arn = array_distinct($aws.principal.user.userid)
    $action = array_distinct($aws.metadata.product_event_type)
    $target_resource_name = array_distinct($aws.target.resource.name)
    $network_http_user_agent = array_distinct($aws.network.http.user_agent)
    $aws_account = array_distinct($aws.principal.group.product_object_id)
    $aws_region = array_distinct($aws.principal.location.name)

  condition:
    $aws
}


Hi,

I see that your UDM search and YARA-L rules do not have all the same elements to match an event.

Can you confirm that this UDM search returns results?


metadata.product_name = "AWS_Cloudtrail"
target.application = "ec2-instance-connect.amazonaws.com"
principal.user.user_display_name != /(?i)^.*example.*$/
(
metadata.product_event_type = "SendSSHPublicKey" OR
metadata.product_event_type = "SendSerialConsoleSSHPublic"
)


And also, what time period did you set for the retrohunt, and what period for your UDM search?


Yes, this returns results @jpetitg


I'll mention one thing about your rule. The correct metadata.product_event_type for the AWS CloudTrail event is "SendSerialConsoleSSHPublicKey", not "SendSerialConsoleSSHPublic".
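The two replies above make the same point from different angles: the UDM search and the YARA-L rule do not contain the same predicates, so an event the search returns can still be rejected by one clause of the rule. The script below is an added example, not code from this thread or from Google SecOps. It models the poster's UDM search and the rule's events section as predicate lists, evaluates both against constructed CloudTrail-style UDM events, and reports which clause drops an event the UDM search admits. It assumes YARA-L string `=` is case-sensitive unless `nocase` is appended; the event contents, the `Predicate` helper and all function names are constructed for illustration.

```python
"""Added example: compare a UDM search and a YARA-L events section clause by clause
against constructed UDM events. Not code from the thread or from Google SecOps."""
import re
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class Predicate:
    field: str            # dotted UDM path, e.g. "metadata.product_name"
    op: str               # "eq" (string equality) or "ne_regex" (must NOT match regex)
    value: str
    nocase: bool = False  # models the YARA-L `nocase` modifier on "eq" (assumption)

    def describe(self) -> str:
        return f"{self.field} {self.op} {self.value!r}"


# A clause is one Predicate or a list of Predicates joined by OR; top-level clauses
# are ANDed, as separate lines in a YARA-L events section are.
Clause = Union[Predicate, List[Predicate]]


def get_field(event: dict, path: str) -> str:
    """Walk a dotted path through a nested dict; a missing field reads as ""."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else ""


def predicate_holds(p: Predicate, event: dict) -> bool:
    actual = get_field(event, p.field)
    if p.op == "eq":
        return actual.lower() == p.value.lower() if p.nocase else actual == p.value
    if p.op == "ne_regex":
        return re.search(p.value, actual) is None
    raise ValueError(f"unknown op {p.op}")


def failing_clauses(clauses: List[Clause], event: dict) -> List[str]:
    """Describe every clause that rejects the event; an empty list means a match."""
    failures = []
    for clause in clauses:
        if isinstance(clause, list):
            if not any(predicate_holds(p, event) for p in clause):
                failures.append(" OR ".join(p.describe() for p in clause))
        elif not predicate_holds(clause, event):
            failures.append(clause.describe())
    return failures


NOT_EXAMPLE = Predicate("principal.user.user_display_name", "ne_regex", r"(?i)^.*example.*$")
APP = Predicate("target.application", "eq", "ec2-instance-connect.amazonaws.com")

# The poster's UDM search, as written in the thread.
UDM_QUERY: List[Clause] = [Predicate("metadata.product_name", "eq", "AWS_CLOUDTRAIL"), APP, NOT_EXAMPLE]

# The poster's YARA-L events section: different product_name case, plus an OR group
# whose second event type is truncated (the reply says it should end in "...Key").
ORIGINAL_RULE: List[Clause] = [
    Predicate("metadata.product_name", "eq", "AWS_Cloudtrail"),
    APP,
    NOT_EXAMPLE,
    [Predicate("metadata.product_event_type", "eq", "SendSSHPublicKey"),
     Predicate("metadata.product_event_type", "eq", "SendSerialConsoleSSHPublic")],
]

# The same rule with product_name matched case-insensitively and the full event type.
CORRECTED_RULE: List[Clause] = [
    Predicate("metadata.product_name", "eq", "AWS_Cloudtrail", nocase=True),
    APP,
    NOT_EXAMPLE,
    [Predicate("metadata.product_event_type", "eq", "SendSSHPublicKey"),
     Predicate("metadata.product_event_type", "eq", "SendSerialConsoleSSHPublicKey")],
]

# Constructed events (not real CloudTrail data): a serial-console key upload by an
# ordinary user, and one by a display name the exclusion regex is meant to drop.
KEY_UPLOAD_EVENT = {
    "metadata": {"product_name": "AWS_CLOUDTRAIL",
                 "product_event_type": "SendSerialConsoleSSHPublicKey",
                 "id": "constructed-udm-id-0001"},
    "target": {"application": "ec2-instance-connect.amazonaws.com"},
    "principal": {"user": {"user_display_name": "alice.ops"}},
}
EXCLUDED_USER_EVENT = {**KEY_UPLOAD_EVENT,
                       "principal": {"user": {"user_display_name": "Example Bot"}}}


if __name__ == "__main__":
    for name, clauses in (("UDM search", UDM_QUERY), ("original rule", ORIGINAL_RULE),
                          ("corrected rule", CORRECTED_RULE)):
        print(f"{name}: {failing_clauses(clauses, KEY_UPLOAD_EVENT) or 'MATCH'}")
```

Running it prints that the UDM search and the corrected rule both match the constructed key-upload event, while the original rule fails on two clauses: the product_name comparison (case differs from the stored value in this constructed event) and the event-type OR group (neither alternative equals the full event type name). The same diff is what you would do by hand before launching a retrohunt: every clause in the rule that is not in the UDM search is a candidate reason for zero results.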



Very strange. Have you made sure the date and time ranges you're searching, both in UDM search and within the retrohunt, match?

What also might be worth checking is to grab the metadata.id or metadata.product_log_id value from the event you can find within UDM search, create a search within the Detection Engine for that log id or metadata.id, and see if it yields any results.

