With the introduction of Tailpipe, Powerpipe gains a new family of mods that specialize in analysis of log data. Until now, benchmarks were bundles of controls that use Steampipe to check cloud infrastructure against frameworks like CIS, HIPAA, and SOC 2. The new mods we're announcing today use a different query engine, Tailpipe; they introduce a new benchmark component, the detection; and they bundle detections to align with MITRE ATT&CK, a comprehensive knowledge base of adversary tactics.
Get started with a detections mod
Let's look at AWS CloudTrail Log Detections which provides pre-built dashboards and detections to monitor and analyze activity across your AWS accounts.
This mod requires AWS CloudTrail logs to be collected using Tailpipe with the AWS plugin:
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod install github.com/turbot/tailpipe-mod-aws-cloudtrail-log-detections
Start the dashboard server:
powerpipe server
Browse and view your dashboards at http://localhost:9033.
The new suite of detection mods
The AWS CloudTrail Log Detections mod is joined by companions for Azure and GCP. Collectively these new mods provide a wealth of detections and queries for those working with individual clouds or across all of them.
Mod | Dashboards | Benchmarks | Queries |
---|---|---|---|
AWS CloudTrail Log Detections Mod | 6 | 86 | 108 |
Azure Activity Log Detections | 4 | 36 | 39 |
GCP Audit Log Detections | 2 | 55 | 55 |
Run a suite of detections
The AWS CloudTrail Log Detections mod provides two views of detections: CloudTrail Log Detections, which organizes them by AWS service, and MITRE ATT&CK v16.1 for CloudTrail Logs, which uses the MITRE taxonomy. These are views over the same set of log entries that you've collected, using a common set of queries. Let's start with CloudTrail Log Detections. The row of buttons at the top governs the number of days included in the view. The default is 7d: the most recent 7 days. In this example we've used the Custom date picker to include 1.8 million log entries spanning several years. That may sound like a lot but it really isn't; this is just the sample flaws.cloud data available here. We've used Tailpipe on a six-month sample of an internal log that's 100 times larger. Tailpipe's engine, DuckDB, can slice through hundreds of millions of log records in seconds!
If you've collected a meaningful amount of log data for the most recent 7 days, you can start exploring right away. If not, expand the date range to include more days, weeks, or even years.
As with a compliance mod, a detection mod displays a row of infocards. For a detections view, these cards summarize the number and severity of log entries matching each detection's query. And as with a compliance mod, the body of the display presents a hierarchy of benchmarks, like CloudWatch Detections as shown above. For a detections view, these benchmarks bundle detections instead of controls, like CloudWatch Log Group Created with Encryption Disabled. You can click the ? button on any detection for an overview of its nature and purpose.
A control on a compliance dashboard reports a single row with the standard columns: status, resource, reason. A detection on a detections dashboard works differently: it reports the set of log entries that match that detection's underlying query. And that tabular view is richly interactive!
Hunt for bad actors
You're hunting for needles in haystacks. To help you narrow down and focus on the log entries found by detections, Powerpipe offers powerful new tools. Hover over any cell to reveal a row of four icons:
Copy value
Filter by this value
Exclude value from results
View row
If you want to keep only rows with the /aws/lambda/Level6 resource, select the Filter icon. Conversely if you want to toss that set of rows to focus on everything else, select the Exclude icon. Using these tools you can refine the set of detected rows to ignore those that are benign and focus on the ones that might be malicious.
When you find an interesting row, use the View icon to explore it.
Apply the MITRE ATT&CK lens
To view results through the lens of the MITRE ATT&CK framework, select the Powerpipe logo to return to the mod's home page and then select MITRE ATT&CK v16.1 for CloudTrail Logs. Now detections are organized by MITRE tactics and techniques. For example, in the opening screenshot above:
TA0001: Initial Access is a high-level tactic, representing an adversary's goal to gain an initial foothold in a system.
T1078: Valid Accounts is a technique related to use of valid credentials (stolen, guessed, or default) to access systems.
T1078.001: Valid Accounts: Default Accounts narrows that down to focus on root accounts or accounts with default passwords. That's the context for the IAM Root User Console Login detection.
It's not the only context, though. The same detection also appears under tactic TA0004: Privilege Escalation. The framework enables defenders to consider a detection from different perspectives, in order to evaluate how an action fits into the overall attack chain.
However you arrive at a detection, Powerpipe's filtering helps you quickly separate the wheat from the chaff. If the actor performing the login is known and trusted, exclude all console logins from that actor with a single click in order to focus on others that may warrant scrutiny.
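To make the workflow above concrete, here is an added example (not code from the mod or from Powerpipe) that models a detection as a row filter over CloudTrail entries rather than a pass/fail control, then applies the date window, the Filter and Exclude operations, and the "drop the trusted actor" step. The two detections and the /aws/lambda/Level6 log group come from this post; the sample events are constructed, and the "no kmsKeyId in requestParameters" rule for the encryption detection is an assumption about how that check is expressed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail events: CloudTrail field names, invented values.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2024-03-02T09:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2024-03-05T22:15:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::222222222222:root"}},
    {"eventTime": "2023-06-12T03:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2024-03-03T10:00:00Z", "eventName": "CreateLogGroup",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"logGroupName": "/aws/lambda/Level6"}},
    {"eventTime": "2024-03-04T11:00:00Z", "eventName": "CreateLogGroup",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"logGroupName": "/app/api", "kmsKeyId": "EXAMPLE-KEY"}},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_window(events, days, now):
    """The dashboard's date-range buttons: keep only the last `days` days."""
    return [e for e in events if parse_time(e["eventTime"]) >= now - timedelta(days=days)]

# Two detections named in the post, each a predicate over one log entry.
# The kmsKeyId rule is an assumed expression of "encryption disabled".
DETECTIONS = {
    "IAM Root User Console Login": lambda e:
        e["eventName"] == "ConsoleLogin" and e["userIdentity"]["type"] == "Root",
    "CloudWatch Log Group Created with Encryption Disabled": lambda e:
        e["eventName"] == "CreateLogGroup"
        and "kmsKeyId" not in e.get("requestParameters", {}),
}

def run_detection(name, events):
    """A detection reports the matching log entries, not a single status row."""
    return [e for e in events if DETECTIONS[name](e)]

def filter_by(rows, getter, value):   # the "Filter by this value" icon
    return [r for r in rows if getter(r) == value]
def exclude(rows, getter, value):     # the "Exclude value from results" icon
    return [r for r in rows if getter(r) != value]

def triage_root_logins(events, now, trusted_actor, days=7):
    """Recent window, run the detection, then drop a known and trusted actor."""
    hits = run_detection("IAM Root User Console Login", in_window(events, days, now))
    return exclude(hits, lambda e: e["userIdentity"]["arn"], trusted_actor)
```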
See it in Action
Level up your log analysis
With Tailpipe for log collection and query, and Powerpipe for interactive visualization, you gain a powerful new way to monitor cloud infrastructure for signs of compromise. You can quickly filter massive log datasets, and connect individual actions to adversary tactics, in order to identify and investigate potential security incidents. Try one of the new detection mods and let us know how it goes!