AWS Macie
About
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
As organizations manage growing volumes of data, identifying and protecting their sensitive data at scale can become increasingly complex, expensive, and time-consuming. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data.
Product Details
Vendor URL: Amazon Macie - Amazon Web Services
Product Type: Data Security and Data Privacy Service
Product Tier: Tier I
Integration Method: Custom
Integration URL: AWS-Macie Integration Guide
Log Guide: Amazon EventBridge event schema for Amazon Macie findings
Parser Details
Log Format: JSON
Expected Normalization Rate: 75%
Data Label: AWS_MACIE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| vendor | metadata.vendor_name |
| product | metadata.product_name |
| version | metadata.product_version |
| description | metadata.description |
| product_event | metadata.product_event_type |
| Statically Defined | metadata.event_type |
| location | target.asset.location.country_or_region |
| src | principal.hostname |
| src | principal.ip |
| dst | target.hostname |
| dst | target.ip |
| dhost | target.hostname |
| dhost | target.ip |
| shost | principal.hostname |
| shost | principal.ip |
| summary | security_result.summary |
| suser | principal.user.userid |
| request | target.url |
| ALLOW/BLOCK | security_result.action |
| category | security_result.category_details |
| INFORMATIONAL/LOW/MEDIUM/HIGH | security_result.severity |
| observer | observer.hostname |
| observer | observer.ip |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | | GENERIC_EVENT | |
Log Sample
```json
{
  "version": "0",
  "id": "1e5ec90a-2fb8-b34e-531f",
  "detail-type": "Macie Alert",
  "source": "aws.macie",
  "account": "1234567890",
  "time": "2021-12-10T00:09:26Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:macie:us-west-2:1234567890:trigger/1234567890/alert/1234567890",
    "arn:aws:macie:us-west-2:1234567890:trigger/1234567890"
  ],
  "detail": {
    "notification-type": "ALERT_CREATED",
    "tags": ["Privilege Escalation", "Basic Alert"],
    "name": "Access Denied from Create Role",
    "severity": "INFO",
    "url": "https://website.com",
    "alert-arn": "arn:aws:macie:us-west-2:1234567890:trigger/1234567890/alert/1234567890",
    "risk-score": 0,
    "created-at": "2021-12-10T00:09:26.231051",
    "actor": "54973439:general-dev",
    "summary": {
      "Description": "User attempted to create a new role and received error code AccessDenied. This could be an indicator of a compromised account",
      "IP": {"10.10.10.77": 2},
      "Time Range": [{"count": 2, "start": "2021-12-09T23:10:10Z", "end": "2021-12-09T23:11:50Z"}],
      "Source ARN": "arn:aws:sts::1234567890:assumed-role/sandbox-general-dev",
      "Record Count": 1,
      "Location": {"us-east-1": 2},
      "Event Count": 2,
      "Events": {
        "CreatePolicy": {"count": 1, "ISP": {"ISPCOMPANY": 1}, "Error Code": {"AccessDenied": 1}},
        "CreateRole": {"count": 1, "ISP": {"ISPCOMPANY": 1}, "Error Code": {"AccessDenied": 1}}
      },
      "recipientAccountId": {"1234567890": 2}
    },
    "trigger": {
      "rule-arn": "arn:aws:macie:us-west-2:1234567890:trigger/1234567890",
      "alert-type": "basic",
      "created-at": "2021-12-06 16:31:23.427000+00:00",
      "description": "User attempted to create a new role and received error code AccessDenied. This could be an indicator of a compromised account",
      "risk": 0
    }
  }
}
```
Sample Parsing
metadata.event_timestamp = "2021-12-10T00:09:26Z"
metadata.event_type = "GENERIC_EVENT"
metadata.product_version = "0"
metadata.product_event_type = "Macie Alert"
metadata.description = "User attempted to create a new role and received error code AccessDenied. This could be an indicator of a compromised account"
metadata.ingested_timestamp = "2021-12-10T00:31:32.009239Z"
principal.user.userid = "54973439:general-dev"
principal.ip = "10.10.10.77"
principal.asset.ip = "10.10.10.77"
target.asset.location.country_or_region = "us-west-2"
observer.hostname = "aws.macie"
security_result.category_details = "Privilege Escalation"
security_result.category_details = "Basic Alert"
security_result.summary = "Access Denied from Create Role"
security_result.severity = "INFORMATIONAL"
security_result.url_back_to_product = "https://website.com"
security_result.rule_id = "1e5ec90a-2fb8-b34e-531f"
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon