Onboarding an AWS Account with CDR

What is CDR?

Cloud Detection and Response (CDR) is a near real-time, event-driven suite of detections which generate findings in Plerion. These detections can be integrated with Plerion Workflows for user-configurable alerting.

How do you enable it?

To enable CDR you must ensure that you are logged in to a tenant which has an AWS Account integration.

Once logged-in, use the left-hand-side menu and navigate to Tenant Settings > Integrations > AWS Cloud Detection and Response and click the + icon in the upper right-hand-side of the tile.

From the list of integrated AWS accounts, select one or more accounts you wish to connect Plerion CDR to and click Add Integration(s).

After the Add Integration(s) step completes successfully, you will see a set of steps that will guide you through setting up CDR using CloudFormation StackSets in the AWS console for the following scenarios:

  • Single account, multi-region
  • Multi-account, multi-region

Please see the Multi-Account, Multi-Region note below for more information.

Single Account, Multi-region Onboarding

Before creating the AWS CloudFormation StackSet following the instructions below, please ensure that the following roles have been created as per the AWS instructions linked here:

  • AWSCloudFormationStackSetAdministrationRole
  • AWSCloudFormationStackSetExecutionRole

Access StackSets in AWS Console

Sign in to the AWS Account you wish to deploy Cloud Detection and Response into using the AWS Console. Navigate to CloudFormation > StackSets and click Create. To learn more about CloudFormation StackSets, visit the AWS StackSets documentation page.

Please note that apart from the S3 URL and the Parameters provided by Plerion, the remaining StackSet settings can be chosen according to your preference. For the deployment region in the next steps, you can select any regions where you would like to deploy Cloud Detection and Response. For more details on each of these settings, please refer to the AWS Getting Started with StackSets guide.

Choose a Template

Permissions

  • For IAM admin role ARN, select IAM role name and then choose AWSCloudFormationStackSetAdministrationRole
  • For IAM execution role name, select AWSCloudFormationStackSetExecutionRole
  • For Prerequisite - Prepare template - Select Template is ready
  • For Specify template - Select Amazon S3 URL as the Template Source
  • Paste in the S3 URL provided

You will be shown a pre-signed URL, which you can copy and paste into the AWS console.

Specify StackSet details

  • Enter the StackSet Name provided and optionally the StackSet Description

Configure StackSet options

  • Optionally set Tags for the StackSet
  • For Execution configuration, either Inactive or Active works. Active is chosen here so that StackSets performs non-conflicting operations concurrently and queues conflicting operations.

Set deployment options

  • For Add stacks to stack set - Select Deploy new stacks
  • For Accounts - Select Deploy stacks in accounts and enter the Account ID for the currently selected account
  • For Specify regions, select each region you wish to deploy Cloud Detection and Response into
  • (Optional) For Deployment options,
    • Select Maximum concurrent accounts as 1
    • Select Failure tolerance - optional as 0
    • Region Concurrency as Parallel

Review

  • Review the configuration
  • Check the box - I acknowledge that AWS CloudFormation might create IAM resources.
  • Click Submit

Stacks will be created in the AWS regions selected.

Once the stacks have completed successfully, the created resources will begin to send events to Plerion for monitoring.

Multi-Account, Multi-Region

Currently, Plerion CDR does not support multi-account onboarding for integrations that include your AWS management account. Please contact support@plerion.com if you wish to onboard your AWS management account to Plerion CDR.

Choose a template

  • Navigate to CloudFormation - StackSets - Create StackSet
  • For Permissions select Service Managed Permissions
  • Prerequisite - Prepare Template select Template is ready
  • For Specify template - Template source select Amazon S3 URL and copy & paste the Amazon S3 URL provided
  • Click Next

Specify StackSet Details

  • Enter the StackSet name provided.
  • Optionally add a StackSet Description
  • Click Next

Configure StackSet options

  • Optionally Add Tags to StackSet resources
  • For Execution configuration, either Inactive or Active works. Active is chosen here so that StackSets performs non-conflicting operations concurrently and queues conflicting operations.
  • Click Next

Set deployment options

  • Select Deploy new stacks
  • For Deployment targets select Deploy to organizational units (OUs)
  • In the AWS OU ID field, enter an OU which contains all the accounts you wish to integrate. Note: this may require selecting multiple OUs or the Root OU.
  • For Account filter type - optional select Intersection
  • Copy and paste the Account numbers from the box provided
  • For Auto-deployment options set Automatic deployment to Deactivated
  • Specify regions that you would like to deploy CDR into
  • Optionally specify Deployment options
  • Select Next

Review

  • Finally, review the StackSet configuration, check the Capabilities acknowledgement, and click Submit
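The two console walkthroughs above (single-account with self-managed roles, and OU-based with service-managed permissions) expressed as boto3 CloudFormation requests. This is an added example, not Plerion's code: the StackSet name, template URL, parameters and account/OU ids are placeholders for the values Plerion provides, and deploy() is assumed to run with credentials in the target account.

```python
from typing import Optional


def stack_set_request(name: str, template_url: str, params: dict,
                      self_managed: bool, admin_role_arn: Optional[str] = None) -> dict:
    """create_stack_set kwargs; self-managed mirrors the single-account steps, service-managed the OU steps."""
    req = {
        "StackSetName": name,
        "TemplateURL": template_url,  # the pre-signed Amazon S3 URL shown by Plerion
        "Parameters": [{"ParameterKey": k, "ParameterValue": v} for k, v in params.items()],
        # equivalent of ticking "AWS CloudFormation might create IAM resources" in Review
        "Capabilities": ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"],
        # Execution configuration "Active": concurrent non-conflicting operations
        "ManagedExecution": {"Active": True},
    }
    if self_managed:
        req["PermissionModel"] = "SELF_MANAGED"
        req["AdministrationRoleARN"] = admin_role_arn  # AWSCloudFormationStackSetAdministrationRole
        req["ExecutionRoleName"] = "AWSCloudFormationStackSetExecutionRole"
    else:
        req["PermissionModel"] = "SERVICE_MANAGED"
        req["AutoDeployment"] = {"Enabled": False}  # "Automatic deployment: Deactivated"
    return req


def instances_request(name: str, regions: list, accounts: list,
                      ou_ids: Optional[list] = None) -> dict:
    """create_stack_instances kwargs: 1 account at a time, 0 failure tolerance, regions in parallel."""
    req = {
        "StackSetName": name,
        "Regions": regions,
        "OperationPreferences": {"RegionConcurrencyType": "PARALLEL",
                                 "FailureToleranceCount": 0, "MaxConcurrentCount": 1},
    }
    if ou_ids:
        # OU targets, narrowed by INTERSECTION with the account list Plerion provides
        req["DeploymentTargets"] = {"OrganizationalUnitIds": ou_ids, "Accounts": accounts,
                                    "AccountFilterType": "INTERSECTION"}
    else:
        req["Accounts"] = accounts  # single account: "Deploy stacks in accounts"
    return req


def deploy(stack_set: dict, instances: dict) -> str:
    """Submit both requests with the caller's AWS credentials; returns the operation id."""
    import boto3  # imported here so the request builders run without boto3 installed
    cfn = boto3.client("cloudformation")
    cfn.create_stack_set(**stack_set)
    return cfn.create_stack_instances(**instances)["OperationId"]
```

Build the requests with `stack_set_request(...)` and `instances_request(...)`, inspect them, then pass both to `deploy()` once they match what the Plerion integration page shows.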

How do you configure Workflows to use CDR?

CDR detections behave in the same way as other detections within Plerion. When a detection's rules are met, CDR generates a finding in the Findings Dashboard. This means that all CDR findings can have workflow actions configured for them. To configure a workflow action:

  • Use the left-hand-side navigation to go to: Tenant Settings > Workflows. From here you may decide to either create a new workflow or modify an existing one.
  • From the workflow form, complete the following:
    • Name
    • Description
    • Enabled
    • Condition > Add Finding Condition - as mentioned above, CDR generates a finding, therefore this option must be selected. Each of the CDR findings can be identified by its detection ID, which follows the format PLERION-CLOUDTRAIL-[detection number here]. Select one or more detections.
    • Actions - select the action you wish to perform when CDR generates a finding. By default, an Alert will be generated on the Plerion alerts dashboard.

What do you do if you get an Alert/Finding?

Findings and Alerts generated by CDR are not expired/removed from Plerion dashboards by default. Each of the findings must be suppressed manually by a user. To perform this action:

Navigate to the Findings Dashboard and in the Detection filter type PLERION-CLOUDTRAIL- and select all detections you wish to suppress.

Select each finding and on the contextual view window select Suppress. This action will dismiss the finding and any corresponding alerts.

If you wish to see previously suppressed findings, you may select the Suppressed filter and set the value to True.

List of detections

PLERION-CLOUDTRAIL-3 - Detect a successful login to the AWS Management Console by the Root user

PLERION-CLOUDTRAIL-5 - Detect a successful AWS console login

PLERION-CLOUDTRAIL-7 - Detect an AWS Config rule deletion

PLERION-CLOUDTRAIL-8 - Detect an AWS Config change to stop recording

PLERION-CLOUDTRAIL-9 - Detect the deletion of an AWS CloudTrail trail

PLERION-CLOUDTRAIL-10 - Detect suspending the recording of AWS API calls and log file delivery

PLERION-CLOUDTRAIL-12 - Detect an update to an AWS CloudTrail setting that specifies the delivery of log files

PLERION-CLOUDTRAIL-15 - Detect an unauthorized AWS API call

PLERION-CLOUDTRAIL-25 - Detect the deletion of an Amazon GuardDuty detector

PLERION-CLOUDTRAIL-32 - Detect the deletion of flow logs

PLERION-CLOUDTRAIL-33 - Detect the deletion of a Web Application Firewall v2 (WAFv2) access control list

PLERION-CLOUDTRAIL-34 - Detect the deletion of a Web Application Firewall v2 (WAFv2) rule or rule group

PLERION-CLOUDTRAIL-59 - Detect the deletion of a Web Application Firewall v1 (WAFv1) access control list

PLERION-CLOUDTRAIL-60 - Detect the deletion of a Web Application Firewall v1 (WAFv1) rule or rule group

PLERION-CLOUDTRAIL-61 - Detect the detaching of a WAF from CloudFront

PLERION-CLOUDTRAIL-62 - Detect the detaching of a WAF from API Gateway

PLERION-CLOUDTRAIL-63 - Detect the detaching of a WAF from ALB

PLERION-GUARDDUTY-1 - Amazon GuardDuty Finding Created

PLERION-MACIE-1 - Amazon Macie Finding Created

PLERION-ACCESSANALYZER-1 - AWS IAM Access Analyzer Finding Created

PLERION-CLOUDTRAIL-68 - Detect attempts to remove event selectors in CloudTrail

PLERION-CLOUDTRAIL-70 - Detect attempts to leave the AWS Organization

PLERION-CLOUDTRAIL-71 - Detect attempts to update user data of an EC2 instance

PLERION-CLOUDTRAIL-72 - Detect attempts to exfiltrate AMI by sharing it

PLERION-CLOUDTRAIL-73 - Detect attempts to exfiltrate EBS snapshot by sharing it

PLERION-CLOUDTRAIL-74 - Detect attempts to exfiltrate RDS snapshot by sharing it

PLERION-CLOUDTRAIL-75 - Detect attempts to change MFA settings for an IAM User

PLERION-CLOUDTRAIL-76 - Detect the creation of new IAM user access keys

PLERION-CLOUDTRAIL-77 - Detect attempts to disable Amazon Macie

PLERION-CLOUDTRAIL-78 - Detect attempts to delete IAM Access Analyzer

PLERION-CLOUDTRAIL-79 - Detect attempts to export an EC2 instance

PLERION-CLOUDTRAIL-80 - Detect attempts to export an RDS Aurora database snapshot

PLERION-CLOUDTRAIL-81 - Detect attempts to remove transfer lock from a Route 53 domain

PLERION-CLOUDTRAIL-82 - Detect attempts to transfer a Route 53 domain to another account

PLERION-CLOUDTRAIL-83 - Detect IAM password recovery requests
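As an added illustration of what an event-driven CloudTrail detection does (this is not Plerion's detection logic, which the page does not publish), the following matcher implements five of the IDs above and runs them over two constructed CloudTrail records; the account ID, ARNs and timestamps are made up. Treating failed API calls as non-matching for the "deletion"/"suspending" rules is an assumption of this example.

```python
import json


def _ok(e: dict, source: str, name: str) -> bool:
    """True for a successful call of `name` on `source` (failed calls carry an errorCode)."""
    return (e.get("eventSource") == source and e.get("eventName") == name
            and not e.get("errorCode"))


# Rules keyed by the page's detection IDs; each predicate inspects one CloudTrail record.
RULES = {
    "PLERION-CLOUDTRAIL-3": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and e.get("userIdentity", {}).get("type") == "Root"
        and e.get("responseElements", {}).get("ConsoleLogin") == "Success"),
    "PLERION-CLOUDTRAIL-9": lambda e: _ok(e, "cloudtrail.amazonaws.com", "DeleteTrail"),
    "PLERION-CLOUDTRAIL-10": lambda e: _ok(e, "cloudtrail.amazonaws.com", "StopLogging"),
    "PLERION-CLOUDTRAIL-15": lambda e: e.get("errorCode") in (
        "AccessDenied", "UnauthorizedOperation", "Client.UnauthorizedOperation"),
    "PLERION-CLOUDTRAIL-25": lambda e: _ok(e, "guardduty.amazonaws.com", "DeleteDetector"),
}


def evaluate(event: dict) -> list:
    """Return the IDs of every rule the record satisfies, in RULES order."""
    return [rid for rid, pred in RULES.items() if pred(event)]


def finding(event: dict, rule_id: str) -> dict:
    """Shape a finding the way the Workflows section keys on it: by detection ID."""
    return {"detection": rule_id, "account": event.get("recipientAccountId"),
            "region": event.get("awsRegion"), "time": event.get("eventTime"),
            "principal": event.get("userIdentity", {}).get("arn")}


SAMPLE_EVENTS = [json.loads(s) for s in (  # constructed records, not real accounts
    '{"eventTime":"2024-01-01T00:00:00Z","eventSource":"signin.amazonaws.com",'
    '"eventName":"ConsoleLogin","awsRegion":"us-east-1","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"Root","arn":"arn:aws:iam::111111111111:root"},'
    '"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventTime":"2024-01-01T00:05:00Z","eventSource":"cloudtrail.amazonaws.com",'
    '"eventName":"StopLogging","awsRegion":"us-east-1","recipientAccountId":"111111111111",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"},'
    '"errorCode":"AccessDenied"}',
)]
```

The first record fires only PLERION-CLOUDTRAIL-3; the second, a denied StopLogging, fires only PLERION-CLOUDTRAIL-15 and would fire PLERION-CLOUDTRAIL-10 instead if the call had succeeded.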

How do you disable CDR?

To remove CDR completely, follow these three steps:

Remove conditions from Workflow - If there are workflows created which run on the creation of a CDR finding, select them from the workflows list and select Delete to remove them.

Delete integration - navigate to Tenant Settings > Integrations and select the X active integration(s) option at the bottom of the tile. Select the CDR integration you wish to remove and in the upper right-hand corner of the integration page click the trash can icon to remove the integration.

Delete the CloudFormation stack - In the AWS Account you had connected to Plerion, navigate to CloudFormation and search for cdr. Locate the Plerion CDR CloudFormation stack in the list, click its radio button and click the Delete button at the top-right of the page.

CDR Data Lifecycle

The lifecycle of data generated by a CDR integration is automatically managed, ensuring only the most timely information is retained and stale data is removed. The following lifecycle rules are currently in effect:

  1. Findings: All findings generated by a CDR integration (PLERION-CLOUDTRAIL-X) are permanently deleted when the time since their First Observed date equals or exceeds 90 days.
  2. Event History: Events displayed in the Principal History contextual view tab of a CDR-generated finding are permanently deleted when the age of the event exceeds 90 Days.