The Cyber Security Library

Creating Lambda functions

Last updated 1 year ago

This lab does not aim to cover all aspects of Lambda functions, but you'll need to know the basics of configuring and testing a function. By navigating to the Functions section of the Lambda console and clicking on a function’s name, you can view details of the function and configure it.

The Lambda console includes an inline code editor – in this lab, you'll need to use this to change the provided malicious-IP-denier function.

Note: When changing a function, you must Deploy any changes for them to take effect, before you can Test them. Use the buttons at the top of the Code source window.

You should use the example event provided on the lab desktop as the test event’s JSON. You can then view the execution results, which should look like the following if your function is correct:

SNS topics and subscriptions

While SNS is not the primary focus of this lab, you'll need to know some SNS basics to complete the tasks. By navigating to the Topics section of the SNS console and clicking on a topic’s name, you can view details of the topic and create a subscription for it.

When creating a subscription, you need to choose the protocol. The protocol is the type of endpoint that notifications will be sent to (email, SMS, HTTP). You then need to provide the endpoint itself, such as a specific phone number or URL.

I will take you through how to integrate EventBridge with AWS services such as Lambda and SNS to automate and expedite the incident response process.

AWS GuardDuty takes up to five minutes to generate a finding and send an event to EventBridge once it detects malicious activity. In this lab, we've generated some realistic fake GuardDuty Finding events, so you don’t have to wait around. These events come from a metrolio.guardduty source, which is why you need to change the event pattern for the fourth activity. In reality, your EventBridge rule would use an event pattern like that required to complete the third activity.

The GuardDuty findings show an EC2 instance being connected to from IP addresses that you've flagged as malicious. Network ACLs can be applied to the subnet that an EC2 instance is in to block traffic from certain IP addresses, and the malicious-IP-denier Lambda function in this lab creates new ACL entries to deny each malicious IP address reported in the events that it receives.

You can view all network ACLs by navigating to the VPC console and then Network ACLs, under Security in the left-hand sidebar. Clicking on a network ACL's ID will show you the inbound rules for that network ACL.

Use the inline code editor to edit the malicious-IP-denier Lambda function so that it retrieves any malicious remote IP addresses from events it receives. The Lambda function then blocks the IP address using a network ACL.
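The following is an added example written for this page; it is not the lab's malicious-IP-denier code and not an AWS sample. It shows the whole chain the sections above describe: an EventBridge event pattern for GuardDuty findings (and the `metrolio.guardduty` variant the lab's canned events need), a handler that pulls the remote IP addresses out of a finding, adds an inbound DENY entry for each to the network ACL associated with the affected instance's subnet, and publishes a summary to an SNS topic. Assumptions not taken from the page: the event layout follows the GuardDuty finding format (`service.action.networkConnectionAction` / `portProbeAction` and `resource.instanceDetails.networkInterfaces`), the topic ARN comes from an `SNS_TOPIC_ARN` environment variable (a placeholder name), the `SAMPLE_EVENT`, subnet and ACL IDs are constructed, and the AWS clients are injectable so the logic can be exercised offline with the fake clients defined in the block.

```python
"""Added example (not the lab's malicious-IP-denier): GuardDuty finding ->
network ACL deny entries -> SNS summary. Assumed, not from the page: the
GuardDuty finding layout, the SNS_TOPIC_ARN variable name (placeholder),
and the constructed sample event and resource IDs below."""
import ipaddress
import json
import os

try:
    import boto3          # present in the Lambda runtime
except ImportError:       # lets the offline demo run without boto3 installed
    boto3 = None

# Pattern a rule would use for real findings; the lab's canned events come
# from the "metrolio.guardduty" source, so a rule for them needs LAB_PATTERN.
GUARDDUTY_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
LAB_PATTERN = {"source": ["metrolio.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Source ranges that cannot legitimately arrive from the internet; a deny
# entry for them would only consume one of the NACL's limited rule slots.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def pattern_matches(pattern, event):
    """Minimal EventBridge matching: every pattern key must be present and the
    event value must be one of the listed values; nested dict patterns recurse.
    Exact matching only (prefix/numeric/anything-but filters are not modelled)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def remote_ips_from_finding(detail):
    """Collect remote IPv4 addresses from the finding's action block. Handles the
    two action shapes that carry remoteIpDetails: one network connection, or a
    port probe with a list of probe details. Bad, internal or repeated IPs are skipped."""
    action = detail.get("service", {}).get("action", {})
    raw = [action.get("networkConnectionAction", {}).get("remoteIpDetails", {}).get("ipAddressV4")]
    raw += [p.get("remoteIpDetails", {}).get("ipAddressV4")
            for p in action.get("portProbeAction", {}).get("portProbeDetails", [])]
    ips = []
    for value in raw:
        try:
            ip = ipaddress.ip_address(value)
        except (ValueError, TypeError):
            continue
        if ip.version == 4 and not any(ip in net for net in SKIP_NETS) and str(ip) not in ips:
            ips.append(str(ip))
    return ips


def deny_entries(nacl_id, used_rule_numbers, ips, start=1):
    """Build create_network_acl_entry parameters. NACL rules are evaluated from the
    lowest number upward, so the denies take the lowest unused inbound numbers."""
    entries, n = [], start
    for ip in ips:
        while n in used_rule_numbers:
            n += 1
        entries.append({"NetworkAclId": nacl_id, "RuleNumber": n, "Protocol": "-1",
                        "RuleAction": "deny", "Egress": False, "CidrBlock": f"{ip}/32"})
        n += 1
    return entries


def lambda_handler(event, context=None, ec2=None, sns=None, topic_arn=None):
    """Lambda entry point; ec2/sns default to real boto3 clients when not injected."""
    ec2 = ec2 or boto3.client("ec2")
    sns = sns or boto3.client("sns")
    detail = event.get("detail", {})
    ips = remote_ips_from_finding(detail)
    nics = detail.get("resource", {}).get("instanceDetails", {}).get("networkInterfaces", [])
    if not ips or not nics:
        return {"blocked": [], "rules": []}
    # The NACL that applies is the one associated with the instance's subnet.
    acl = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [nics[0]["subnetId"]]}])["NetworkAcls"][0]
    used = {e["RuleNumber"] for e in acl["Entries"] if not e["Egress"]}
    entries = deny_entries(acl["NetworkAclId"], used, ips)
    for params in entries:
        ec2.create_network_acl_entry(**params)
    topic = topic_arn or os.environ.get("SNS_TOPIC_ARN")   # placeholder variable name
    if topic:
        sns.publish(TopicArn=topic, Subject="GuardDuty finding: IPs denied",
                    Message=json.dumps({"networkAcl": acl["NetworkAclId"], "blocked": ips}))
    return {"blocked": ips, "rules": [e["RuleNumber"] for e in entries]}


class FakeEc2:
    """Offline stand-in for the boto3 EC2 client: one NACL whose inbound and
    outbound rule lists hold only the allow-all rule 100 and catch-all 32767."""
    def __init__(self):
        self.created = []
    def describe_network_acls(self, Filters):
        entries = [{"RuleNumber": r, "Egress": e} for r in (100, 32767) for e in (False, True)]
        return {"NetworkAcls": [{"NetworkAclId": "acl-0fake", "Entries": entries}]}
    def create_network_acl_entry(self, **params):
        self.created.append(params)


class FakeSns:
    """Offline stand-in for the boto3 SNS client; records publish() calls."""
    def __init__(self):
        self.published = []
    def publish(self, **params):
        self.published.append(params)


# Constructed finding carrying only the fields the handler reads (documentation-range IPs).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "resource": {"instanceDetails": {"networkInterfaces": [{"subnetId": "subnet-0fake"}]}},
        "service": {"action": {"portProbeAction": {"portProbeDetails": [
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}},
            {"remoteIpDetails": {"ipAddressV4": "203.0.113.9"}},
            {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}},
            {"remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}]}}}}}

if __name__ == "__main__":
    ec2, sns = FakeEc2(), FakeSns()
    print(lambda_handler(SAMPLE_EVENT, ec2=ec2, sns=sns))
```

Running the module offline exercises the handler against the fake clients and reports two denied addresses on rules 1 and 2; in the lab you would paste only the handler and its helpers into the inline editor, Deploy, and then Test with the desktop's example event. Two caveats worth checking before relying on this in an account: the function's execution role needs `ec2:DescribeNetworkAcls`, `ec2:CreateNetworkAclEntry` and `sns:Publish`, and a network ACL has a small default quota of rules (20 per direction), so an automation that adds one `/32` deny per finding will exhaust it quickly unless old entries are expired or the quota is raised.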

TBC