The Cyber Security Library
EventBridge


Last updated 1 year ago

What is EventBridge?

EventBridge is a serverless event bus service that receives events from sources such as AWS services or third-party applications. The event bus evaluates the data against sets of rules and then, provided that the data matches a rule, forwards it in real time to other AWS services, event buses, HTTP endpoints, or SaaS applications.

This primarily enables the construction of event-driven applications, but more importantly, from a security perspective, it enhances monitoring and auditing capabilities and allows for automated incident response.

How does it work?

Changes are constantly occurring in your AWS environment, whether user-driven or part of natural lifecycles. A user may upload an object to an S3 bucket, or an auto-scaling group may launch an EC2 instance.

These changes generate events, and most AWS services send these events to your default event bus in EventBridge. Events can also be sent from external applications and event buses in other AWS regions or accounts. Wherever they come from, all events are sent through an event bus.

Each event bus is simply a separate pipeline that receives events. The bus evaluates each event against an associated set of rules, where a rule might say “match any event logging an API call with the s3:CreateBucket operation”. If the event matches a rule, the bus forwards the event data to targets.

A default event bus is automatically enabled in each region, and AWS services send default events to the bus at no extra cost. Rules and delivery are also free. Even with additional functionality enabled, EventBridge is still cheap; it costs $1 USD for every million custom events published to your bus or sent to another bus. You can find more information on the EventBridge pricing page.

The diagram below highlights the process:

  1. An AWS service, an AWS partner, or an event bus in another account or region sends an event to a bus.

  2. The bus compares the event against sets of rules.

  3. If the event matches a rule, the event data is forwarded to targets such as another AWS service or an API endpoint.
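To make the three steps above concrete, here is an added example (not code from the original page or from AWS) that re-implements the rule-evaluation step a bus performs: every key in a rule's event pattern must be present in the event, a list of values matches if any one of them matches, nested objects recurse, and `prefix` / `exists` / `anything-but` filter objects behave as in the documented EventBridge pattern language. The rule names, the target labels standing in for ARNs, the account id and the sample events are constructed for the demo; the first rule is the `s3:CreateBucket` match used as the example earlier on this page.

```python
"""Added example: minimal re-implementation of EventBridge rule evaluation so the
routing described above can be run on sample events. Rules, targets, ids and
events are constructed for this demo and are not real AWS resources."""
from typing import Any, Dict, List


def _value_matches(pattern_values: List[Any], event_value: Any) -> bool:
    """True if the event value equals any listed scalar or satisfies any filter object.
    An event value that is itself a list matches if any of its elements does."""
    candidates = event_value if isinstance(event_value, list) else [event_value]
    for filt in pattern_values:
        for cand in candidates:
            if isinstance(filt, dict):
                if "prefix" in filt and isinstance(cand, str) and cand.startswith(filt["prefix"]):
                    return True
                if filt.get("exists") is True:
                    return True
                if "anything-but" in filt:
                    excluded = filt["anything-but"]
                    excluded = excluded if isinstance(excluded, list) else [excluded]
                    if cand not in excluded:
                        return True
            elif filt == cand:
                return True
    return False


def pattern_matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate an EventBridge-style event pattern against one event.
    Keys present in the event but absent from the pattern are ignored."""
    for key, expected in pattern.items():
        if key not in event:
            # A missing key can only satisfy an explicit {"exists": false} filter.
            if isinstance(expected, list) and any(
                isinstance(f, dict) and f.get("exists") is False for f in expected
            ):
                continue
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not _value_matches(expected, actual):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or a nested object")
    return True


# Constructed rules for a hypothetical default bus; target strings stand in for ARNs.
RULES: Dict[str, Dict[str, Any]] = {
    "s3-bucket-created": {  # the "match any s3:CreateBucket API call" rule from the text
        "pattern": {
            "source": ["aws.s3"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": ["s3.amazonaws.com"], "eventName": ["CreateBucket"]},
        },
        "targets": ["lambda:tag-new-bucket", "sns:security-alerts"],
    },
    "iam-write-calls": {  # prefix filters: any Create*/Delete*/Attach* IAM call
        "pattern": {
            "source": ["aws.iam"],
            "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventName": [{"prefix": "Create"}, {"prefix": "Delete"}, {"prefix": "Attach"}]},
        },
        "targets": ["sns:security-alerts"],
    },
    "ec2-terminated": {
        "pattern": {
            "source": ["aws.ec2"],
            "detail-type": ["EC2 Instance State-change Notification"],
            "detail": {"state": ["terminated"]},
        },
        "targets": ["sns:ops-alerts"],
    },
}


def route_event(event: Dict[str, Any], rules: Dict[str, Dict[str, Any]] = RULES) -> List[str]:
    """Return the targets that would receive this event, in rule order.
    Every matching rule forwards the event; an event matching no rule gets no targets."""
    targets: List[str] = []
    for rule in rules.values():
        if pattern_matches(rule["pattern"], event):
            targets.extend(rule["targets"])
    return targets


def cloudtrail_event(source: str, event_source: str, event_name: str, **request_params: Any) -> Dict[str, Any]:
    """Build a constructed 'AWS API Call via CloudTrail' event in the shape EventBridge delivers."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
        "detail-type": "AWS API Call via CloudTrail",
        "source": source,
        "account": "123456789012",  # placeholder account id
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "requestParameters": request_params,
        },
    }


if __name__ == "__main__":
    samples = {
        "create bucket": cloudtrail_event("aws.s3", "s3.amazonaws.com", "CreateBucket", bucketName="demo-bucket"),
        "list buckets": cloudtrail_event("aws.s3", "s3.amazonaws.com", "ListBuckets"),
        "create user": cloudtrail_event("aws.iam", "iam.amazonaws.com", "CreateUser", userName="bob"),
        "instance stop": {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
                          "detail": {"state": "stopped", "instance-id": "i-0123456789abcdef0"}},
    }
    for label, ev in samples.items():
        print(f"{label:15s} -> {route_event(ev)}")
```

Running the block shows the `CreateBucket` call fanning out to both targets of the first rule, `ListBuckets` and the stopped-instance notification matching nothing, and `CreateUser` caught only by the prefix rule. The `{"exists": false}` case is worth keeping in mind when writing real rules: a pattern such as `"errorCode": [{"exists": false}]` is how you restrict a rule to API calls that actually succeeded.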

Features of EventBridge

  • Availability – the underlying infrastructure for EventBridge buses is handled by AWS. By default, it’s scalable, highly available, and fault-tolerant, meaning monitoring tools can rely on it.

  • Event archive – the event archive stores event data for replay at a later date. This can be useful when debugging issues and auditing.

  • Event forwarding – the option to forward events to other buses allows for centralized monitoring, while the ability to stream data through to other AWS services like Lambda or SNS enables automated responses to operational changes in your AWS environment.

  • Compliance – EventBridge adheres to the GDPR, ISO, and DoD standards, along with many others, so it can be integrated into your systems while remaining compliant.

Benefits of EventBridge

EventBridge enables monitoring of API calls and operational changes to your AWS estate. Some of the core benefits include:

  • Monitoring – it’s important to maintain insight into changes in your resources, identify failures, and detect malicious activity. By streaming data on operational changes in your AWS estate, EventBridge boosts monitoring capabilities.

  • Centralization – further to the above, EventBridge offers centralization of monitoring across regions and accounts, with the option to forward events to a central bus. HTTP endpoint support means events can also be forwarded to external SIEM tools for alerting.

  • Privacy and encryption – EventBridge supports VPC endpoints, and data is encrypted in transit with TLS 1.2, meaning that sensitive event data can be forwarded securely across AWS.

  • Auditing – event buses can be monitored by CloudWatch metrics, which can report on how often an event matches a rule. This enables auditing across longer time frames to identify patterns of behavior.

  • Incident response – real-time streaming of events to other AWS services can expedite the incident response process. For example, events forwarded to SNS could notify an operator of unexpected behavior, or a Lambda function could be triggered to automatically remediate an issue.
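The incident-response benefit above describes a Lambda function being triggered by a forwarded event. The following added example (not code from the original page or from AWS) shows what such a target looks like on the receiving side: EventBridge invokes the handler with the matched event as its first argument, and the handler triages a CloudTrail API-call event into an alert payload shaped for an SNS notification to an operator. The `publish` hook, the severity rules, the `SENSITIVE_CALLS` list and the sample event are constructed for this demo; the hook is a hypothetical stand-in for an SNS publish so the code runs offline.

```python
"""Added example: a Lambda-style EventBridge target that triages a CloudTrail
API-call event. The publish hook, severity rules and sample event are
constructed for this demo and are not part of any AWS SDK."""
import json
from typing import Any, Callable, Dict, Optional

# Constructed list of management calls that change who can do what, or that
# reduce visibility; a real deployment would tune this to its own estate.
SENSITIVE_CALLS = {"CreateUser", "AttachUserPolicy", "PutBucketPolicy", "StopLogging", "DeleteTrail"}


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Derive an alert from an 'AWS API Call via CloudTrail' event.
    Missing fields degrade the alert rather than crash the function, because a
    target that throws on malformed input is itself a monitoring gap."""
    detail = event.get("detail") or {}
    identity = detail.get("userIdentity") or {}
    actor = identity.get("arn") or identity.get("userName") or identity.get("type") or "unknown"
    call = f"{detail.get('eventSource', '?')}:{detail.get('eventName', '?')}"
    error = detail.get("errorCode")

    if identity.get("type") == "Root":
        severity, reason = "high", "API call made with the root identity"
    elif detail.get("eventName") in SENSITIVE_CALLS:
        severity, reason = "high", "sensitive control-plane change"
    elif error:
        severity, reason = "medium", f"call failed with {error}"
    elif not detail:
        severity, reason = "low", "event carried no detail block"
    else:
        severity, reason = "low", "informational"

    return {
        "severity": severity,
        "reason": reason,
        "actor": actor,
        "call": call,
        "source_ip": detail.get("sourceIPAddress", "unknown"),
        "region": event.get("region", "unknown"),
        "event_id": event.get("id", "unknown"),
        "time": event.get("time", "unknown"),
    }


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   publish: Optional[Callable[[str, str], None]] = None) -> Dict[str, Any]:
    """Entry point in the shape Lambda calls. `publish(subject, message)` is a
    hypothetical hook standing in for an SNS publish; only medium and high alerts
    are sent so the operator is not paged for routine activity."""
    alert = triage(event)
    subject = f"[{alert['severity'].upper()}] {alert['call']} by {alert['actor']}"
    if publish is not None and alert["severity"] != "low":
        publish(subject, json.dumps(alert, indent=2))
    return alert


SAMPLE_EVENT: Dict[str, Any] = {  # constructed event; ids, account and IP are placeholders
    "version": "0", "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS API Call via CloudTrail", "source": "aws.cloudtrail",
    "account": "123456789012", "time": "2024-01-01T12:00:00Z", "region": "us-east-1",
    "resources": [],
    "detail": {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    },
}

if __name__ == "__main__":
    sent = []
    lambda_handler(SAMPLE_EVENT, publish=lambda subject, message: sent.append((subject, message)))
    for subject, message in sent:
        print(subject)
        print(message)
```

The sample event is a `StopLogging` call against a trail, which is exactly the kind of change a monitoring pipeline should raise loudly, since it removes the source of the events the pipeline depends on. Keeping the triage logic in a pure function (`triage`) separate from the side effect (`publish`) is what makes the handler testable without an AWS account.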

Many of EventBridge’s core features focus on building event-driven applications from a development and operational perspective; however, there are some core security features that are also worth considering:
