ctsummarize: Create Multiple Output Files From CloudTrail Activity for Analysis
#!/bin/bash | |
# Space-separated list of external tools the script shells out to; each one
# is checked for in PATH before any work starts.
REQUIREDUTILS='jq zcat mktemp sort uniq rm'
# Run program and test exit status to ensure success | |
#######################################
# Run the given command and report a non-zero exit status on stderr.
# Arguments: $@ - command and its arguments
# Outputs:   "error running command" on stderr when the command fails
# Returns:   the command's own exit status, unchanged
#######################################
runtst() {
  local rc
  "$@"
  rc=$?
  (( rc == 0 )) || echo "error running command" >&2
  return "$rc"
}
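#######################################
# Test whether a command is available as an executable in PATH.
# Arguments: $1 - command name (aliases and shell functions are ignored,
#                 matching the original `type -P` lookup)
# Returns:   0 when found, 1 otherwise (including an empty name)
# The name is quoted and the lookup result is discarded instead of being
# word-split into `[ ]`, so a PATH entry containing spaces no longer makes
# the test fail with "too many arguments".
#######################################
cmdexists() {
  [[ -n "$1" ]] || return 1
  type -P "$1" >/dev/null 2>&1
}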
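# Main
#
# Usage: ctsummarize <ipaddress> <cloudtrail log file(s).gz>
# Filters the given gzipped CloudTrail logs down to the records whose
# sourceIPAddress equals <ipaddress> and writes, in the current directory:
#   eventsummary.txt / eventsummary.csv  one line per event, time-sorted
#   useragent.txt                         user agent counts
#   accesskeys.txt                        access key id counts
#   writeevents.json                      events with readOnly == false
echo "ctsummarize: create multiple output files from CloudTrail activity for analysis"

# Abort before doing any work if a required tool is missing.
# REQUIREDUTILS is deliberately unquoted: it is a space-separated list.
for util in $REQUIREDUTILS; do
  if ! cmdexists "$util"; then
    echo "The utility $util is not available. Please install before using this script." >&2
    exit 1
  fi
done

# Check command line arguments: one IP address plus at least one log file.
# Usage errors go to stderr and exit non-zero so callers can detect them.
if [ "$#" -lt 2 ]; then
  echo "Usage: $0 [ipaddress] <cloudtrail log files>" >&2
  exit 1
fi
ATTACKERIP=$1
shift
echo "Creating analysis extracts using attacker IP $ATTACKERIP from CloudTrail files."

JSONMERGE="$(mktemp)" || { echo "mktemp failed" >&2; exit 1; }
# Remove the merged temp file on every exit path, including early failures.
trap 'rm -f -- "$JSONMERGE"' EXIT

# Decompress and merge JSON files for attacker IP.
# The IP is handed to jq via --arg instead of being interpolated into the
# filter text, so a value containing quotes or jq syntax is compared as data
# rather than changing the program. runtst covers zcat only; the pipeline's
# overall status is jq's.
runtst zcat "$@" | jq --arg ip "$ATTACKERIP" '.Records[] | select(.sourceIPAddress==$ip)' >"$JSONMERGE"

# With the attacker activity in $JSONMERGE, run several queries to obtain useful
# extract information in different formats. sort restores date/time order,
# which CloudTrail logs do not guarantee.
## Event Summary
### Limit user agent to the first 20 characters to keep the output legible
echo "EventTime UserName AccessKeyId EventName \"UserAgent\" \"ErrorMessage\"" >eventsummary.txt
runtst jq -jr '.eventTime, " ", .userIdentity.userName, " ", .userIdentity.accessKeyId, " ", .eventName, " \"", .userAgent[0:20], "\" \"", .errorMessage, "\"\n"' "$JSONMERGE" | sort >>eventsummary.txt
### The CSV header names all six columns the row filter emits (UserAgent was missing).
echo "EventTime,UserName,AccessKeyId,EventName,UserAgent,ErrorMessage" >eventsummary.csv
runtst jq -r '[ .eventTime, .userIdentity.userName, .userIdentity.accessKeyId, .eventName, .userAgent[0:24], .errorMessage ] | @csv' "$JSONMERGE" | sort >>eventsummary.csv
## User Agent
runtst jq -r '.userAgent' "$JSONMERGE" | sort | uniq -c >useragent.txt
## Access Keys Used
runtst jq -r '.userIdentity.accessKeyId' "$JSONMERGE" | sort | uniq -c >accesskeys.txt
### Write events (readOnly==false)
runtst jq -r 'select(.readOnly==false)' "$JSONMERGE" >writeevents.json
# $JSONMERGE is removed by the EXIT trap above.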