Overview

The Evident Security Platform (ESP) enables organizations of all sizes to proactively manage cloud security risk — minimizing attack surface and improving overall security posture, all from a single dashboard.

Signature Definition

A signature is an automated validation of best security practices against the resources on your AWS account. Multiple alerts may be generated from a single signature if the validation fails across multiple resources.

Custom Signature Definition

A custom signature is an automated validation against a defined non-standard best practice. An alert is generated when this validation fails or the signature judges that there is a potential security risk. A custom signature is used when the default best practice checks are insufficient for a specific need. For example, if you wanted to ensure that each of your EC2 instances was tagged with information for your accounting department, you could write a custom signature to do this. For information on creating a custom signature, read our custom signature wiki.

Alert Definition

An alert is a potential risk identified by either a signature or a custom signature and collected in a report. ESP continually scans all of your assigned AWS business resources and collects all alerts into an easy-to-read aggregated report. This allows you and your security team to review all available information about your assets and to make an informed decision about the necessary steps to remediate them as needed.

Alert Status

ESP prioritizes every alert generated with a status to quickly convey information about it:

Alert Severity

Every alert generated is placed into a severity level category designed to help you prioritize resources to address identified risks.

Each alert is tagged with a specific severity status indicating:

Requirements

Browser Support

Evident Security Platform supports the following browsers:

We support the latest version of Google Chrome (which automatically updates whenever it detects that a new version of the browser is available). We support the current and previous major releases of Firefox®, Safari®, and Microsoft® Edge™ on a rolling basis. Each time a new version is released, we begin supporting that version and stop supporting the third most recent version.

Security and Compliance

For questions about Evident.io's security and compliance, please send your VRA to security@evident.io.

Updates

July 11, 2018

The following updates are scheduled to take effect on the Evident service on 7/11/2018:

Enhancements

Bugs


May 30, 2018

The following updates will take effect in the Evident Management Console on 5/30/2018:

Enhancements

Bug Fixes


May 23, 2018

The following updates will take effect in the Evident Management Console on 5/23/2018:

Enhancements

Reference links to customizing signatures:

Onboarding AWS

To onboard with the Evident Security Platform service, complete the following steps.

Step 1: Create an Account with Evident Security Platform

  1. Go to the Evident Security Platform (https://esp.evident.io).
  2. Click Sign up.

  3. Enter the appropriate information into the appropriate fields.
  4. Click Sign Up.

Step 2: Create Role and Cross-Account Access (AWS Identity / ARN):

To sync your accounts:

  1. Log into your Amazon Management Console (https://console.aws.amazon.com/).

    Instructions for ESP GOV Users

    AWS GovCloud's URL is https://console.amazonaws-us-gov.com

  2. On the AWS Services page, select the IAM service.
  3. Select Roles on the left menu.
  4. Click Create New Role.
  5. Select the radio button Role for Cross-Account Access.
  6. Select Allows IAM users from a 3rd party AWS account to access this account.
  7. Enter the Account ID of the ESP service. ESP provides this number.
  8. Enter the External ID that ESP displays into the External ID field of the AWS dialog box. ESP generates this value just for you, and AWS will only let ESP assume the role when the same value is presented; this is what protects the role from the confused-deputy problem. Refreshing the ESP page generates a new External ID, so make sure the value you save in AWS is the one ESP currently shows.
  9. Verify that Require MFA is not enabled. ESP assumes the role programmatically and cannot satisfy an MFA condition. Click Next Step.
  10. Select the SecurityAudit policy from Amazon's pre-configured policies. SecurityAudit is a read-only policy; ESP does not need write access to your account. Click Next Step.
  11. ESP recommends that you name the role Evident-Service-Role. Click Create Role.
  12. Click the Role. Copy the Role ARN string.
  13. Return to ESP and paste the Role ARN into the ARN field.
  14. Enter the appropriate information into the remaining fields.
  15. Click Submit.
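The trust policy that steps 5 to 11 produce can be checked before you paste the role ARN into ESP. The following script is an added example, not Evident's code: it verifies that the role trusts only the ESP account, requires the External ID, does not require MFA, and carries only the SecurityAudit policy. The ESP account ID and External ID in it are placeholders you replace with the values ESP shows you, and the two sample documents are constructed; fetch the real ones with aws iam get-role --role-name Evident-Service-Role and aws iam list-attached-role-policies --role-name Evident-Service-Role.

```python
"""Added example (not Evident's code): check an IAM role's trust policy and
attached policies against Step 2 above before handing the role ARN to ESP.
ESP_ACCOUNT_ID and EXTERNAL_ID are placeholders; use the values ESP shows you."""
import json

ESP_ACCOUNT_ID = "111111111111"      # placeholder for the account ID ESP provides
EXTERNAL_ID = "esp-1234-example"     # placeholder for the External ID ESP generates
SECURITY_AUDIT = "arn:aws:iam::aws:policy/SecurityAudit"


def _as_list(value):
    """IAM documents allow a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, esp_account_id=ESP_ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Return the list of problems with a role trust policy (empty list = OK).

    Steps 5-9 above require: trust only the ESP account, an sts:ExternalId
    condition equal to the value ESP displayed (the confused-deputy protection),
    and no MFA requirement (ESP assumes the role programmatically).
    """
    problems = []
    accepted = {esp_account_id, f"arn:aws:iam::{esp_account_id}:root"}
    statements = [s for s in _as_list(doc.get("Statement"))
                  if s.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not statements:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in statements:
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            problems.append("trust policy allows any AWS principal (*)")
        elif not aws or not set(aws) <= accepted:
            problems.append(f"principal {aws} is not the ESP account {esp_account_id}")
        condition = stmt.get("Condition", {})
        ext = condition.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("missing sts:ExternalId condition")
        elif ext != external_id:
            problems.append(f"sts:ExternalId is {ext!r}, ESP expects {external_id!r}")
        if "aws:MultiFactorAuthPresent" in json.dumps(condition):
            problems.append("trust policy requires MFA; ESP cannot satisfy it")
    return problems


def check_attached_policies(policy_arns):
    """Step 10: only the read-only SecurityAudit managed policy should be attached."""
    arns = set(policy_arns)
    problems = []
    if SECURITY_AUDIT not in arns:
        problems.append("SecurityAudit is not attached")
    extra = sorted(arns - {SECURITY_AUDIT})
    if extra:
        problems.append(f"unexpected extra policies: {extra}")
    return problems


# Constructed sample documents in the shape the IAM console produces.
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ESP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Same role with the External ID dropped and MFA required: both break ESP.
BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ESP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

if __name__ == "__main__":
    print("good trust policy:", check_trust_policy(GOOD_TRUST) or "OK")
    print("bad trust policy: ", check_trust_policy(BAD_TRUST))
    print("attached policies:", check_attached_policies([SECURITY_AUDIT]) or "OK")
```

The External ID check is the important one: without it, anyone who learns the ESP account ID could ask ESP to act against your account, and with a wildcard principal anyone at all could assume the role.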

Step 3: Connect Your AWS Account to ESP

  1. Enter the Amazon Resource Name (ARN) of the role you created in Step 2 into the appropriate field.
  2. Enter the External ID into the appropriate field.
  3. Enter a name for this resource into the appropriate field.
  4. Click Submit to continue. You will receive a notification that ESP is building your account and populating it with data.


Azure Onboarding Documentation Suite

Evident.io is pleased to invite you to our new Azure program for ESP - Azure edition.

The Evident Security Platform uses the Azure Activity Log export feature to provide a real-time, event-driven system. ESP scans Azure resources based on current activity to provide accurate and timely alerts.

Here are a couple of notes about the examples and terms you’ll find in this document:

Azure Onboarding Documents

To set up and connect an Azure Function to the Evident Security Platform, you’ll need to complete the following documents in order:

  1. Defining your Azure Service Principal and Setting Up Your Active Directory
  2. Onboarding Your Azure Service to ESP: External Account Setup
  3. Export Activity Logs to a Storage Account via Azure Portal UI
  4. Storage Account Function trigger via Azure Portal UI
  5. Onboarding Your Azure Function

Onboarding Azure Service Principal

A service principal object defines the policy and permissions for an application's use in a specific tenant, providing the basis for a security principal to represent the application at run-time.

This walkthrough will help you define the policy and permissions required to connect your resources to the Evident Security Platform.

To complete this process, Azure setup requires administrator privileges. Please log into your Azure portal as an administrator to perform setup.

The following roles will be granted to Service Principal by this process:

  1. Reader - Read access to all resources
  2. Storage Account Key Operator Service Role - Permits listing and regenerating storage account access keys
  3. AAD permissions - as described in Step 5

For more information, see Microsoft: Azure: Role-based Access.

This walkthrough was inspired by the Azure Resource manager example.

Note: All references in this document to “app” refers to the resource Service Principal Application.

For more information about Azure service principals, see the following documentation:

  1. Microsoft: Integrating applications with Azure Active Directory
  2. Microsoft: Application and service principal objects in Azure Active Directory (Azure AD)

Evident Security Platform requires four values that identify the service principal in your Azure account. This walkthrough helps you locate and define the following: the Subscription ID, the Tenant ID, the Application (Client) ID, and the application key.

Step One: Locate Subscription ID

  1. Navigate to the Subscriptions blade via the Search filter.
  2. Find the exact subscription you wish to monitor with ESP and then look in the second column to locate the service’s Subscription ID. Save this information to a text editor in a secure location for later use when onboarding Azure for ESP.

Step Two: Locate Tenant ID

  1. Navigate to the Azure Active Directory blade via the Search filter.
  2. Click Properties. The Directory ID value listed at the bottom is your Tenant ID.

Step Three: App Registration

  1. Navigate to the Azure Active Directory blade.
  2. Click App Registrations.
  3. Select New Application Registration.
    1. Enter a descriptive name.
    2. Keep Application Type as “Web app/API”.
    3. Sign-on URL can be any valid URL (such as http://evident.io or http://localhost).
    4. Click Create to build the app.
    5. In the App Registrations blade, select the app you just created. The value for the Application ID will be listed as your Client ID on this screen.

Step Four: Create App Key and Retain Value

  1. Navigate to the Azure Active Directory blade.
  2. Click App registrations.
  3. Select the App you created in Step Three.
  4. Click Settings
  5. Click Keys.
  6. In the Keys blade, perform the following tasks:
    1. Enter ‘sdk’ as Key Description.
    2. Select the Never expires option for Duration. (ESP stores this key as a long-lived credential. If your policy requires key rotation, choose a shorter duration and plan to update the key in ESP before it expires.)
    3. Click Save.

Note: This Key will be generated and shown to you only once. Copy down this key value to a text editor, such as Notepad, and save it in a secure location.

Step Five: Add Active Directory Permissions to your Azure Account

  1. Navigate to Azure Active Directory in the left navigation.
  2. Select App registrations.
  3. Select the App registered during Step Three.
  4. Click Required Permissions.
  5. Click Add.
  6. Click Select An API.
  7. Click Microsoft Graph.
  8. Enable (check) Read all users' full profiles under Delegated Permissions.
  9. Click Select.
  10. Click Done.
  11. Click Add.
  12. Select an API.
  13. Click Windows Azure Active Directory.
  14. Enable (check) Read all users' full profiles under Delegated Permissions.
  15. Click Select.
  16. Click Done.
  17. Click Grant Permissions.
  18. Select yes for the dialog box. Make sure your SP permissions now look like this:

Step Six: Access Control (IAM) setup for new app

  1. Navigate to the Subscriptions blade.
  2. Select the subscription you wish to monitor.
  3. Click Access Control (IAM).
  4. Click the Add button on the top to add a New Role.
  5. In the right pane, select the Reader role and the app that you registered in Step Three. We recommend that you use the Search field, because the Add Permissions blade displays only 2-5 members by default, depending on your screen resolution and browser window size.
  6. Click Save.
  7. Click the Add button on the top to add a New Role.
  8. In the right pane, select the Storage Account Key Operator Service Role and the app that you registered in Step Three.
  9. Click Save.

Onboarding Your Azure Service to ESP: External Account Setup

Introduction

This walkthrough is designed to help you onboard your Azure Service onto the Evident Security Platform via setting up an External Account.

Step One: Setup an External Account.

  1. Log into Evident Security Platform.
  2. Go to Control Panel > External Account > New
  3. Click Azure.
  4. Click the play button to progress through the Azure Setup Wizard until you reach the Connect Your Azure Account wizard.
  5. Enter the Service Principal values you defined in Defining your Azure Service Principal and Setting Up Your Active Directory. Enter an Account Name and select a Team.
  6. Click Create ESP External Account.
  7. Click Show Function. Copy and save this code for your Azure Function template. (This code will only be shown once.) Treat it as a secret: it embeds the URL and token the Function uses to authenticate to ESP. You will use this code during the setup process in Storage Account Function trigger via Azure Portal UI.

Export Activity Logs to a Storage Account via Azure Portal UI

Introduction

An activity log is bound at the subscription level and it can have one and only one default log profile. The walkthrough in this section will help you create a storage account to hold activity generated by the subscription, and explains how to export the Activity Log to that storage account.

Step One: Create the Storage Account

  1. Navigate to the Storage Account blade.
  2. Click Add and then fill out the form for new storage account.
    1. Account Kind is General Purpose.
    2. Deployment model is Resource manager.
    3. Performance is Standard.
    4. Replication is Read-access geo-redundant storage (RA-GRS).
    5. Secure Transfer Required is Enabled.
  3. Click Create to deploy the storage account.
  4. Record the name of the storage account. You will need it when you set up your Azure Function in Onboarding Your Azure Function.
  5. Navigate to the storage account you just created, and select Access Keys.
  6. Copy the Key1 Connection String into a text editor, such as Notepad, as you will use it later. The connection string grants full access to the storage account, so store it as you would a password; it belongs in an application setting of the Function App, not in the function code.

Step Two: Export the Activity log to the Storage account

  1. Navigate to the Activity Log blade.
  2. Click Export in top sub nav and select the subscription you are exporting logs for.
  3. Select all Regions, click the export to a storage account option, and click Select a Storage Account.
  4. Select the storage account you created above and then click OK.
  5. Set Retention (days) as 2 and then Click Save in the top nav of this blade to finish the log export deployment.

Storage Account Function trigger via Azure Portal UI

Introduction

Azure Functions is a solution for easily running small pieces of code, or "functions," in the cloud. Developers can create code needed for the specific problem at hand, without worrying about a whole application or the infrastructure to run it. Functions can make development even more productive, and you can use your development language of choice, such as C#, F#, Node.js, Python, or PHP. This section describes how to set up the Azure Function that streams Activity Log events to the Evident Security Platform.

Note: All references to apps in this section refer to the Azure Function.

Step One: Create Function App (container)

  1. Navigate to the App Services blade.
  2. Click Add.
  3. In the Filter Box, type “Function App” and select it from the List.
  4. Click Create.
  5. Fill out all fields shown in the lower-left corner.
    1. App name needs to be a unique sub-domain in 'azurewebsites.net'.  Please use the format: *-evident-esp-trigger-, e.g. 'WB01-evident-esp-trigger-01'.
    2. Subscription should be the default subscription type, e.g. 'Pay-As-You-Go'.
    3. Resource Group can be either a new one (default) or selected from the list.  
    4. Hosting Plan: the Consumption Plan pays per execution and dynamically allocates resources based on your app's load; an App Service plan uses a predefined capacity allocation with more predictable costs and scale.
    5. Location can be set at the user's discretion.
    6. Storage can be set at the user's discretion, we advise to use Create New.
    7. Click Create.

Step Two: Custom Function Setup (in container)

  1. Navigate to the Function Apps blade.
  2. Expand the app you just created.
  3. Select Application Settings in the middle pane.
  4. Click Add New Setting in main pane.
  5. Enter a new setting with key EspExportStorageAccount and, as the value, the Key1 Connection String you copied in Export Activity Logs to a Storage Account via Azure Portal UI, Step One. Keeping the connection string in an application setting keeps it out of the function source.
  6. Click Save in top nav to update app settings
  7. Select Functions in the left navigation bar.
  8. Click New function.
  9. Search for Language “JavaScript” and Scenario “Core”. Select BlobTrigger - Javascript.
  10. Enter a Name for your function. For Storage account connection, select the EspExportStorageAccount setting you added in step 5, and set Path to insights-operational-logs/{default}.
  11. Click Create, and then the Function should Show the body of index.js.

Onboarding Your Azure Function

Introduction

Note: All references to apps in this section refer to the Azure Function.

Step One: Azure Function Setup: JavaScript body for trigger

  1. Select the Function you created in Storage Account Function trigger via Azure Portal UI.
  2. Delete all default code.
  3. Copy the body of ESP Azure Function generated during Azure Account setup in Onboarding Your Azure Service to ESP: External Account Setup into the container.
  4. Click Save.
  5. Click on your app via the left navigation bar.
  6. Click Platform Features in the top menu.
  7. Select Console under Development Tools. This will open a terminal window that will provide a bash shell for the current Function App container where you will execute shell level commands.
  8. In the console window, execute the following commands:
    dir
    cd <name of function>
    npm init -y
    npm i request
    dir shows the content of the directory, including your function name. npm init -y creates a node project (package.json) in the current directory. npm i request installs the node library request (https://github.com/request/request) so it is available to the function script.
    Note: The “npm i request” command will show two warnings in the output; these warnings can be ignored because they are related to function template properties.

Azure Onboarding Wizard

  1. Click Azure.

  2. Click portal.azure.com.
    Log into Azure with your account.

  3. Click Next.
  4. Subscription and Tenant ID
    1. Gather the following information and enter it into the appropriate fields:
      1. SUBSCRIPTION ID
      2. TENANT ID
    2. Click Next.

  5. Application ID and Key
    1. Follow the instructions on the wizard.
    2. Click Next.

  6. Application Permissions
    1. Follow the instructions on the wizard.
    2. Click Next.

  7. Click Create ESP External Account.
  8. ESP Account Setup

    1. Click Create ESP Account Setup
    2. Follow the instructions on the wizard.
    3. Click Next.
  9. Event Hubs and Logs

    1. Follow the directions on the wizard.
    2. Click Next.
  10. Function Code Deploy

    1. Follow the instructions on the wizard.
    2. Click Create.

Onboarding Azure CLI

Prerequisites

The following steps are required to prepare your Azure account and ESP account to work together.

  1. Ensure that your Azure account and subscription meets the following qualifications:
    1. Your Azure account must be a paid or pay as you go subscription. The free trial may not work. (For more information, see Microsoft: Switch your Azure subscription to another offer.)
    2. Your Azure subscription must have the Microsoft.Insights resource provider registered; the Activity Log export depends on it.
    3. You must have owner permissions on your Azure subscription.
    4. You must have at least one resource group prebuilt and know the name for it inside of your Azure subscription. That will be where the script builds all the resources.
  2. Ensure that the following has been done on your ESP account:
    1. Azure Beta must be enabled on your ESP organization. If you do not have Azure Beta enabled, you will need to set up the Azure Beta for your test ESP. Note: Do not use the demolicious account.
    2. Ensure that you have generated the API keys.
    3. Create a team that will contain your Azure external account and record the numerical reference for that team. This is in the URL string if you edit the team.
  3. Get the zip file containing the needed scripts, open the readme.md file in it and refer to it. Then install Node.js for your platform:
    1. On Windows machines, download and install Node.js if you do not already have it (https://nodejs.org/en/download/). To make sure it has the core build dependencies, run the following two commands in an administrator command prompt:
      npm install --global --production windows-build-tools
      npm install --global node-gyp
      Close the administrator window, extract the zip file, and open a terminal window or command prompt at the path you extracted the zip file to.
    2. On Ubuntu Linux 17.04 machines, download and install Node 6.x via https://nodejs.org/en/download/package-manager/#debian-and-ubuntu-based-linux-distributions. Ensure that ubuntu-dev-tools is installed, and install the remaining build dependencies:
      sudo apt-get install ubuntu-dev-tools -y
      sudo apt-get install pkgconf -y
      sudo apt-get install libsecret-1-dev -y
      sudo npm install --global node-gyp
    3. On OSX machines, download and install Node.js via https://nodejs.org/en/download
  4. The next prerequisite depends on your operating system:
    1. For Windows, run the following two commands in the directory where you extracted the zip file:
      npm i -g npm@5.2.0
      npm i
    2. For Ubuntu Linux 17.04, run the following commands in the directory where you extracted the zip file:
      sudo npm i -g npm@5.2.0
      sudo npm i
  5. At this point in the process, you should have an environment ready to proceed to the installation. If you are getting errors or missing files, you need to stop and fix that first or else this won’t work.
  6. Create an .env file in the path to which you extracted the files. Add the following two lines from the readme file, replacing “abc” with your ESP API key and ESP API secret respectively. Delete the rest of the lines from the file (they are not needed and may cause problems) and save it. The file holds your ESP API credentials, so keep it out of version control and readable only by your own user:
    exports espAPIKey=abc
    exports espAPISecret=abc

  7. Next, you are ready to start. Run node espAzureCli.js (you will need to use ‘sudo node espAzureCli.js’ on Linux)
    node espAzureCli.js
    Starting CLI...
    .env loaded...
    .session.json loaded...
    espAzure~$ login
    Checking cached session...
    Please login, credentials invalid.
    To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code B3H8KEGVX to authenticate.
                      
    1. Enter the command:
      login
      
    2. The login should prompt you to enter an application code in an Azure login window. This is how the CLI gets the authority to do what it does. You should be in the CLI environment now.

CLI Onboarding Walkthrough

  1. Set up your ESP API keys and add them to the .env file. (See Prerequisites, steps 2 and 6.)
  2. espAzure~$ login
    
  3. espAzure~$ createsp -n espazurenewstoragedate
    
  4. espAzure~$ storage-account -n espazurenewstoragedate -g espazuredemotestdate create
    
  5. espAzure~$ export-log -s espazuredemotestdate -a espazurenewstoragedate
    
  6. espAzure~$ esp-account -e 1234 -n 'Azure Resources' -d https://esp.evident.io add
    
  7. espAzure~$ storage-account -n espazurenewstoragedate -g espazuredemotestdate showkey
    
  8. espAzure~$ function -n espazuredemotestdifdate deploy-storage
    
  9. Serverless: Successfully created Function App
    

Tips and Tricks for the CLI Walkthrough Guide

The following are troubleshooting tips and tricks if you have problems:

Azure Group Manager

Azure Channel Groups are designed for enterprise relationships with bulk subscriptions/accounts available for processing. They allow you to connect multiple Azure accounts/subscriptions together in one channel to streamline event processing. The Azure Functions of the selected accounts/subscriptions use the channel URL to send all data to ESP for processing.

Azure subscriptions can be independent or they may share resources. Depending on your Azure architecture, use one of the following ways to set up and connect Azure subscriptions/accounts in one Channel Group.

Solution One: Connecting Multiple Azure Accounts Through ESP

  1. Add Azure Accounts to ESP as described on Onboarding Your Azure Service to ESP: External Account Setup.
  2. Add your Azure Channel Group:
    1. Go to Control Panel > Azure Channel Group Manager.

    2. Click New.
    3. Enter the name of the new group in the Choose a Channel Group Name field.

    4. Click Create New Group.
    5. Click Show Channel Group URL.
      Note: ESP displays the Channel URL only once. Copy it and keep it in a safe place; the URL carries the token that authenticates your Functions to ESP, so treat it as a credential.
    6. Add members to Azure Channel Group.
      Note: After all members are added, you need to update corresponding App Functions in Azure portal.
    7. Login to your Azure portal.
    8. Select the subscription (account) that is audited by ESP.
    9. Select the Function App.
      1. Select the Function in the left menu.
      2. In the “index.js” code section on the right, replace the URL with the Channel URL.
      3. Click Save.

    10. Repeat the above steps for all your ESP Accounts (App Functions) in a Channel.

Solution Two: Connecting Multiple Azure Accounts, which share Storage and Function in Azure.

When Azure subscriptions share resources in Azure, it dramatically reduces the complexity of account onboarding. It also improves maintainability, as only one storage account and one function need to be supported for an ESP Azure setup with multiple Azure subscriptions/accounts.

All subscriptions sharing the activity log must have pre-established trust relationship. For more information, see Azure: How to add an Azure subscription to Azure Active Directory.

  1. Add First Azure Account to ESP for Subscription 1 as described in Onboarding Your Azure Service to ESP: External Account Setup.
  2. Create a Channel Group as described above.
  3. Add the First Azure Account to the Channel Group, and replace the URL in the Azure Function with the Channel Group URL provided by the Channel Group Manager. (See “Add your Azure Channel Group” above.)
  4. When adding more accounts follow the next instructions:
    1. Set up the Azure Service Principal as described in Defining your Azure Service Principal and Setting Up Your Active Directory.
    2. Export logs to Storage Account1, the storage account created for Azure Subscription 1. For more information, see Export Activity Logs to a Storage Account via Azure Portal UI. Make certain you select Subscription 1 in the subscription dropdown and the corresponding Storage Account1 for Subscription 1. All subscriptions sharing a storage account (or esb namespace) must have a pre-established trust relationship.
    3. Add the new External Account to ESP as described in Onboarding Your Azure Service to ESP: External Account Setup. This time there is no need to copy the function code, as you will use the shared function from Azure Subscription 1.
    4. Add created External Account to Channel Group created in step 2.

Using Azure Channel Group in ESP

To Add Members to an Azure Channel Group:

  1. Go to Control Panel > Azure Channel Group Manager
  2. Locate the Azure Channel Group you wish to add members to.
  3. Click Edit next to the specific group.
  4. Click Add Members.
  5. Select the members: all Azure accounts are shown; click the radio button next to each account you want to add.
  6. Click Save.

To delete an Azure Channel Group:

  1. Go to Control Panel > Azure Channel Group Manager
  2. Locate the Azure Channel Group you wish to delete.
  3. Click Delete next to the specific group.

Azure Troubleshooting

Please follow these troubleshooting steps if you suspect that alerts are not properly generated in your Azure external account.

First, let’s make sure your Azure Function works correctly and sends events to the Evident Security Platform.

  1. Generate an event by navigating to an NSG (Network Security Group) rule, toggle Allow/Deny for inbound rule, and click Save.
  2. Navigate to the Azure Function you created and click Monitor.
  3. Wait 5-10 minutes for Azure to log the event and export to the Function App for processing.
  4. Click Refresh.

Log entry: No log entries.
Resolution: The events are not being forwarded to the Function App. Review the documentation and make sure all steps were performed. Make sure the Activity Log export is set up for the correct storage account, and that the Azure Function uses the correct connection string for that storage account (the EspExportStorageAccount setting).

Log entry: A successful entry, like: “EvidentEspTrigger called. Sending to url: https://azure-logs.evident.io/group_messages/123?token=xyz123 for subscription: Successfully posted the message response:,{"statusCode":200,…”
Resolution: Events are being sent to ESP. If you do not see them in reports, please contact support@evident.io.

Log entry: A connection error to Evident with statusCode 422, like: “EvidentEspTrigger called. Sending to url: https://azure-logs.evident.io/group_messages/123?token=xyz123 for subscription: Successfully posted the message response:,{"statusCode":422,…”
Resolution: Check the URL in the response against the URL in the Function code. Update the URL if needed and restart the Function; this should fix the problem.

Log entry: An error like: Exception while executing function: Functions.BlobTriggerQA442JS1 ---> System.InvalidOperationException : Exception binding parameter 'myBlob' ---> Microsoft.WindowsAzure.Storage.StorageException : The remote server returned an error: (404) Not Found. ---> System.Net.WebException : The remote server returned an error: (404) Not Found
Resolution: This may happen when restarting the Azure Function and should correct itself in a few minutes. If it persists, please contact support@evident.io.

Log entry: Other errors in the logs.
Resolution: Please report the occurrence to support@evident.io.
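The checks in the table can be applied to the Monitor output mechanically. The script below is an added example, not Evident's code: it sorts a batch of Function log lines into the cases above and redacts the channel token before the lines are pasted into a support ticket. The log lines in it are constructed to match the entries quoted above; the URL and token are the placeholders the table uses.

```python
"""Added example (not Evident's code): classify Azure Function Monitor output
into the resolution table above and redact the channel token before sharing
log lines. Sample lines are constructed; URL and token are placeholders."""
import re

STATUS_RE = re.compile(r'"statusCode":\s*(\d{3})')
TOKEN_RE = re.compile(r"(token=)[^&\s\"']+")

RESOLUTIONS = {
    "no_entries": "Events are not reaching the Function App: check that the Activity Log "
                  "export targets the storage account whose Key1 connection string is in "
                  "the EspExportStorageAccount setting.",
    "ok": "Events are being sent to ESP; if they are missing from reports, contact support@evident.io.",
    "url_mismatch": "ESP answered 422: compare the URL in the log with the URL in index.js, "
                    "correct it and restart the Function.",
    "blob_404": "Usually transient after a Function restart; wait a few minutes and contact "
                "support@evident.io if it persists.",
    "other_error": "Report the log lines (token redacted) to support@evident.io.",
}


def redact_token(line):
    """Channel URLs carry an access token in the query string; never paste it into a ticket."""
    return TOKEN_RE.sub(r"\1<redacted>", line)


def classify(lines):
    """Return (category, resolution) for one batch of Monitor log lines."""
    lines = [line for line in lines if line.strip()]
    if not lines:
        return "no_entries", RESOLUTIONS["no_entries"]
    text = "\n".join(lines)
    if "Exception binding parameter 'myBlob'" in text and "(404) Not Found" in text:
        return "blob_404", RESOLUTIONS["blob_404"]
    codes = {int(code) for code in STATUS_RE.findall(text)}
    if 422 in codes:
        return "url_mismatch", RESOLUTIONS["url_mismatch"]
    if codes == {200}:
        return "ok", RESOLUTIONS["ok"]
    return "other_error", RESOLUTIONS["other_error"]


# Constructed sample batches, mirroring the entries quoted in the table above.
OK_LINES = [
    'EvidentEspTrigger called.',
    'Sending to url: https://azure-logs.evident.io/group_messages/123?token=xyz123 for subscription: ...',
    'Successfully posted the message response:,{"statusCode":200,"body":"{}"}',
]
MISMATCH_LINES = [
    'Sending to url: https://azure-logs.evident.io/group_messages/123?token=xyz123 for subscription: ...',
    'Successfully posted the message response:,{"statusCode":422,"body":"unprocessable"}',
]
BLOB_404_LINES = [
    "Exception while executing function: Functions.BlobTrigger1 ---> System.InvalidOperationException : "
    "Exception binding parameter 'myBlob' ---> Microsoft.WindowsAzure.Storage.StorageException : "
    "The remote server returned an error: (404) Not Found.",
]

if __name__ == "__main__":
    for name, batch in [("ok", OK_LINES), ("422", MISMATCH_LINES), ("404", BLOB_404_LINES), ("empty", [])]:
        category, fix = classify(batch)
        print(f"{name:>5}: {category} -> {fix}")
    print(redact_token(OK_LINES[1]))
```

Run it against a copy of the Monitor output; whatever you send to support should go through redact_token first, because the token in the channel URL is what lets a Function post events into your ESP account.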

Note: when contacting support@evident.io please provide:

ESP Dashboards

ESP - Overview

ESP - Detailed Risks

What is the ESP Dashboard?

The ESP Dashboard is a high level view of your security status across all accounts. The dashboard also acts as a portal to the information it is displaying.

When you click on a graph element on the dashboard, you will be taken to the drilled down information described by that graph element.

For example: If you click on a red box with a number 67 next to it, you will be taken to a page with a list containing 67 High Risk Alerts. In this case they are High Risk alerts filtered for a specific Azure Region: West US.

Drilling Down to Your Data

Certain elements on the page act as controls that filter the rest of the dashboard. Hovering over a Team filters all other graphs on the page to show security statistics for only that team.

Clicking a Team toggles a lock on the filter; you can then hover over more teams to add them to the filter.

ESP SSO Integration

Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.

Evident.io uses PingOne as our Identity Provider (IdP). You can download our PingOne metadata; you will need to generate a corresponding SAML 2.0 metadata.xml file for your IdP or provide similar information about your setup. We use the user's email address as the common authentication component.

You will need the following information to integrate with Evident via PingOne:

Assertion Consumer Service (ACS) URL (The URL used by PingOne to receive the AuthnResponse from the IdP indicating whether a user has been successfully authenticated for single sign-on.)

https://sso.connect.pingidentity.com/sso/sp/ACS.saml2

PingOne Entity ID / Audience URI (A globally unique name identifying PingOne as a SAML entity. If we are going to set up more than one SSO/SAML, please contact us as we will need to configure unique URIs for you.)

PingConnect

TargetResource / Default Relay State (To do IdP-initiated SSO, the IdP needs to provide a TargetResource value for the single connection.)

https://pingone.com/1.0/a004e86a-202c-46e7-96e7-39d1ca13f453

Verification Certificate (If your IdP doesn’t support uploading the PingOne metadata, you can use our certificate independently.)

pingone-signing-05-03-2020.crt

Name ID Format

EmailAddress

Application Username

Email

Once you have your side configured, please send us your metadata. It may be contained in a SAML 2.0 metadata.xml similar to ours. We need the following information from you:

Entity ID

Uniquely identifies your IdP to PingOne. This identifier is used in the SAML assertion sent to PingOne by your IdP.

SSO Endpoint

The URL of your IdP endpoint to which PingOne sends SAML AuthnRequests.

Verification Certificate

Your IdP's public signing certificate, which PingOne uses to verify the signatures on your SAML assertions.

Once we receive this information, we will configure our side and reach out to schedule a time to test and confirm that SSO is working properly for you.

User Attribution

The signal-to-noise ratio can be overwhelming when scanning through a flood of alert data. User Attribution allows you to correlate ESP security alerts directly with AWS CloudTrail events, helping you find the needle in the haystack. User Attribution analyzes your events, reduces the dataset to the events relevant to the specific ESP alert, and summarizes the relevant CloudTrail event fields in ESP alerts.

User attribution identifies the following information for every alert:

User Attribution Workflow

  1. Click Control Panel and then select External Account.
  2. Click User Attribution.
  3. Once User Attribution has been turned on, it can take thirty minutes before you start seeing data from Evident.io. Attribution data allows you to identify bad actors and insider threats quickly.
  4. Click on the desired alert to access more information.
  5. Review the attribution data to learn everything you need to know to resolve this alert.
  6. Next, click View Event to study the Event Details, as shown below.
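The correlation described above, as an added, simplified model rather than Evident's implementation: given an alert's resource and time, keep the CloudTrail write events that touched that resource within an hour either side (the window the lifecycle section below mentions) and summarise who made the change. The event records are constructed and carry only a subset of real CloudTrail fields; account id, IP addresses and resource ids are placeholders.

```python
"""Added example (not Evident's implementation): correlate an alert with the
CloudTrail write events that touched its resource within +/- one hour."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)  # ESP looks one hour before and after the alert

# Constructed CloudTrail-style records (account id, IPs and resource ids are placeholders).
SAMPLE_EVENTS = [
    {"eventTime": "2020-05-03T08:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890"}},
    {"eventTime": "2020-05-03T10:05:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f67890",
                           "ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
                                             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2020-05-03T10:30:00Z", "eventName": "DescribeSecurityGroups",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "readOnly": True,
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Auditor/scan"},
     "requestParameters": {"groupIds": ["sg-0a1b2c3d4e5f67890"]}},
    {"eventTime": "2020-05-03T10:50:00Z", "eventName": "CreateVolume",
     "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False,
     "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
     "responseElements": {"volumeId": "vol-0fedcba9876543210"}},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _mentions(obj, resource_id):
    """True if resource_id appears anywhere inside a nested request/response structure."""
    if isinstance(obj, dict):
        return any(_mentions(v, resource_id) for v in obj.values())
    if isinstance(obj, list):
        return any(_mentions(v, resource_id) for v in obj)
    return obj == resource_id


def events_for_alert(events, resource_id, alert_time, window=WINDOW):
    """Write events that touched resource_id within +/- window of alert_time, oldest first."""
    alert_at = _parse_time(alert_time)
    matched = []
    for ev in events:
        if ev.get("readOnly", False):
            continue  # the trail is configured Write-only; skip reads defensively anyway
        if abs(_parse_time(ev["eventTime"]) - alert_at) > window:
            continue
        if _mentions(ev.get("requestParameters"), resource_id) or _mentions(ev.get("responseElements"), resource_id):
            matched.append(ev)
    return sorted(matched, key=lambda e: e["eventTime"])


def summarize(event):
    """The CloudTrail fields an analyst needs first: who, what, where from, when."""
    return {
        "who": event["userIdentity"].get("arn"),
        "identity_type": event["userIdentity"].get("type"),
        "what": event["eventName"],
        "source_ip": event.get("sourceIPAddress"),
        "region": event.get("awsRegion"),
        "when": event["eventTime"],
    }


if __name__ == "__main__":
    # Constructed alert: ESP flags the security group at 11:00 UTC.
    for ev in events_for_alert(SAMPLE_EVENTS, "sg-0a1b2c3d4e5f67890", "2020-05-03T11:00:00Z"):
        print(summarize(ev))
```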

Setup CloudTrail

The first step is to set up a global trail in CloudTrail. This trail records the changes made by users, which we use to attribute alerts. Follow the steps on the right to set up a new trail.

To set up a new CloudTrail trail:

  1. Log into your Amazon Management Console (https://console.aws.amazon.com/).

    Instructions for ESP GOV Users

    AWS GovCloud's URL is https://console.amazonaws-us-gov.com

  2. On the AWS Services page, select the CloudTrail service.
  3. Select Trails on the left menu.
  4. Select Add new trail.
  5. Use the following options to set up the trail. The names are suggested values.
    • Trail name: Evident-User-Attribution
    • Apply trail to all regions: Yes
    • Create a new S3 bucket: Yes
    • S3 bucket: <AWS Account ID>-evident-user-attribution
  6. Select Advanced to expand the advanced options. Use the following settings.
    • Leave Log file prefix blank.
    • Encrypt log files: Yes
    • Create a new KMS key: Yes
    • KMS key: Evident-User-Attribution-KMS
    • Enable log file validation: Yes
    • Send SNS notification for every log file delivery: Yes
    • Create a new SNS topic: Yes
    • SNS topic: Evident-User-Attribution
  7. Click Create.
  8. Select the newly created trail from the trail list.
  9. Make a note of the S3 bucket name.
  10. Find the Management events section and click edit.
  11. Find Read/Write events and ensure it is set to Write-only. Then click Save.

Add Policy to External Account

Next we need to update this external account with the appropriate permissions. This allows us to verify that the CloudTrail trail is set up properly and to read the log files from the S3 bucket.

  1. On the AWS Services page, select the IAM service.
  2. Select Policies on the left menu.
  3. Click Create Policy.
  4. Select Create Your Own Policy.
  5. Name the policy EvidentUserAttribution.
  6. Copy the S3 bucket and SNS Topic ARN from the previous section into the forms below.
  7. Next, copy the policy below into the Policy Document field.

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "s3:Get*",
                     "s3:List*"
                 ],
                 "Resource": [
                     "arn:aws:s3:::<S3 BUCKET NAME>",
                     "arn:aws:s3:::<S3 BUCKET NAME>/*"
                 ]
             },
             {
                 "Effect": "Allow",
                 "Action": [
                     "cloudtrail:GetEventSelectors"
                 ],
                 "Resource": [
                     "*"
                 ]
             }
         ]
     }

    Instructions for ESP GOV Users

    We recommend altering Step 7 in the following way: change arn:aws:s3::: to arn:aws-us-gov:s3:::

  8. When you are finished, click Create Policy.
  9. Select Roles on the left menu.
  10. Filter for the ESP service role and select it.
  11. On the Permissions tab, select Attach Policy.
  12. Select the policy you created in Steps 5 to 8. Click Attach Policy.
  13. Click Submit.
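The policy above is deliberately narrow: read-only S3 access to the one attribution bucket plus cloudtrail:GetEventSelectors, with the ARN partition changed for GovCloud. As an added example (not Evident's code), the block below builds that document for either partition and checks a policy against that scope, so a bucket ARN in the wrong partition or a wildcard S3 grant is caught before it is attached. The bucket name is a constructed placeholder.

```python
"""Added example (not Evident's code): build the EvidentUserAttribution policy
for the standard or GovCloud partition and check a policy stays read-only and
scoped to the attribution bucket."""
import json

PARTITION_PREFIX = {"aws": "arn:aws:s3:::", "aws-us-gov": "arn:aws-us-gov:s3:::"}
ALLOWED_OTHER_ACTIONS = {"cloudtrail:GetEventSelectors"}


def attribution_policy(bucket, partition="aws"):
    """The policy from the steps above, with the bucket ARNs built for the partition."""
    prefix = PARTITION_PREFIX[partition]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:Get*", "s3:List*"],
             "Resource": [prefix + bucket, prefix + bucket + "/*"]},
            {"Effect": "Allow",
             "Action": ["cloudtrail:GetEventSelectors"],
             "Resource": ["*"]},
        ],
    }


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def policy_findings(policy, bucket, partition="aws"):
    """Return problems with a policy document; an empty list means it matches the documented scope."""
    findings = []
    bucket_arn = PARTITION_PREFIX[partition] + bucket
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: unexpected Effect {stmt.get('Effect')!r}")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        for action in s3_actions:
            if not (action.startswith("s3:Get") or action.startswith("s3:List")):
                findings.append(f"statement {idx}: non-read S3 action {action}")
        if s3_actions:
            # Any S3 grant must name exactly the bucket and its objects, in the right partition.
            for res in resources:
                if res not in (bucket_arn, bucket_arn + "/*"):
                    findings.append(f"statement {idx}: S3 resource {res} is not the {partition} ARN of bucket {bucket}")
        for action in actions:
            if not action.lower().startswith("s3:") and action not in ALLOWED_OTHER_ACTIONS:
                findings.append(f"statement {idx}: action {action} is outside the documented scope")
    return findings


if __name__ == "__main__":
    bucket = "123456789012-evident-user-attribution"  # placeholder
    doc = attribution_policy(bucket, "aws-us-gov")
    print(json.dumps(doc, indent=2))
    print(policy_findings(doc, bucket, "aws-us-gov"))
```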

Create SNS Subscription

Then we need to create a subscription from your SNS topic to our service.

  1. On the AWS Services page, select the SNS service.
  2. Select Topics on the left menu.
  3. Select the checkbox next to the Evident-User-Attribution topic.
  4. Select the Actions menu near the top of the screen.
  5. Click Subscribe to topic.
  6. Set Protocol to HTTPS.
  7. Click Get URL in ESP to generate a HTTPS endpoint.
  8. Add the generated URL in the Endpoint box.
  9. Click Create Subscription.
  10. Click Submit. (If you have previously created a subscription, you will need to click Submit again.)

Instructions for ESP GOV Users

AWS GovCloud has a different SNS console, so the instructions for creating the subscription are slightly different.
  1. On the AWS Services page, select SNS service.
  2. Expand Topics on the left menu.
  3. Click the Evident-User-Attribution topic.
  4. Click Create Subscription.
  5. Set Protocol to HTTPS.
  6. Copy the URL found below in the Issue 3 section.
  7. Paste the URL into the Endpoint box.
  8. Click Subscribe.

On the SNS page:
  1. Select Create and Add dropdown menu.
  2. Select Create New Topic.
  3. When the new-topic modal shows, enter a topic name and click Create Topic. The newly created topic will be opened.
  4. Select the text for Topic ARN and copy it. Paste that ARN into the box to the left of this page.

Add CloudTrail Name

At this point everything should be set up properly for you to turn on User Attribution. Enter the CloudTrail name on the right and click Submit. We will finish setting up user attribution by subscribing the SNS topic to our Lambda function.

  1. Enter the CloudTrail Name into the field below.
  2. Click Submit.

Optional: Add a Lifecycle Bucket Policy

To prevent logs from accumulating in your S3 bucket and incurring charges from AWS, you may wish to add this optional lifecycle bucket policy. ESP only searches the logs from an hour before and an hour after an alert is generated to populate the User Attribution details.

  1. Select the S3 bucket: demolicious accountageous-evident-user-attribution (or whatever you named the bucket previously).
  2. In the right-hand pane, select Lifecycle.
  3. Click Add Rule and then apply to the whole bucket.
  4. Click Configure Rule.
  5. Click Permanently Delete.
  6. Enter 1 in the Days field.
  7. Click Review.
  8. Change the policy name. (We recommend ESP CloudTrail Bucket Policy).
  9. Click Create and Activate.

Compliance

The dynamic nature of the cloud creates challenges for risk and compliance professionals tasked with measuring and demonstrating adherence to security and privacy controls. The tools they used for traditional systems don’t work. Even though manual interrogation of the cloud is slow and arduous, many organizations want to increase the frequency of their audits to ensure and demonstrate they are doing their best to remain secure.

ESP Compliance ensures that all your company’s cloud computing meets all applicable regulations.

Using the continuous security monitoring data collected in the Evident Security Platform and the compliance report views, you eliminate the manual drudgery of compliance assessment. With one-button simplicity, you can access the needed compliance report and then spend more time mitigating risks and addressing the gaps that were found.

The following features are included in Compliance Views:

Compliance View

The Compliance View dashboard shows all the current compliance rules, divided by the standards you are working within, that ESP is currently monitoring across all your AWS resources.

Note: For the moment, ESP automatically enrolls all assets for the CIS AWS Foundations Benchmark. In the future, customers will be able to purchase additional standards.

Note for ESP GOV Users

Regular ESP currently provides the CIS AWS Foundations Benchmark standard; in GovCloud, NIST 800-53r4 is also available for free.

ESP Compliance View

To review all the alerts generated by a specific set of standards, click on the desired standards. In the example above, click the CIS AWS Foundations Benchmark standard.

ESP Compliance View

ESP reveals a complete list of all the rules under the selected standard. The example above is the CIS AWS Foundations Benchmark standard.

To drill down into the AWS resources monitored under these rules, simply select one of the rules, as shown below, to reveal all the monitored assets.

ESP Compliance View

To see all alerts generated by one of these rules, click on the resource.

ESP Compliance View

Click on the Expand accounts button to expand all the resources.

To examine the details for the alerts for your AWS asset generated by one of these rules, click on Details to the right of it.

ESP Compliance View

Generate Compliance Reports

  1. Click Control Panel.
  2. Click Reports.
  3. Select Run Reports and then your specific team. In this example, Contract AWS Billing.
  4. A report will be queued for the external account selected: Contract AWS Billing.
  5. You will get a "report has been queued" message like the one below. It can take a few minutes to generate the report.
  6. Once the report has been generated, click View Report.
  7. Select the Compliance tab.
  8. This report allows you to drill down to individual rules and the alerts they generated, just like any other report (see Reports).

Compliance View — Enabling Compliance

This document details step-by-step instructions on how to set up the compliance reports for Evident Security Platform and review the reports.

To Enable Compliance Reports on Evident Security Platform:

  1. Click Control Panel.
  2. Click External Accounts.
  3. Compliance standards must be applied to each External Account separately. In this example, we will select the Compliance button from Contract AWS Billing.
  4. All the Compliance Standards available for this External Account will be listed on the screen. For this demo, NIST 800-53r4 - Moderate and PCI DSS 3.2 are available. Click Enable to the right of the desired compliance standard (PCI DSS 3.2) to activate it for your account.
  5. Once a standard has been activated, ESP will populate your reports with compliance data at the next scheduled report interval.
  6. The Disable button will appear to the right of the standard, allowing you to deactivate it later.


Viewing Compliance Reports on Evident Security Platform:

  1. Click Reports.
  2. [Optional] If you have not run a report since enabling compliance, select Run Reports > Contract AWS Billing.
  3. [Optional] A report will be queued for the external account selected: Contract AWS Billing.
  4. Once the report has been generated, click View Report.
  5. Select the Compliance tab.
  6. Scroll down until you locate the PCI DSS 3.2 compliance information. It lists the controls and the number of alerts for each, shown next to a red X if the control inspection fails or a check mark if the control passes. The numbers represent the actual alerts.
  7. To drill down further, click on one of the rules. For this example, select Do not allow unauthorized outbound traffic.
  8. You can now review all alerts generated by this rule. If you see a failed alert, you may drill down further by clicking Details.
  9. This page details information about the alert, what resources it affected, and how to address the problem.
  10. To export this report to a PDF, return to the reports page and click Export to File > PDF.

Export Team-Specific Compliance Report

To Export a Compliance Report specific to a team:

  1. Open ESP Dashboard.
  2. On the top-left panel, select the team(s) you want to view.
  3. Select the Compliance Report that you want to view. This will open the Compliance Report for the selected team(s).
  4. To export, click on the Export to File > PDF button on the bottom-right.

Export Compliance Report to PDF

  1. Generate a Compliance Report.
  2. View the Compliance Report.
  3. Select the Compliance tab.
  4. Click Export to File > PDF.

Custom Compliance Editor

ESP now offers a custom compliance editor that lets users create customized compliance modules based on their internal security controls and cloud compliance frameworks. A compliance framework is a structured set of guidelines that details an organization's business processes for maintaining accordance with established regulations, specifications, or legislation, or with its own internal cloud security control framework. It starts with a standard, which in this case is the overall title of the report. That report is populated by the results of specific controls; each control maps to one or many ESP signatures. The results of the signatures, PASS or FAIL, determine whether the control passes or fails. The controls are grouped logically by domains. For example, you may want all of your identity and access controls grouped in one domain and all of your storage or encryption controls grouped in separate domains. Thus you have a compliance report comprised of:

Standard
  -> Domain1
     --> Control A
         --> which is mapped to a specific ESP Signature #name#
  -> Domain2
     --> Control B
         --> which is mapped to a specific ESP Signature #name#
     --> Control C
         --> which is mapped to a specific ESP Signature #name#

The Compliance Editor has a 1 external account per standard limitation. Please contact support@evident.io if this limit needs to be raised.

What is a Compliance Domain?

A compliance domain is a defined group of data-related compliance controls used to automatically check business processes for violations of data-related compliance rules. In practical terms, a domain is a defined bucket that you place controls inside to help manage them (e.g., Access Controls, Network Security).

What is a Compliance Control?

A compliance control is a defined check that monitors business processes for violations of data-related compliance rules (e.g., AWS accounts will have a limited number of IAM admins).
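The roll-up the editor description above lays out (signature results decide each control, controls are grouped into domains, and the domains make up the standard) can be modelled directly. The block below is an added example, not ESP's implementation; the standard, signature identifiers and report results are constructed, and NO_DATA for a control whose signatures produced no alerts is an assumption of this example rather than an ESP status.

```python
"""Added example (not ESP's implementation): roll signature results up through
controls and domains into a standard status. A control fails if any mapped
signature produced a FAIL; NO_DATA is this example's own label, not an ESP status."""
from collections import Counter

# Constructed standard: domain -> control -> mapped signature identifiers.
STANDARD = {
    "name": "Example Internal Cloud Controls",
    "domains": {
        "Access Controls": {
            "AC-1 MFA on privileged users": ["AWS:IAM-001", "AWS:IAM-002"],
            "AC-2 Limited number of IAM admins": ["custom:limited-admins"],
        },
        "Storage Encryption": {
            "SE-1 EBS volumes encrypted": ["AWS:EBS-001"],
        },
    },
}

# Constructed per-signature alert statuses from one report (one entry per resource).
REPORT = {
    "AWS:IAM-001": ["PASS", "PASS", "PASS"],
    "AWS:IAM-002": ["PASS", "FAIL", "FAIL"],
    "custom:limited-admins": ["PASS"],
    "AWS:EBS-001": [],
}


def control_status(signature_ids, report):
    """PASS/FAIL for one control from the alerts of the signatures mapped to it."""
    statuses = [s for sig in signature_ids for s in report.get(sig, [])]
    if not statuses:
        return "NO_DATA"
    return "FAIL" if "FAIL" in statuses else "PASS"


def evaluate(standard, report):
    """Per-control status and failing-alert counts by domain, plus the standard's overall status."""
    result = {"standard": standard["name"], "domains": {}, "control_totals": Counter()}
    for domain, controls in standard["domains"].items():
        evaluated = {}
        for control, sigs in controls.items():
            status = control_status(sigs, report)
            # The count shown next to the red X in the compliance report: failing alerts for this control.
            failing = sum(1 for sig in sigs for s in report.get(sig, []) if s == "FAIL")
            evaluated[control] = {"status": status, "failing_alerts": failing}
            result["control_totals"][status] += 1
        result["domains"][domain] = evaluated
    result["status"] = "FAIL" if result["control_totals"]["FAIL"] else "PASS"
    return result


def within_editor_limit(standard, limit=100):
    """Each custom standard is granted 100 domains/controls (from the text above)."""
    count = len(standard["domains"]) + sum(len(c) for c in standard["domains"].values())
    return count <= limit


if __name__ == "__main__":
    outcome = evaluate(STANDARD, REPORT)
    print(outcome["standard"], outcome["status"])
    for domain, controls in outcome["domains"].items():
        for control, info in controls.items():
            mark = "X" if info["status"] == "FAIL" else "v"
            print(f"  [{mark}] {domain} / {control}: {info['status']} ({info['failing_alerts']} failing alerts)")
```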

To create a new custom standard, users must first purchase a license to create a new standard, as the limit is 0 by default. However, each compliance standard is granted 100 domains/controls. Contact your Evident Sales representative for information.

To access the custom compliance editor, go to Control Panel > Custom Compliance Editor.

Custom Compliance

Create a New Compliance Standard

  1. Log into ESP and go to Control Panel > Custom Compliance.
  2. Click New.


    Custom Compliance

  3. Enter the Name and Description of the new standard and then click Done.
  4. Next, you should add a new Compliance Domain and then Controls as needed.

Create a New Compliance Domain

Now that your new compliance standard has been created, it’s time to add compliance domains.

  1. Log into ESP and go to Control Panel > Custom Compliance > Domains.
  2. Click New.


    Custom Compliance

  3. Enter the Name, Identifier, and Standard of your new Compliance Domain and then click Done.


    Custom Compliance

  4. Now that you’ve created a custom domain, it should automatically populate in the assigned Custom Compliance standard.

Create a New Compliance Control

Now that your new compliance standard and compliance domain have been created, it's time to add compliance controls.

  1. Log into ESP and go to Control Panel > Custom Compliance > Controls.


    Custom Compliance

  2. Click New.


    Custom Compliance

  3. Enter the Name, Identifier, and Description of your new Compliance Control.
  4. Select your domain from the Domain pulldown menu.
  5. Select Signatures and Custom Signatures from the appropriate pulldown menus.


    Custom Compliance

  6. Now that you’ve created a control, it should automatically populate in the assigned Custom Compliance domain.

How to Enable a Compliance Standard

  1. Click Control Panel.
  2. Click External Accounts.
  3. Click Search.
  4. Enter the search parameters for the account you want the compliance standards attached to, then click Search.
  5. Click Compliance.


    Custom Compliance

  6. Click Enable to the right of the Compliance standard you want enabled.
    • Custom Compliance Standards are listed near the bottom.


    Custom Compliance

Alerts

The Evident Security Platform Dashboard gives you the big picture of all incoming alerts and how to process them.

Alerts are tagged by color according to severity and may be found along the dashboard or within data bubbles.

ESP Alert Severity

  Color Tag   Meaning
  RED         High Risk
  ORANGE      Medium Risk
  YELLOW      Low Risk
  GREEN       Pass
  BLUE        Total number of alerts aggregated together.

Your EC2 instances are grouped into data bubbles that represent the AWS Availability Regions of your EC2 assets. The size of a bubble reflects the number of alerts generated within that AWS Region. These points have the following properties:

Alert Severity

Every alert generated is placed into a severity level category designed to help you prioritize resources to address identified risks. Each alert is tagged with a specific severity status indicating:

  Type     Meaning
  HIGH     This alert has been judged to be a great potential risk to your business assets and should be examined as soon as possible.
  MEDIUM   This alert has been weighed as an issue that should be scheduled and tracked.
  LOW      This alert may not be applicable, or local business rules have determined that it is not a threat.

Filtering Alerts via the Alert Severity Key

Investigating Alerts via Availability Region Data Bubbles

To investigate all alerts within a specific Availability Region:


Specific ESP Region

  1. Locate the Availability Region you wish to investigate and click on it.
  2. All of the alerts of the selected severity for the last report will be displayed in the security report. Alerts may be filtered via the following categories:
    1. Severity: The severity of this specific alert.
    2. Status: The status of the alert can be: Pass, Fail, Warn, Error, and Info.
    3. Team: The user can belong to different teams, which can belong to a sub-organization or organization.
    4. Region: The Amazon AWS Region.
    5. Signature Name: The name of the security offense that the alert is for (e.g. Cloud Trails Bucket IAM Delete).
    6. Signature Identifier: The specific code for the signature (e.g. AWS:SSS-003).
    7. First Seen: The date/time when the alert was first reported.
    8. Services: The services associated with the generated alert.
    9. Resources: The resources associated with the generated alert.
  3. The affected resource report will detail information about the alert, including a description, suggested remediation steps, and all of the available alert details.
  4. Scroll down to see a code snippet from the signature identifying the exact problem.
  5. Once you have examined the alert and addressed the core issue, you have the option to suppress the alert, the signature causing the alert, or the region that has generated the alert.

    ESP Suppression Options

  1. Triage individual alerts via Alert Severity and Availability Region. You'll want to examine High Severities in your most valuable regions first.
  2. Drill down to the Details on the individual reports.

Toggling the Presentation

The Evident Security Platform dashboard is an interactive application that aggregates statistics across all of your accounts, giving you one-click access to a complicated set of filters that will shape your data to best serve your needs.

ESP Dashboard

Our goal is to optimize your experience so that critical details about your alerts are one click away.

Multiple Team Lock

The previous version of the ESP dashboard could only filter by one team at a time. The latest dashboard allows the selection of multiple teams, which brings you much more flexibility when drilling down.

24hr Only Toggle

If you only want to see alerts from the previous 24 hours on the dashboard, select this option and every element in the dashboard is replaced by the stats for only the new alerts. This is great for spotting changes at a glance. Would you notice that the total alerts in us_east_1 went from 111 to 114 overnight? If you had "24hr only" active, you would be more likely to notice the count growing from 0 yesterday to 3 today.

Graph Pass Toggle

Not all reports are bad news. Every passing alert is an indication that your organization is doing a great job at implementing best practices. However, this can drown out problems. By toggling the Graph Pass status, you can view your alerts in the context of their status.

Additional Status Types

Your security landscape is more than just pass and fail. Our signatures create alerts that are just warnings, purely informational, or ones that exist in an error state because of an AWS outage or other undefined behavior. Toggle the different statuses to see the counts reflected. When you click on an element with that status active, the alerts with that status will be in the report, not just the failing alerts.

Set Custom Risk Levels

Customers may now create custom risk levels for signatures to match their best security practices.

To set a custom risk level for a signature:

  1. Click Control Panel > External Accounts.


    Set Custom Risk Levels

  2. Click Custom Risk Levels.


    Set Custom Risk Levels

  3. Locate the signature you wish to modify and then click the Set button under the Set Risk Level column.


    Set Custom Risk Levels

  4. Select the new risk level for the Signature from the pull-down menu.
  5. Click Submit.

Alert Suppression

  1. Click on the Risk Category for the alert to be suppressed.


    Alert Suppression

  2. Click on the Details link on the right side of the alert you wish to suppress.


    Alert Suppression

  3. Click Suppression Options at the bottom of the EBS Snapshot alert details.


    Alert Suppression

  4. There are three different options you might take:
    1. If you want to suppress this alert for a few specific volumes, select Suppress this Alert. The alert will be suppressed for this individual volume only; the signature will still generate alerts for all other volumes, in all regions.
    2. If you want to suppress all alerts of this type for this account, select Suppress this Signature. Evident will suppress this alert across all volumes, in all regions, by default. (This may be customized as needed.)
    3. You might take snapshots at a different frequency and therefore want to customize the signature to match your business rules. This requires you to modify an existing signature.
    4. We recommend against suppressing entire regions, because you become blind to any alerts that might be generated from that region. This matters because an alert might hint at unauthorized usage in the region, for example if someone begins to run new services there. If a region isn't being used, we recommend that instead of suppressing alerts, you simply eliminate the VPCs in that region.
  5. For this example, we’re going to suppress this alert to meet your business needs. Select Suppress Alert.
  6. Enter the business reason for this alert suppression.


    Alert Suppression

  7. Click Customize Configuration.


    Alert Suppression

  8. The Suppression Configuration wizard allows you to select the accounts and regions for which you wish to suppress these alerts. If you wanted to ensure that development accounts did not receive this alert, you could suppress these alerts only for those accounts. You will need to create a suppression for each volume you do not want Evident to generate an alert for.

Reports

A report is a record of all of the alerts generated for a specific organization, sub-organization, or team. Click on Reports on the ESP dashboard to locate the Reports page.

ESP Reports

The ESP Reports page has three different filters to help you find the exact data you need:

ESP Reports

Generating and Viewing Reports

Evident Security Platform runs a scan every hour and compiles alert data into reports. If you need more recent data, you can trigger an immediate scan and report generation.

To generate and view a report:

  1. Click Reports on the dashboard.

    ESP Reports

  2. Select the Run Report pull-down menu and select the specific organization, sub-organization, or team you wish to review. Alternatively, you can select All Teams.

    ESP Reports

    ESP will run the scans through the selected team assets to build new reports. It will also list the external accounts it was unable to scan.

  3. Click History next to the report you wish to view to see a visual snapshot of the generated security report.

    ESP Reports

  4. Click View Report next to the security report you wish to view. This will take you to a detailed page that is divided by Alerts, Signatures, Custom Signatures, and Compliance.

    ESP Reports

  5. Click View Affected Resources next to the item you wish to view further.

    ESP Reports

Hovering Over Reports

Moving the mouse over a specific report reveals all of the new alerts generated within the last hour.


ESP Reports

Searching Reports


ESP Reports

To search for a specific report:

  1. Click Search (Open).

  2. Enter the appropriate search parameters into the fields. Parameters include:

    1. Organization Name
    2. Sub Organization Name
    3. Team Name
    4. Created after
    5. Created before

  3. Click Search.

  4. Select the report you wish to examine.

The Affected Resource page related to the specific alert opens. You may dig further into this information or turn your attention to other alerts in the report.

Exporting Reports to File

To export a report to file:

  1. You must first generate a report.
  2. Select the specific organization, sub-organization, or team you wish to examine.

    ESP Reports

  3. Select the Alerts tab.

    ESP Reports

  4. Click the Export to File pull-down menu and select the file type for the report. You may choose between CSV, JSON, and PDF.
  5. Evident.io will then email you the exported file.

Exporting Reports to an Integration

To export a report to an Integration:

  1. You must first generate a report.

  2. Select the Alerts tab.

    ESP Reports

  3. If you have an available Integration, you will see the Export to Integrations pull-down menu. If this option isn't available, you need to add an Integration. Select the Integration you wish to send the report to. ESP will then begin exporting all of the alerts to the selected integration, not just the alerts from the filtered results.

Scheduled Exports

  1. Click Control Panel.
  2. Click Scheduled Exports.
  3. Click New.
  4. Enter the name of the new Schedule.
  5. Enter the emails of the recipients into the appropriate field.
  6. Select the External account from the dropdown menu.
  7. Select the Frequency (Daily, Weekly, or Monthly) of the Export.
  8. Select the Timezone in which the report is sent.
  9. Create a filter to get the exact alerts you want to see.
  10. Click Done.

Disable Signatures

To disable a Signature, your user account must be assigned the Manager role.

  1. Go to Control Panel > Disabled Signatures.


    Disable Signature

  2. You have the option to view all available Signatures via alphabetical order or via accounts.
  3. Select the Signature you want to disable and click Show Accounts.


    Disable Signature

  4. All associated accounts are displayed under the Signature outlined in a field of green. To toggle a Signature off for a select account, simply click on the field.


    Disable Signature

  5. Disabled Signatures are outlined in pink. You may click Disable All to disable all Signatures for every account. Or you may click Enable All to enable a Signature for all accounts.

Custom Signatures

A custom signature is an automated validation against a defined non-standard best practice. An alert is generated when this validation fails or the signature judges that there is a potential security risk. A custom signature is used when the default best practice protocols are insufficient for a specific need. For example, if you wanted to ensure that each of your EC2 instances was tagged with information for your accounting department, you could write a custom signature to do this.

For reference and sample code, please visit our public Github page (https://github.com/EvidentSecurity/custom_signatures).

Definitions

A definition is the archival system that keeps a snapshot of the code for the custom signature. There may be multiple definitions for a single custom signature, each with a unique version number, language, and code.

All definitions possess a status designed to quickly convey information about it:

Lifecycle of a Definition

A definition is created when a user creates a custom signature in the Evident Security Platform. Once the user has inserted the code of the signature into the definition, it is validated by the custom signatures engine. Evident will vet the new code of the custom signature to ensure that everything is working as intended and once validated, the status of this definition will be set to active. The new custom signature will then be included in future report intervals.

If a definition fails validation, Evident.io pushes it back into the editable status. Once a new definition is activated, the previous definition will be archived (only one active at a time). Once archived, a definition cannot be changed and is just there for visibility.

Results

Results are a record used for tracking the manual runs of a definition. Whenever a definition is tested, a result is created. A definition may have multiple results.

All results possess a status designed to quickly convey information about it:

When a result is generated, ESP runs a test of the definition and saves all alerts generated. If the result generates errors, ESP sets it to the failed state. Evident.io saves the first 100 alerts generated per result, using the same checks that are performed in the validating phase of definitions. A failed result may or may not have alerts, but there will be some kind of error along with them.

Creating a Custom Signature

To create a custom signature within ESP:

  1. Click Control Panel.

  2. Click Custom Signatures.

    Custom Signatures

  3. Click New.

    Create a Custom Signature

  4. Enter the information for the custom signature.

  5. Click Submit.

  6. Insert the code for the custom signature.

    Custom Signature Options

  7. Select the Region and External Account against which you wish to validate this custom signature.

  8. Click Run to validate this custom signature.

    Run Custom Signature

  9. Once you have inserted the code for custom signature, click Save.
    In this example, the code is saved as Definition Version 1.

Definition Version 1

The maximum run time for a definition is five minutes. If you later create a new version of the code after this definition has been activated, it will archive the old definition.

Viewing a Custom Signature

To view the custom signatures:

  1. Click Control Panel.

  2. Click Custom Signatures.

This page displays all of the relevant information about the custom signature and the status of the definition.

ESP Custom Signature View

Copy a Built-in Signature

  1. Click Control Panel.
  2. Click Signatures.
  3. Find the signature you want to copy.
  4. Click on Copy & Customize.
  5. Enter the information for the custom signature.
  6. Click Submit.
  7. Click Save.

The maximum run time for a definition is five minutes. If you later create a new version of the code after this definition has been activated, it will archive the old definition.

Integrations

An integration is a notification channel through which Evident.io sends the alerts for the signatures you choose to the teams that need them.

To Add an Integration:

  1. Under Control Panel, click Integrations.
  2. Click Add Integration.
  3. Select the service you wish to engage as an Integration.
  4. Follow the instructions for the individual service.

Amazon SNS

Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, fully managed push notification service that lets you send individual messages or to fan-out messages to large numbers of recipients. Amazon SNS makes it simple and cost effective to send push notifications to mobile device users, email recipients or even send messages to other distributed services.

For more information, see https://aws.amazon.com/sns/

SNS Topic

Create a topic in the AWS Management Console

  1. On the SNS page, select Create Topic.
  2. When the new-topic modal shows, enter a topic name and click Create Topic.
  3. You will be redirected to the topic page.
  4. Select the text for Topic ARN and copy it. Paste that ARN into the Topic ARN field of the SNS integration form in ESP.
  5. Select the region the topic was created in from the Region dropdown list.

Credentials

The following steps create an IAM role that Evident.io can assume from its own AWS account to publish alert messages to your SNS topic. The role is deliberately narrow: its permission policy allows only sns:Publish on that one topic, and its trust policy requires an External ID so that only this integration, and not another customer served from the same Evident.io account, can assume it.

  1. On the AWS Services page, select the IAM service.
  2. Select Policies on the left menu.
  3. Click Create Policy.
  4. Select Create Your Own Policy.
  5. Name the policy EvidentSNSIntegrationPublish
  6. Next, copy the policy below into the Policy Document field.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sns:Publish"
                ],
                "Effect": "Allow",
                "Resource": "<SNS TOPIC ARN>"
            }
        ]
    }
    
  7. When you are finished click Create Policy.
  8. Select Roles on the left menu.
  9. Select Create New Role.
  10. Select the radio button Role for Cross-Account Access.
  11. Select Provide access between your AWS account and a 3rd party AWS account.
  12. Enter the Account ID of the Evident.io service.
    Account ID: 762160981991
  13. Enter the External ID shown in the ESP integration form into the External ID field of the AWS dialog box. The External ID is generated for you when the form loads; refreshing the page generates a new one, so if you refresh after creating the role, update the role's trust policy condition to match the value ESP saves.
    External ID (example): 913b2dc0-9bfd-45e0-b148-6d0f6bd6d6ce
  14. Verify that Require MFA is not enabled; ESP assumes the role programmatically and cannot answer an MFA prompt. Click Next Step.
  15. AWS will open a window with a list of policies. Select the policy you created above. Click Next Step.
  16. Set Role Name.
    ESP recommends that you name the role Evident-Service-Role-SNS-Integration
    Click Create Role.
  17. Click the Role. Copy the Role ARN string.
  18. Return to ESP and paste the Role ARN into the ARN field.
  19. Enter the appropriate information into the remaining fields.
  20. Click Save.
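The two documents behind that role, and a check that they stay as narrow as the steps intend, as an added example in Python that is not Evident.io's code. It builds the permission policy from step 6 and the trust policy the console wizard writes in steps 10 through 13, then audits both: the only principal must be the Evident.io account, an sts:ExternalId condition must be present (the guard against another tenant of the same service account assuming your role), and the permission policy must allow nothing beyond sns:Publish on the one topic. The topic ARN, the function names and the exact trust-document shape are assumptions, not taken from the page; to audit an existing role, load the real documents from the IAM console with json.loads and pass them to audit_integration_role.

```python
"""Added example, not Evident.io's code: build the two IAM documents behind the
SNS integration role and check that they stay as tight as the steps intend.

Assumptions not taken from the page: the trust document is the shape the IAM
console wizard writes for a third-party cross-account role; the topic ARN is a
constructed sample; function and variable names are hypothetical.
"""
import json

ESP_ACCOUNT_ID = "762160981991"                                   # service account from the page
EXTERNAL_ID = "913b2dc0-9bfd-45e0-b148-6d0f6bd6d6ce"              # example value from the page
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:evident-alerts"   # constructed sample


def _as_list(value):
    """IAM allows either a string or a list in Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def publish_policy(topic_arn):
    """Permission policy from step 6: sns:Publish on exactly one topic."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Action": ["sns:Publish"], "Effect": "Allow", "Resource": topic_arn}],
    }


def trust_policy(esp_account_id, external_id):
    """Trust document the wizard in steps 10-13 produces: one account, one External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{esp_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_integration_role(trust, permissions, esp_account_id, topic_arn):
    """Return a list of findings; an empty list means the role matches the steps above."""
    findings = []
    for st in trust.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn == "*":
                findings.append("trust: wildcard principal lets any AWS account assume the role")
            elif esp_account_id not in arn:
                findings.append(f"trust: unexpected principal {arn}")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
    for st in permissions.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = [a for a in _as_list(st.get("Action")) if a != "sns:Publish"]
        if extra:
            findings.append(f"permissions: actions beyond sns:Publish: {extra}")
        wide = [r for r in _as_list(st.get("Resource")) if r != topic_arn]
        if wide:
            findings.append(f"permissions: resource not limited to the topic: {wide}")
    return findings


if __name__ == "__main__":
    trust, perms = trust_policy(ESP_ACCOUNT_ID, EXTERNAL_ID), publish_policy(TOPIC_ARN)
    print(json.dumps(trust, indent=2))
    print("findings:", audit_integration_role(trust, perms, ESP_ACCOUNT_ID, TOPIC_ARN))
```

Running the file prints the trust document and an empty findings list; dropping the Condition block, widening the principal to "*", or changing the Resource to "*" each produces a finding, which is the regression you want to catch when someone later "simplifies" the role.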

HipChat

HipChat is hosted group chat and video chat built for teams. Supercharge real-time collaboration with persistent chat rooms, file sharing, and screen sharing. This integration will send new alerts to a HipChat room. We only support API v2. For more information, see the HipChat integration documentation.

  1. From the admin panel, go to the Rooms tab.
  2. Pick the room you would like alerts to be sent to and then choose Tokens from the left hand menu.
  3. Enter Evident in the label and create the token.
  4. Paste the token that HipChat provides into the ESP integration form, and enter the room name or room ID in the room field.

JIRA

JIRA is a workflow management system that lets you track your work in any scenario.

Integrating JIRA with ESP will automatically create new issues for new alerts that you subscribe to. For example, if you subscribe to the failing status and an alert starts as fail, changes to pass on a later run, and then fails again, two issues will be created, one for each fail.

The Evident to JIRA integration requires five pieces of JIRA-specific information, described in the following sections:

URL

The JIRA REST API is enabled by default and has the following format:

For the ESP integration, you only need the host and port portion of the URL. If you are using a standard port (80|443), you do not need to include the port number.

For more information, refer to the JIRA REST API documentation.

Project Key

The JIRA integration needs to be associated with a specific JIRA Project. When you create a JIRA Project, you are required to designate a Key. Include this Key when you configure the JIRA integration.

For detailed information on how to manage a JIRA Project, please refer to the JIRA documentation.

Issue Type

The JIRA integration needs to be associated with a specific JIRA Issue Type. Examples of the default Issue Types are Task, Bug, Improvement. You will need to decide which Issue Type to include when configuring the JIRA integration.

Given ESP’s Compliance and Security use case, consider creating a unique Issue Type for the ESP alerts such as “SecurityFinding”. For information on how to add an issue type, please refer to the JIRA documentation on creating a new Issue Type.

For more detailed information on Issue Types, please refer to the JIRA documentation.

Username/Password

The ESP to JIRA integration uses Basic Auth, so you will need a user with access to the Project designated in the previous step. Use a dedicated integration user that has only the permissions needed to create issues in that project, rather than a personal account. For specifics on how to create a JIRA user and assign access, please refer to the JIRA documentation.

Test JIRA Configuration

Before configuring the ESP integration you may want to test your JIRA configuration by following these instructions. This example uses curl, so you will need a bash shell with curl installed.

  1. Create a text file (for example test.txt) with the following, substituting your project key and issue type:
    {
        "fields": {
            "project": {
                "key": "Your_Project_Key"
            },
            "summary": "JIRA configuration test",
            "description": "Creating an issue via REST API",
            "issuetype": {
                "name": "SecurityFinding"
            }
        }
    }


  2. Use curl to create an issue. The -D- flag prints the response headers so you can see the status code. If you pass only -u USERNAME, curl prompts for the password, which keeps it out of your shell history:
    curl -D- -u USERNAME:PASSWORD -X POST --data-binary "@FILENAME" -H "Content-Type: application/json" https://jirahost.example.com/rest/api/latest/issue/


  3. If the command succeeds, JIRA returns 201 Created with headers similar to the following:
    HTTP/1.1 201 Created
    Server: nginx
    Date: Wed, 22 Feb 2017 15:22:14 GMT
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-AREQUESTID: 622x1128x1
    X-AUSERNAME: USERNAME
    X-ATENANT-ID: jirahost.example.com
    Cache-Control: no-cache, no-store, no-transform
    X-Content-Type-Options: nosniff
    Set-Cookie: JSESSIONID=974A7D7832157FEB89DF7EFA90EA8691; Path=/; Secure; HttpOnly
    Set-Cookie: atlassian.xsrf.token=BE2J-9QGD-DHYI-2L1Q|95d23adf9a7127427b08570d0955caf2b408daca|lin; Path=/; Secure
    Strict-Transport-Security: max-age=315360000;includeSubDomains
    

Create JIRA Integration in ESP

  1. Log into ESP.
  2. Navigate to Control Panel > Integrations.
  3. Click the JIRA icon.

    JIRA Icon

  4. Enter the information in the following fields, based on the information from the previous sections:
    1. URL
    2. Project Key
    3. Issue Type
    4. Username
    5. Password

    JIRA Integration

  5. Click Save.

PagerDuty

PagerDuty provides alerting, on-call scheduling, escalation policies and incident tracking to increase uptime of your apps, servers, websites and databases. Check the PagerDuty guide for help.

Provide a PagerDuty API Key in the integration form and ESP will create incidents for the signatures you choose. If you subscribe to the Fail/Warn/Error alert statuses, ESP creates incidents for those alerts, and resolves them if the alerts later pass and you also subscribed to Pass.

Note: Incidents are only created for new alerts. If you set your incidents to auto-resolve after a certain amount of time, a new incident will not be created for the same alert once its incident has auto-resolved.

  1. From your PagerDuty dashboard, click Services at the top.
  2. Click the Add New Service button on the services page.
  3. Name the service and set the escalation policy to your preferences.
  4. Under Integration Type, choose Select a Tool then select Evident.io from the list.
  5. Copy the Service API Key that PagerDuty displays for the new service and enter it in the ESP integration form.

ServiceNow

ServiceNow is a software platform that supports IT service management and automates common business processes.

This integration will use the ServiceNow API to create new incidents for alerts. For more information, see the Service Now integration documentation.

From your instance Home page, click User Administration.

  1. Click Users and select the user you want to make API calls with.
  2. Scroll down to the Roles section and click Edit.
  3. From the Collection box, find rest_service and move it to Roles List and Save.
  4. In the ESP integration form, enter your ServiceNow Instance URL, which should be in the format https://<instance name>.service-now.com
  5. Authentication is handled with Basic Auth, so the username and password of that user are required to access the ServiceNow API. Use a dedicated integration user rather than a personal account; ESP stores the credentials encrypted.

Slack

Slack brings all your communication together in one place. It’s real-time messaging, archiving and search for modern teams. For more information, see the Slack integration documentation.

This integration will send new alerts to a Slack channel.

  1. From the Integration page on Slack, choose Incoming Webhooks.
  2. Pick the channel you would like messages to be posted to and choose Add Incoming Webhooks Integration.
  3. Enter the Webhook URL that Slack provides into the ESP integration form. Treat the URL as a secret: anyone who holds it can post messages to the channel.

Webhook

Webhooks are user-assigned URLs to which Evident.io POSTs alerts. This integration sends new alerts to a URL you designate. For more information, see the Webhook integration documentation.

  1. In the field in the integration form, enter the URL that should receive alerts POSTed from Evident.io.
  2. NOTE: Only HTTPS URLs are allowed. The endpoint must return a 200 status code, or the delivery is considered a failure and the message is retried. Because of the retries, the endpoint may receive the same alert more than once, so make its handling idempotent.
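A receiver that honours those rules, as an added example in Python that is not Evident.io's code: a small WSGI app that accepts POSTs on one path, answers 200 only once an alert has been recorded, and acknowledges retried deliveries without reprocessing them. Assumptions not taken from the page: the body is JSON with the alert identifier at data.id (hypothetical field names), and, since the page documents no request signature, an unguessable path segment serves as the shared secret. TLS termination sits in front of the app, because ESP only posts to HTTPS URLs.

```python
"""Added example, not Evident.io's code: the receiving side of the Webhook
integration as a small WSGI app (runs under any WSGI server, TLS terminated in
front of it, since ESP only posts to HTTPS URLs).

Assumptions not taken from the page: the POST body is JSON with the alert id at
data.id (hypothetical field names); the page documents no request signature, so
an unguessable path segment stands in for a shared secret; because ESP retries
any delivery that did not get a 200, duplicates are acknowledged, not reprocessed.
"""
import json
from wsgiref.simple_server import make_server

WEBHOOK_PATH = "/evident/7f3c9e2a"   # hypothetical random segment; treat the full URL as a secret
_seen_ids = set()                     # in-memory for the example; use a durable store in production

# Constructed sample body, shaped like the JSON:API documents the Splunk searches below parse.
SAMPLE_ALERT = b'{"data": {"id": "alert-1", "attributes": {"resource": "sg-0a1b2c3d"}}}'


def process_alert(body, seen):
    """Return (http_status, note). Idempotent: a redelivered alert gets 200 without being re-raised."""
    try:
        alert = json.loads(body)
        alert_id = alert["data"]["id"]
    except (ValueError, KeyError, TypeError):
        # ESP will retry a non-200; a body that keeps failing means the payload format changed.
        return 400, "malformed"
    if alert_id in seen:
        return 200, "duplicate"
    seen.add(alert_id)
    # Hand the alert to ticketing, paging, etc. here; only then acknowledge it.
    return 200, "accepted"


def app(environ, start_response):
    """WSGI entry point: only POSTs to the secret path are accepted; everything else is 404."""
    if environ.get("PATH_INFO") != WEBHOOK_PATH or environ.get("REQUEST_METHOD") != "POST":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length)
    status, note = process_alert(body, _seen_ids)
    reason = "OK" if status == 200 else "Bad Request"
    start_response(f"{status} {reason}", [("Content-Type", "text/plain")])
    return [note.encode()]


if __name__ == "__main__":
    print(process_alert(SAMPLE_ALERT, set()))            # (200, 'accepted')
    make_server("127.0.0.1", 8000, app).serve_forever()  # bind locally; put TLS in front
```

The important design choice is where the 200 is sent: only after the alert has been stored or handed off, so that a crash in between leaves the delivery unacknowledged and ESP's retry recovers it, while the id set makes that retry harmless.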

Splunk

Splunk Enterprise is the leading platform for real-time operational intelligence. It's the easy, fast and secure way to search, analyze and visualize the massive streams of machine data generated by your IT systems and technology infrastructure—physical, virtual and in the cloud.

To setup your Splunk Integration:

  1. Install and configure the Splunk App for Evident.io from Splunkbase:
    1. Log into Splunk Web and navigate to Apps > Manage Apps.
    2. Click “Install App from File.”
    3. Click Choose file, select the app package you downloaded from Splunkbase, and click Upload.
    4. Restart your Splunk Web, (Settings > Server Controls > Restart Splunk.)
    5. A new Evident.io application will be listed in the Splunk Console.
    6. Add a Field Alias (Settings -> Fields -> Field Aliases) with the following parameters:
      1. Destination app = splunk_app_evidentio
      2. Apply to, sourcetype = aws-evidentio
      3. Field alias, "Records{}.Sns.Message" to "Message"
    7. Update Splunk Evident.io App
      1. Go to Splunk Evident.io App
      2. Click Edit.
      3. Click Source.
      4. Copy and Paste the following into the editor and save:
        <form>
          <label>Evident.io Overview Dashboard</label>
          <fieldset submitButton="true">
            <input type="time" token="time">
              <label>Time</label>
              <default>
                <earliest>-24h@h</earliest>
                <latest>now</latest>
              </default>
            </input>
            <input type="dropdown" token="resource_type" searchWhenChanged="true">
              <label>Resource Type</label>
              <choice value="*">All</choice>
              <choice value="vol*">Volume</choice>
              <choice value="vpc*">VPC</choice>
              <choice value="i*">Instance</choice>
              <choice value="acl*">ACL</choice>
              <choice value="subnet*">Subnet</choice>
              <choice value="sg*">Security Group</choice>
              <default>*</default>
            </input>
          </fieldset>
          <row>
            <panel>
              <title>Severity Breakdown</title>
              <chart>
                <title>By Resource</title>
                <search>
                  <query>index=main sourcetype=aws-evidentio Message &gt; 1  | spath input=Message|  search data.attributes.resource = "$resource_type$*" |  rename "included{}.attributes.risk_level" as "Severity" | stats count by Severity</query>
                  <earliest>$time.earliest$</earliest>
                  <latest>$time.latest$</latest>
                </search>
                <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
                <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
                <option name="charting.axisTitleX.visibility">visible</option>
                <option name="charting.axisTitleY.visibility">visible</option>
                <option name="charting.axisTitleY2.visibility">visible</option>
                <option name="charting.axisX.scale">linear</option>
                <option name="charting.axisY.scale">linear</option>
                <option name="charting.axisY2.enabled">0</option>
                <option name="charting.axisY2.scale">inherit</option>
                <option name="charting.chart">pie</option>
                <option name="charting.chart.bubbleMaximumSize">50</option>
                <option name="charting.chart.bubbleMinimumSize">10</option>
                <option name="charting.chart.bubbleSizeBy">area</option>
                <option name="charting.chart.nullValueMode">gaps</option>
                <option name="charting.chart.showDataLabels">none</option>
                <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
                <option name="charting.chart.stackMode">default</option>
                <option name="charting.chart.style">shiny</option>
                <option name="charting.drilldown">all</option>
                <option name="charting.layout.splitSeries">0</option>
                <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
                <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
                <option name="charting.legend.placement">right</option>
              </chart>
            </panel>
            <panel>
              <title>Resource Breakdown</title>
              <table>
                <search>
                  <query>index=main sourcetype=aws-evidentio Message &gt; 1   | spath input=Message  | rename data.attributes.resource as resource | search resource = "$resource_type$*" | rename included{}.attributes.data.details.attachedEC2Instances{} as Instance | rename included{}.attributes.resolution as Resolution| rename included{}.attributes.data.details.securityGroup.vpcId as VPC | rename included{}.attributes.risk_level as Severity | stats count as "Number of Alerts",values(Instance) as "Associated EC2 Instances" by Severity, resource | sort + Severity</query>
                  <earliest>$time.earliest$</earliest>
                  <latest>$time.latest$</latest>
                </search>
                <option name="charting.chart">bar</option>
                <option name="wrap">true</option>
                <option name="rowNumbers">false</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">cell</option>
                <option name="count">10</option>
              </table>
            </panel>
          </row>
          <row>
            <panel>
              <title>Resolution</title>
              <table>
                <search>
                  <query>index=main sourcetype=aws-evidentio Message &gt; 1    | spath input=Message   | rename data.attributes.resource as resource | search resource = $resource_type$ | rename included{}.attributes.resolution as Resolution | table  Resolution</query>
                  <earliest>$time.earliest$</earliest>
                  <latest>$time.latest$</latest>
                </search>
                <option name="wrap">true</option>
                <option name="rowNumbers">false</option>
                <option name="dataOverlayMode">none</option>
                <option name="drilldown">cell</option>
                <option name="count">10</option>
              </table>
            </panel>
          </row>
        </form>
        
  2. Create an HTTP Event Collector (HEC) token.
    1. From the Settings menu, select Add Data.
    2. Select Monitor, and then in the left pane, select HTTP Event Collector. The right pane populates with fields for HEC end point.
    3. In the Name field, enter a name for the token that describes its purpose and that you will remember.
    4. Click Next. The Input Settings page displays.
    5. For Source Type, choose "Select" and input "aws-evidentio"
    6. For Index, choose "main"
    7. Click Review. Confirm that all settings for the endpoint are what you want. If you need to change settings, click the gray < button at the top of the page.
    8. If all settings are what you want, click Next. The success page loads and displays the token value that Event Collector generated. You can copy this token value from the displayed field and paste it into another document for reference later. See "About Event Collector tokens."
  3. Create the AWS Lambda Function.
    1. Log into your AWS Console and navigate to the Lambda service.
    2. Click Create a Lambda Function.
    3. In the Filter box, type "splunk-logging" and click the result.
    4. Give your Lambda function a name; "GetDataFromEvidentio" is suggested.
    5. Encrypt your Splunk HEC token with the AWS CLI (aws kms encrypt), using the KMS key generated per the video referenced in step 3. The HEC token is a bearer credential: keep only the ciphertext in the function configuration and never write the decrypted token to logs.
    6. By default, the function generates 5 Splunk events per invocation. Modify the function to fit your needs.
    7. Note: You can use the unencrypted HEC token with curl to confirm that the collector accepts events outside of Lambda. After that, run the test function in Lambda per the video to make sure it works before subscribing it to the SNS topic.
  4. Configure the Evident SNS Integration.
    1. Create a topic in the AWS Management Console per the instructions in the integration reference.
    2. Create a cross-account policy that allows ESP to publish SNS notifications to that topic per reference.
  5. Go to your AWS SNS topics and subscribe your Lambda function to the topic collecting data from Evident.io.
    Note: If this is a new SNS topic, you may wish to subscribe an email address to it first to make sure the path from ESP to the SNS topic is working correctly before adding the Lambda function.
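The forwarding step in Python, as an added example that is neither Evident.io's code nor the splunk-logging blueprint: an SNS-triggered Lambda handler that wraps each SNS record in a HEC event with sourcetype aws-evidentio and keeps the record whole, so the Records{}.Sns.Message field alias and the spath searches in the dashboard above apply unchanged. Assumptions not taken from the page: HEC_URL and HEC_TOKEN_CIPHERTEXT are environment variables on the function, the ciphertext was produced with aws kms encrypt as step 3.5 describes, and the sample event at the bottom is constructed.

```python
"""Added example, not Evident.io's code and not the splunk-logging blueprint:
an SNS-triggered Lambda handler that forwards each Evident.io alert to the HEC
token from step 2 with sourcetype aws-evidentio.

Assumptions not taken from the page: HEC_URL and HEC_TOKEN_CIPHERTEXT are
environment variables, the token was encrypted with `aws kms encrypt`, and the
Splunk event carries the SNS record whole so that Records{}.Sns.Message exists.
"""
import base64
import json
import os
import urllib.request

SOURCETYPE = "aws-evidentio"   # matches the HEC token and the field alias above


def decrypt_hec_token():
    """Decrypt the KMS-encrypted token at call time; never log the plaintext."""
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs offline
    blob = base64.b64decode(os.environ["HEC_TOKEN_CIPHERTEXT"])
    return boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"].decode()


def build_hec_events(event):
    """One HEC event per SNS record, keeping Records[].Sns intact for the field alias."""
    events = []
    for record in event.get("Records", []):
        sns = record.get("Sns", {})
        if "Message" not in sns:
            continue  # not an SNS delivery; skip it rather than fail the whole batch
        events.append({
            "sourcetype": SOURCETYPE,
            "source": sns.get("TopicArn", "evident.io"),
            "event": {"Records": [{"Sns": sns}]},
        })
    return events


def hec_payload(events):
    """HEC accepts several JSON objects concatenated in one request body."""
    return "".join(json.dumps(e) for e in events).encode()


def post_to_hec(payload, hec_url, token):
    """POST the batch to the collector endpoint and return the HTTP status."""
    req = urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=payload,
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context):
    events = build_hec_events(event)
    if not events:
        return {"forwarded": 0}
    status = post_to_hec(hec_payload(events), os.environ["HEC_URL"], decrypt_hec_token())
    if status != 200:
        raise RuntimeError(f"HEC returned {status}")  # failing lets SNS retry the delivery
    return {"forwarded": len(events)}


# Constructed sample of what SNS hands the function: Message is the JSON string ESP published.
SAMPLE_EVENT = {
    "Records": [{
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:evident-alerts",
            "Message": json.dumps({"data": {"attributes": {"resource": "sg-0a1b2c3d"}},
                                   "included": [{"attributes": {"risk_level": "High"}}]}),
        }
    }]
}

if __name__ == "__main__":
    print(hec_payload(build_hec_events(SAMPLE_EVENT)).decode())
```

Because Message stays a JSON string inside the event, the dashboard's `spath input=Message` still parses it, and a non-200 from the collector is turned into an exception on purpose so that the delivery is retried rather than silently dropped.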

Sumo Logic App for ESP

The Evident.io Evident Security Platform (ESP) streamlines and optimizes vulnerability and risk management. It continuously monitors the AWS cloud, automatically identifies security misconfigurations, enables rapid mitigation of risk through guided remediation and provides visibility into its findings through integrations with a central security analytics platform like Sumo Logic.

By combining the vulnerability and identified security misconfigurations from Evident and other data sources, you can reduce your security risk and improve your overall security posture.

Use the preconfigured searches and Dashboards in the Sumo Logic App for Evident.io ESP to investigate Evident-specific events and provide operational visibility to team members without logging into Evident.io.

Log Types

The Sumo Logic App for Evident.io ESP uses monitoring alerts. For details on the log format and definitions, refer to Evident.io documentation at http://docs.evident.io/.

Collect Logs for Evident.io

To collect logs for Evident.io, you will perform the following steps, detailed in the sections below:

  1. Configure an Evident.IO Integration with AWS SNS
  2. Add a Sumo Logic Hosted Collector and HTTP Source.
  3. Subscribe to SNS Notifications.

Configure an Evident.io Integration with AWS SNS

To configure an Evident.io Integration with AWS SNS:

  1. In Evident.io, add an Integration.
  2. Enable an AWS SNS integration.
  3. In the AWS SNS Topic you created, enable Raw Message Delivery. Raw message delivery is an attribute of a subscription, not of the topic, so set it on the HTTPS subscription for the Sumo Logic HTTP Source (created under Subscribe to SNS Notifications below):
    1. Select the AWS Topic.
    2. Click Other subscription actions.
    3. Click Edit subscription attributes.
    4. Select the Raw message delivery check box.
    5. Click Set subscription attributes.

Add a Sumo Logic Collector and Source

  1. In Sumo Logic, configure a Hosted Collector.
  2. Configure an HTTP Source:
    1. Name: Evident.io SNS Integration
    2. Source Category: security_evident
  3. In the Advanced section, configure the following:
    1. Enable Timestamp Parsing: activate the check box Extract timestamp information from log files.
    2. Time Zone: select Ignore time zone from log file, and select (UTC) Etc/UTC.
  4. Processing Rules: create the following Mask Rule.
    1. Name: Enable proper timestamp parsing
    2. Filter: \"(?:created_at|updated_at|ended_at)\":\"\d+-\d+-\d+(T)\d+:\d+:\d+.\d+Z\"
    3. Type: Mask messages that match
    4. Mask String: t
    A mask rule replaces only the capture group, here the T between date and time, so the created_at, updated_at and ended_at values in the alert no longer look like ISO 8601 timestamps and Sumo Logic's timestamp parsing does not mistake them for the message time.
  5. Click Apply.
  6. Click Save.
  7. Copy the HTTP Source Address URL and use it in the following section.

Subscribe to SNS Notifications

Once the Hosted Collector and HTTP Source are configured, subscribe to Evident.io SNS Notifications:

  1. In the AWS Management Console, go to SNS > Topics, and find the topic you created in Configure an Evident.IO Integration with AWS SNS.
  2. Select the checkbox for the topic.
  3. Under Amazon SNS, in the Actions menu, select Subscribe to Topic.
  4. Under Protocol, select HTTPS, and paste the Sumo Logic HTTP Source URL into the Endpoint field.
  5. Click Create Subscription.
  6. In a few minutes, a confirmation message is sent to Sumo Logic.
  7. In Sumo Logic, search for the new message from your HTTP Source. For example, use the query _sourceCategory="security_evident".
  8. In the Messages tab, parse the message for the JSON field SubscribeURL and copy it to your clipboard.
  9. In the AWS Management Console, select SNS > Topics.
  10. Under Amazon SNS > Actions, select Confirm a subscription.
  11. Paste the SubscribeURL into the field Subscription confirmation URL, and click Confirm subscription.

Install the Evident.io App

To install the App:

  1. In the Library, click the Preview tab.
  2. Select Evident.io.
  3. Click Install.
  4. In the Install Application dialog box, select Select from _sourceCategory values and choose security_evident.
  5. Click Install.
  6. When the Confirm dialog displays, click Go to navigate to the installed app.

Intervals

To avoid rate limits, Evident.io has added two features that help you control how often your External Account sends API calls to Amazon Web Services.

Report Intervals

The report interval is the time between report runs for a team.

Report Intervals

  1. Go to Control Panel > Teams
  2. Select the interval period for Evident.io to run reports for this team. You can choose intervals of 1 (default), 3, 6, 12, and 24 hours.

Scan Intervals

The scan interval is the number of minutes between scans of each AWS service. Evident.io recommends using this feature only if you have a large AWS account with many resources or you are experiencing rate limiting from AWS. The default for each service is 15 minutes.

  1. Select Control Panel > External Accounts > Scan Intervals


    Scan Intervals

  2. Click Set or Edit on the Service you wish to modify.
  3. Select the scan interval for that service from the pull-down menu.
    The interval options are 5, 15, 30, 45, 60 and 120 minutes, 12 hours, and 24 hours.
  4. Click Submit.

Organization

The Evident Security Platform (ESP) provides visibility into the security state of the shared security responsibilities customers have in AWS.

ESP also has the ability to control access to security reports based on a hierarchical organizational structure. You can design the structure to match your company’s organizational structure, or one that makes sense with your security remediation workflow. This is also an important requirement for Segregation of Duties (SOD) controls in the various compliance frameworks, such as HIPAA, ISO 27001, SOC 2, etc.

The structure in ESP, from the broadest to the finest-grained visibility, is: Organization, Sub-Organization, Team.

An ESP Organization has the ability to silo AWS accounts and ESP users within specific Sub-Organizations and Teams.

Consider a ‘Customer’ role user, bob@example.com, that is assigned to Team Red under Sub-Organization B in Organization Example. Bob would be able to view reports for AWS accounts that are under Team Red. Sub-Organization B also has a Team Blue, but this would not show up in the dashboard at all for Bob since he is not a part of Team Blue. Bob would not be able to change any configuration settings for accounts he can view.

Consider also a ‘Manager’ role user, jeff@example.com, that is assigned to the same Sub-Organization B that was described in the previous scenario. Jeff is assigned specifically to the Sub-Organization B, so he can view reports for both Team Blue and Team Red. He can also modify integration settings, or scan intervals since he is a ‘Manager’ role user.

Jeff has access to both Team Blue and Team Red because he was assigned to the Sub-Organization and not to a specific team. Bob only has access to Team Red because he was assigned specifically to Team Red, and not to Team Blue.

You must make the decision where to place the Users and External accounts. Visibility of ESP security reports is completely controlled in the Users window in the ESP Control Panel.

The following is an example of how complex the reporting structure can be:

Organization Configuration Example

As far as security assessments are concerned, someone with broad security responsibilities throughout a company should have visibility for every sub organization and team, while a software developer would only need to view reports for his particular team. Visibility into organizations/sub organizations/teams is explicit. If a user should be seeing a particular team’s report (or all reports), that user must be added every time a new team and external account is created.

In the example below, we take a fictitious user, evidentdemo@xxxxx.com and give him access to all teams:

We can easily remove access by unchecking the sub organization or team in the list and clicking save.

Edit user

This would generate a report (and dashboard) view such as the following:

ESP Dashboard

As you can see, ESP can help you satisfy SOD controls for compliance and your organization, while giving flexibility in the constant changing world of DevOps and AWS account security management.

Create a Sub-Organization

  1. Go to Control Panel > Sub-Organization.


    Sub-Organization

  2. Name the new sub-organization and select the organization it’s under. An example is below.


    Sub-Organization

  3. Select Submit and it will save the new Sub-Organization and take you back to the Sub-Organization page.

Create a Team

  1. Go to Control Panel > Team.
  2. Click New in the top right of the page, under the Reports button.


    Create a Team

  3. The New Team page will come up. Fill out this form with the name of the new team, the report interval, and the sub organization. Select Submit and you will be taken back to the Teams page. An example of the new Team form is below.


    Create a Team

Create a User

  1. Go to Control Panel > Users and then click the New button in the top right of the page under the reports button.


    Create a User

  2. The New User page will come up. Fill out this form with the user's first and last name, email, phone number, time zone, organization, sub-organization, and teams. Selecting the sub-organization is what populates the options for the Teams field. An example of the New User form is below.


    Create a User

  3. Click Send Invitation.

Create External Accounts

  1. Go to Control Panel > External Accounts.


    Create External Accounts

  2. Click New.
  3. Create the IAM role that ESP will assume for this account and copy its ARN.
  4. Fill in the ARN fields: the role ARN, the name of the external account, and the team the external account will be under.
  5. Select Submit and it will save the external account and take you to the external account page.

Delete a User

  1. Go to Control Panel > Users.
  2. Select Search(open).


    Delete a User

  3. Fill in the user’s Email Address and press Search.


    Delete a User

  4. The user will be displayed below the query.
  5. Select the red Delete button to the right of the user’s email address.


    Delete a User

  6. A verification page will come up.
  7. Select the box in front of “I understand, please delete this user”.
  8. Select the red Delete User button.


    Delete a User

  9. The user will be deleted and you will be taken back to the Users page.

Add a User to a Sub-Organization

  1. Go to Control Panel > Users.
  2. Select Search(Open).


    Add a User to a Sub-Organization

  3. Fill in the user’s Email.
  4. Select Search.


    Add a User to a Sub-Organization

  5. The user will be displayed below the query.
  6. Select Edit to the right of the user’s email address.


    Add a User to a Sub-Organization

  7. The Edit Users page comes up.
  8. Click into the Sub-Organization.
  9. Select a Sub-Organization from the drop down list.
  10. Select Save.


    Add a User to a Sub-Organization

  11. The changes will save and take you back to the Users page.

Add a User to a Team

  1. In the Edit User page, click into the Teams field.
  2. Select the Team from the dropdown menu.


    Add a User to a Team

  3. Select Save.
  4. The changes will be saved and you will be taken back to the Users page.

Edit an Organization

  1. Go to Control Panel > Organizations.
  2. Select the Search(Close) button.


    Edit an Organization

  3. Enter the Organization’s name in the name field.
  4. Press Search.
  5. The Organization will show below the query.


    Edit an Organization

  6. Select Edit to the right of the organization’s name.


    Edit an Organization

  7. The Edit Organization page comes up.
  8. Edit any field that needs to be changed.


    Edit an Organization

  9. Select Save.
  10. The changes will be saved and you will be taken back to the Organizations page.

Edit a Sub-Organization

  1. Go to Control Panel > Sub-Organizations.


    Edit a Sub-Organization

  2. Select Search(Open).


    Edit a Sub-Organization

  3. Fill in the Organization and Sub-Organization Fields.
  4. Select Search.
  5. The Sub-Organization is displayed under the query.


    Edit a Sub-Organization

  6. Select Edit.


    Edit a Sub-Organization

  7. Change the Sub-Organization’s name.
  8. Press Submit.


    Edit a Sub-Organization

  9. The change will be saved and you will be taken back to the Sub-Organizations page.

Edit a Team

  1. Go to Control Panel > Teams.


    Edit a Team

  2. Select Search(Open).


    Edit a Team

  3. Fill in the Team Name.
  4. Select Search.
  5. The team will show up below the query.


    Edit a Team

  6. Select Edit.


    Edit a Team

  7. Edit the Name or the Report Interval.
  8. Select Submit.


    Edit a Team

  9. The changes will be saved and you will be taken back to the Teams page.


New Customer Walkthrough

The Evident Security Platform (ESP) is designed to work in tandem with Amazon Web Services (AWS) to help your business detect and manage security risks for your entire AWS infrastructure. Our application is configurable to allow for automated vulnerability detection, incident response, and compliance through continuous monitoring and analysis of AWS configuration and usage metadata.

This walkthrough is designed to help you maximize the value of your ESP trial membership by helping you focus on the most actionable alerts, to accurately evaluate security risks to the business.

The goal for this walkthrough is to make your security data organized, relevant, and actionable.

Step 1: Segregation of Duties with ESP Organizational Structures

The Evident Security Platform (ESP) has the ability to control access to security reports based on a hierarchical organization structure. You can design the structure to match your company’s organizational structure, or one that makes sense with your security remediation workflow.

Here’s the overall access structure for ESP:

You must decide where to place the Users and External accounts. Visibility of ESP security reports is controlled entirely in the Users window of the ESP Control Panel. The following is an example of how complex the reporting structure can be:

ESP Organization

As far as security assessments are concerned, someone with broad security responsibilities throughout a company should have visibility into every sub-organization and team, while a software developer should only have visibility into reports for their particular team. Visibility into organizations, sub-organizations and teams is explicit: if a user must see a particular team’s report (or all reports), that user must be added every time a new team and external account is created.

In the example below, we take a fictitious user, user@xxxxx.com, and give him access to all teams. We can easily remove access by unchecking the sub-organization or team in the list and clicking Save.

ESP Edit User Example

This would generate a report (and dashboard) view as follows:

ESP Dashboard

Step 2: Adding User Accounts

The next step is to add user accounts to the appropriate sections of your organization.

  1. Click Control Panel.

  2. Click Users.

    ESP Add Users

  3. Click New.

    ESP Add Users

  4. Enter the relevant information about your new user and assign him to the appropriate sub-organizations and teams as you desire.

    ESP Add Users

  5. When finished, click Save.

The new user will be able to examine data only through the lens of the organization levels you assigned to him (from the options you created in Step 1).

Step 3: Examining the Data

An alert is a potential risk identified by either a signature or a custom signature and collected in a report. ESP continually scans all of your assigned AWS business resources and collects all alerts into an easy-to-read aggregated report. This allows you and your security team to review all available information about your assets and to make an informed decision about the necessary steps to remediate them as needed.

ESP Alert Status

Initially, Evident Security Platform will be set to the Security Best Practices as recommended by Amazon Web Services. The next step will be to ensure that the signatures return alerts that contain actionable intelligence to meet your business needs.

Alert Status

Alerts are generated according to the following classifications:

Alert Severity

Every alert generated is placed into a severity level category designed to help you prioritize resources to address identified risks.

Each alert is tagged with a specific severity status indicating:

Step 4: Relevant Data Configuration

The next step is to examine the alerts from Step 3 and compare the triggered alerts with your specific business rules to determine if there are some signatures that should be configured differently to meet your business needs.

If a signature isn’t configured to exactly your needs, it can be suppressed or in some cases modified. This step will walk you through suppressing alerts.

  1. Take a look at the alerts generated. Click on the low risk category to further drill down into these alerts. This will allow you to review and evaluate the Evident.io defaults and best practices.

    ESP Alerts Generated

  2. The Security Report details all of the Low Risk alerts generated for your account.

    ESP Low Risk Alerts

  3. The EBS Snapshot Alerts are a good example of how your business rules may differ from the best practices recommended by Evident.io. The EBS Snapshot signature generates these alerts if you do not take a snapshot of your volumes every fifteen days.
    There are a number of logical business reasons why your policies might be different.
    1. You might not take snapshots from your development account; in that case you might want to suppress all alerts of this type for that account.
    2. Your volume might be part of a RAID array of disks, and therefore you will want to suppress this alert for a few specific volumes.
    3. You might take snapshots at a different frequency, and therefore you will want to customize the signature to match your business rules.
  4. Click Suppression Options at the bottom of the EBS Snapshot alert details.

    Snapshot Alert

  5. There are three different options you might take:
    1. If you want to suppress this alert for a few specific volumes, select Suppress this Alert. The alert will be suppressed for this individual volume only; the signature will still generate alerts for all other volumes, in all other regions.
    2. If you want to suppress all alerts of this type for this account, select Suppress this Signature. Evident will suppress this alert across all volumes, in all regions, by default. (This may be customized as needed.)
    3. If you take snapshots at a different frequency, you will want to customize the signature to match your business rules. This requires you to modify an existing signature. For more information, see Step 5: Modifying an Existing Signature.
    4. We recommend against suppressing entire regions, because you become blind to any alerts that might be generated from that region. This matters because an alert might hint at unauthorized usage in that region, for example if someone begins to run new services there. If a region isn’t being used, we recommend that instead of suppressing alerts you simply eliminate the VPCs in that region.
  6. For the purpose of this example, we’re going to suppress this alert to meet your business needs. Select Suppress Alert.

  7. Enter the business reason for this alert suppression.

    Suppress Alert

  8. Click Customize Configuration.

    Suppression Configurations

  9. The Suppression Configuration wizard allows you to select the accounts and regions from which you wish to suppress these alerts. If you wanted to ensure that development accounts did not receive these alerts, you could suppress them only for those accounts. You will need to create a suppression for each volume you do not want Evident to generate an alert for.

Step 5: Modifying an Existing Signature

Sometimes you want to modify an existing signature to create a custom signature that meets your business needs. For the purpose of this example, we’re going to presume that you want to customize the signature AWS:EC2-001 to alert you if you haven’t taken a snapshot of your volumes within the last 45 days, rather than 30 days.

  1. Click Control Panel.

  2. Click Signatures.

  3. Click Search.

  4. Enter AWS:EC2-001 in the Identifier field and click Search.

    Signatures Search

  5. Click Copy.

    Signatures Search

  6. Enter the appropriate information in the above fields. This allows you to name your custom signature, alter the risk level, and create your own Identifier. In this case, we changed the Identifier by adding the letter A at the end.

    Create Custom Signature

  7. Assign the region and External account you want associated with your custom signature.

    Custom Signature Options and Code

  8. The next step is to alter the code so that this signature generates an alert every 45 days instead of the standard 30.

    Custom Signature Code

  9. Change 30.days.ago to 45.days.ago. Review the error messages and modify all references to 30 days old to 45 days old.

    Custom Signature Code

  10. Once you are finished, click Run.

  11. You have now created a new custom signature that will generate an alert for you if your snapshot for your volume is older than 45 days.
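As an added illustration of the check that Step 5 parameterizes, here is the snapshot-age logic in plain Python. This is example code written for this page, not the ESP signature itself (ESP signatures are written in Ruby and express the cutoff as `30.days.ago`). It takes records in the shape of EC2 DescribeSnapshots output, keeps the newest snapshot per volume, and fails any volume whose newest snapshot is older than `max_age_days`, as well as any volume that has no snapshot at all. The snapshot and volume IDs and the fixed clock are constructed sample data.

```python
"""Added example: the snapshot-age check behind the EBS Snapshot signature, in
plain Python. Not ESP's own (Ruby) signature code."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed sample is reproducible.
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of EC2 DescribeSnapshots output (VolumeId, StartTime).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "VolumeId": "vol-0001", "StartTime": NOW - timedelta(days=10)},
    {"SnapshotId": "snap-0bbb", "VolumeId": "vol-0001", "StartTime": NOW - timedelta(days=60)},
    {"SnapshotId": "snap-0ccc", "VolumeId": "vol-0002", "StartTime": NOW - timedelta(days=40)},
]
# Volumes in the account; vol-0003 has never been snapshotted.
SAMPLE_VOLUMES = ["vol-0001", "vol-0002", "vol-0003"]


def latest_snapshot_per_volume(snapshots):
    """Map each VolumeId to the StartTime of its most recent snapshot."""
    latest = {}
    for snap in snapshots:
        vid = snap["VolumeId"]
        if vid not in latest or snap["StartTime"] > latest[vid]:
            latest[vid] = snap["StartTime"]
    return latest


def evaluate(volume_ids, snapshots, max_age_days=30, now=None):
    """Return {volume_id: (status, reason)} with status "pass" or "fail".

    max_age_days is the number the walkthrough edits: 30 in the copied
    signature, 45 in the custom one. A volume with no snapshot at all fails,
    since there is nothing to restore from.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)  # equivalent of Ruby's N.days.ago
    latest = latest_snapshot_per_volume(snapshots)
    results = {}
    for vid in volume_ids:
        taken = latest.get(vid)
        if taken is None:
            results[vid] = ("fail", "no snapshot exists for this volume")
        elif taken < cutoff:
            age = (now - taken).days
            results[vid] = ("fail", f"latest snapshot is {age} days old, limit is {max_age_days}")
        else:
            results[vid] = ("pass", f"latest snapshot is {(now - taken).days} days old")
    return results


def failing_volumes(volume_ids, snapshots, max_age_days=30, now=None):
    """Only the volume IDs that would raise an alert (one alert per resource)."""
    results = evaluate(volume_ids, snapshots, max_age_days, now)
    return sorted(vid for vid, (status, _) in results.items() if status == "fail")


if __name__ == "__main__":
    # Same data, the two thresholds from the walkthrough: vol-0002 (40 days old)
    # alerts at 30 days but not at 45; vol-0003 alerts under both.
    for days in (30, 45):
        print(days, failing_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, days, NOW))
```

Running it with both thresholds shows why the walkthrough asks you to change every reference to the limit: the cutoff drives both the pass/fail decision and the text of the alert, and a volume that has never been snapshotted should stay an alert whatever the threshold is.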

Step 6: Cleaning Up Unused Regions

Now that you have configured your alerts to better suit your needs, the next step is to clean up your unused regions for better security.

If you are receiving alerts from a region where you have no resources, then you should remove those VPCs. If needed at a later time, you can always re-add the VPC by calling AWS Support. By removing the VPC, you help prevent unexpected resources from being launched into a region. The alternative is to suppress an entire region, but then you lose visibility into the activity within that region.

ESP Security Report

You can see that there are alerts coming from ap_southeast_2, but for the purpose of this example we know that your company has no resources there.

To Clean Up Unused Regions:

  1. Log into your AWS account and access VPC Dashboard for the region you do not use.

    AWS VPC Dashboard View

  2. Verify that you have no instances in the specified region.

    AWS VPC Dashboard View

  3. Select the VPC you wish to delete.

    AWS VPC Dashboard View

  4. From the Actions pulldown menu, select Delete VPC.

    AWS VPC Dashboard View

  5. Click the appropriate radio buttons and click Yes, Delete.

    AWS VPC Dashboard View

  6. It will take a few moments for AWS to delete the VPC, but once it has, those alerts will no longer be triggered.

Step 7: Setting Your Daily Email Report

Evident.io generates a single email report every twenty-four hours at 9 AM your local time.

To change this default time:

  1. Click Control Panel.
  2. Click Users.

    Setting Your Daily Email Report

  3. Find your account and click Edit.

    Setting Your Daily Email Report

  4. Alter the timezone so that your daily email is sent at 9 AM.
  5. Click Save.

Step 8: Retrieving Your New Data

Now that you have configured the signatures to generate alerts that better meet your needs, you should look at your reports to view your new alerts.

Retrieving Your New Data

  1. Click Reports.
  2. Click Run Reports and select your desired team.

Step 9: Conclusion

Now that you’ve completed this process, your alerts have been customized to give you the best information when you need it. You will receive a daily 24-hour email report that gives a general overview of your alerts. (You may adjust the delivery of this report at any time by repeating Step 7: Setting Your Daily Email Report.)


Auto-Remediation via Lambda Walkthrough

The goal of this walkthrough is to help you set up, create, and then test a Lambda function for your AWS service. For more information, please see AWS Lambda.

A core design goal and philosophy at Evident.io is to provide our customers the most robust configuration security alerting platform on AWS and the remediation guidance to make those alerts actionable. Using our SNS integration, customers can extend that philosophy to make sure alerts are automatically remediated before you, or malicious actors, even know there’s an issue. Imagine revoking an EC2 security group rule that allows ingress traffic from the world minutes after it’s been detected by ESP.

This document will walk you through the steps to configure our SNS integration to send Evident.io alerts as events for Lambda to remediate on your behalf.

We recommend that you select ESP alerts to remediate based on one of the following criteria:

Step 1: ESP SNS Integration

  1. Follow the instructions for setting up the ESP SNS Integration. When configuring, make sure you configure for only one Team and one signature. Note: If there is more than one AWS account assigned to a Team, this will not work for more than one account until a future integrations enhancement is released.
  2. In the SNS topic you’ve set up, subscribe your email address, if only on a temporary basis, for troubleshooting purposes.

Step 2: Create IAM Policy and Role

The next step is to create the IAM Policy and Role that will give the Lambda function execution privileges.

  1. In the IAM Console under Policies, click Create Policy.
  2. Select Create Your Own Policy.
  3. Copy and paste the policy from the following link:
    https://github.com/EvidentSecurity/automation/blob/master/autoremediate/aws/policies/AWS_EC2_security_group_global_inbound_policy.json
    Name your policy and select Create Policy.
  4. In the IAM Console under Roles, click Create New Role.
    1. Name your role.
    2. Role type is AWS Lambda.
    3. Attach the policy created above.
    4. Additionally, attach the AWSLambdaBasicExecutionRole policy, to allow the Lambda function to send execution logs to CloudWatch Logs.

Step 3: Create the Lambda function in the AWS Console

The next step is to create the Lambda function in the AWS Console.

  1. Select the sns-message-python blueprint.
  2. Event source type is SNS.
  3. Select the SNS topic you created for the integration.
  4. In the next screen, name your function, give it a description and leave the Python runtime version as is.
  5. Copy and paste the Lambda code from the following link: https://github.com/EvidentSecurity/automation/blob/master/autoremediate/aws/lambda/AWS_EC2_security_group_global_inbound_remediate.py
  6. This sample code works across regions, so you can create the Lambda function in whichever region makes sense for your scenario.
  7. Leave the Lambda function handler as is, but select the IAM Role you created above in the drop-down menu.
  8. Under Advanced Settings, set the timeout value to 1 minute, 30 seconds. This is due to the fact that when multiple ESP alerts are sent to Lambda, it will take Lambda longer than the default 30 seconds to execute each lambda function.
  9. Select No VPC access is required.
  10. In the next screen, you can select the SNS topic above for Event Source, or leave as is and configure later once you are comfortable with the Lambda function code. If you click on Enable event source, the Lambda function will be subscribed to the SNS topic above.

Step 4: Testing and Verifying the Lambda Function

After the Lambda function is created, you will need to configure a test event to test your function.

  1. It is recommended to generate one SNS alert message to your email address per the subscription above, and copy the entire body of the message for your test event.
    1. To generate an alert, create a FAIL condition for the Global SSH signature.
    2. Create an EC2 security group, and add a rule that allows TCP port 22 to the entire internet, or “0.0.0.0/0”.
    3. Make sure no instances are associated with that security group
    4. This will be your test security group.
  2. In the Lambda function console, click on Actions -> Configure test event.
  3. Select the SNS sample test event.
  4. Replace this section "Sns: { ... }" with "Sns: { Message: { <text copied from Step #1> }}"
  5. Execution logs are sent to a CloudWatch Logs log group by the same name as your Lambda function.

PSaaS

Welcome to the PSaaS Documentation Library.

The Evident Security Platform (ESP) Private SaaS 100 enables organizations to continuously monitor both security and compliance across their entire AWS infrastructure (up to 100 accounts) from within their own VPC. ESP combines the detection and analysis of misconfigurations, vulnerabilities, and risk with user attribution, guided remediation, and audit capabilities to meet compliance requirements. The highly customizable solution enables DevOps and SecOps to implement and manage security policies, create custom signatures, and build auto-remediation into their workflows, making response near real-time. The Private SaaS Edition is for organizations that want to guarantee data privacy and sovereignty by running in their own dedicated environment.

PSaaS CFN Template Upload

  1. Upload the template through the CloudFormation console.
  2. Under the Instance Configuration section, select an existing EC2 KeyPair from the dropdown menu and enter a CIDR block for SSHLocation in the format x.x.x.x/xx.

  3. Under the Instance Type section, select your preferred instance size for each stack. If you are unsure of your requirements, choose the default options.

  4. Under the ELB Configuration section, enter the ARN of an existing SSL certificate and a CIDR block for WebLocation in the format x.x.x.x/xx.

  5. Under the Network Configuration section, select two different availability zones from the dropdown menus. The VPC and subnet CIDR blocks can be altered if desired, or if you already have an existing VPC with the same IP range. Ensure the subnet CIDR blocks are within the range of the VPC CIDR block.

  6. Under the Default Database Credentials section, edit the default MySQL database name and superuser if you desire, and enter a password. Note: The password must be at least 8 characters long, as required by RDS.

  7. Click Next.
  8. On the next screen, Options, there is no need to add any tags, permissions, or advanced data. Click Next to progress to the Review screen.
  9. On the Review page, confirm your options are set as intended.
    Before clicking Create, you MUST select the checkbox [ ] I acknowledge that AWS CloudFormation might create IAM resources., under the Capabilities section.

  10. Click Create to launch the stack. Please ensure that your setup is complete before clicking Create. This process may take up to 30 minutes.

Accessing ESP PSaaS Admin

ESP PSaaS Admin

ESP PSaaS Admin is the hub that allows you to edit information about your individual PSaaS services. You may always find this panel by clicking the Overview Tab.

To access the PSaaS Admin panel:

  1. Log into the CloudFormation console.
  2. Select the evident-saas template.
  3. Select the Outputs tab and click the link for the AdminAppELBDNSName.

  4. Log into the ESP PSaaS Admin page using the user name admin and the password derived from your instance ID as explained below:
    • If your admin app's instance ID is still using the short AWS instance id, append x before and after the instance id. For example: if your instance id is i-abcde123 then your password is xi-abcde123x.
    • If your admin app's instance ID uses the new AWS instance ID (16 digit ID), the initial password is your instance id.


  5. The URL noted at the bottom of the page is your personalized ESP Web URL.


To Create a Backup of Your Settings

Click Backup to create a backup of all of your settings.

For more information on creating a snapshot of your database, see AWS: Creating a DB Snapshot

Restarting ESP

When settings are changed, they won’t be applied to the ESP Admin until after ESP is restarted. Click Restart ESP to terminate the web and worker instances. Autoscaling will create new instances with the changes applied.
Note: There is no need to restart during the initial setup process.

ESP PSaaS Settings

The available settings for ESP PSaaS are:

The following PSaaS Settings may be edited on the Admin page or via the ESP Setting pulldown menu.


From Email

From Email is the sender's email address. It will appear as the From address on email sent from the ESP application, including automated emails such as the daily alert report.

The domain portion of From Email should be the same as your SMTP domain or emails will be blocked by certain email services providers like Gmail.

To edit this setting:

  1. Enter your designated email into the From Email field.
  2. Click Save.
  3. You will need to restart your ESP for this change to take effect.


MySQL

This page allows you to edit your SQL settings.

To edit this setting:

  1. Enter the appropriate information into the following fields:
    1. Pool size is the number of immediately available database connections, ready for use without the initial handshake overhead. They include persistent, framework and standalone types. We recommend this value be 15.
    2. Select a new username that the ESP Web application will use to connect to the database. This is the ESP Web username whose password is set in the next field.
    3. Select a new password for the ESP Web app. This will be used to log into the MySQL database. When updating, leaving this field blank will not remove the password, but entering a value will change the password.
    4. Select a new Super User Password for the newly created MySQL super user. This account is used to create the application user and set its privileges. When updating, leaving this field blank will not remove the password, but entering a value will change the password.
  2. Click Save.


SMTP Email Settings

This page allows you to edit your SMTP Email settings.

To edit this setting:

  1. Enter the appropriate information into the following fields:
    1. SMTP address is the hostname of your mail server that sends out emails. It would be localhost if you have a locally running mail server.
    2. SMTP port is the port number that mail clients like Outlook connect to. The default port is 25.
    3. SMTP authentication is the type of authentication for logging into SMTP on the mail server. It can be plain, login or cram_md5.
    4. SMTP domain is the domain name that emails will be sent from.
    5. SMTP user name is the username for logging into the user's mail account.
    6. SMTP password is the user's password for logging into the mail account.
  2. Click Save.


ESP URL Settings

This page allows you to edit your ESP URL settings.

URL is used internally by ESP Web, among other things, to create proper links in emails. If setting up a DNS endpoint, update this to reflect that. It is important that this is a correct URL. If incorrect, some functionality will be lost.

To edit this setting:

  1. Enter the URL into the ESP URL field.
  2. Click Save.


SNS Region Settings

This page allows you to edit your SNS Region settings.

SNS Region is the region where new Amazon SNS Integrations will be created.

To edit this setting:

  1. Enter the appropriate region into the SNS Region.
  2. Click Save.


SSL Cert

This page allows you to upload your SSL Cert files.

To upload your SSL Certs:

  1. SSL Cert is the actual certificate that your SSL provider issues to you after you've gone through the process. Click Choose File and browse to your SSL Cert.
  2. Key should be the public key generated when you generated your key pair for the SSL signing request. Click Choose File and browse to your Key.
  3. Click Import.