Prerequisites
To use SOC Prime's Attack Detective for querying your log data in Amazon Security Lake via Amazon Athena, you need to have in place the following:
Amazon Security Lake set up according to the official User Guide
Amazon Athena with a query result location set up in Amazon S3. If you haven't set up a query result location yet, follow these instructions. Note that the name of the S3 bucket should be descriptive and globally unique.
Attack Detective connects to Amazon Athena via JDBC and only queries the Security Lake data accessible through Amazon Athena.
Set up Permissions for Attack Detective in Amazon IAM
In Amazon IAM, create a user group, then create a policy with permissions required for Attack Detective and attach it to the user group. After that, create a user for Attack Detective, add it to the user group, and generate credentials for the user. Use the credentials to set up integration with your Amazon Athena in SOC Prime's Attack Detective.
Log in to your Security Lake account in the IAM console.
Create a user group.
Create a policy.
Go to Policies and click Create policy.
Define the policy in the JSON tab.
Use the following policy as a template. Don't forget to replace example-attack-detective-athena with the name of your S3 bucket designated as the query result location.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:BatchGetNamedQuery",
        "athena:BatchGetPreparedStatement",
        "athena:BatchGetQueryExecution",
        "athena:GetCalculationExecution",
        "athena:GetCalculationExecutionCode",
        "athena:GetCalculationExecutionStatus",
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:GetNamedQuery",
        "athena:GetNotebookMetadata",
        "athena:GetPreparedStatement",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetQueryResultsStream",
        "athena:GetQueryRuntimeStatistics",
        "athena:GetSession",
        "athena:GetSessionStatus",
        "athena:GetTableMetadata",
        "athena:GetWorkGroup",
        "athena:ListApplicationDPUSizes",
        "athena:ListCalculationExecutions",
        "athena:ListDatabases",
        "athena:ListDataCatalogs",
        "athena:ListEngineVersions",
        "athena:ListExecutors",
        "athena:ListNamedQueries",
        "athena:ListNotebookMetadata",
        "athena:ListNotebookSessions",
        "athena:ListPreparedStatements",
        "athena:ListQueryExecutions",
        "athena:ListSessions",
        "athena:ListTableMetadata",
        "athena:ListTagsForResource",
        "athena:ListWorkGroups",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetTable",
        "glue:GetTables",
        "lakeformation:GetDataAccess"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-attack-detective-athena/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::example-attack-detective-athena"
    }
  ]
}

You can skip the second step without adding any tags, or add some tags that will help you identify and organize the resource.
Name your policy, review it, and click the Create policy button.
If the policy has been created successfully, you'll see a confirmation message.
Attach the policy to the user group.
Create a user and add it to the user group.
Go to Users and click Add users.
Give the user a name and click Next.
Set the user's permissions by adding it to the user group created in step 2 and click Next.
Review the user details and permission summary and click Create user.
If the user has been created successfully, you'll see a confirmation message.
Generate security credentials for the user configured in step 5.
Open the settings of the user created in step 5.
Go to the Security credentials tab.
Under Access keys, click Create access key.
Under Access key best practices & alternatives, select the Third-party service option, set the acknowledgment checkmark, and click Next.
Under Set description tag, set a descriptive name and click Generate access key.
If the access key has been successfully generated, you'll see a confirmation message.
Save the Access key ID and Secret access key to your secure password vault. Note that you won't be able to get the secret access key after clicking Done on this screen. You'll need the secret access key for integration with SOC Prime's Attack Detective.
Once the key is created, it is displayed in the user summary.
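As an added check (example code, not part of this guide or of SOC Prime's product), the script below renders the policy template with your bucket name and flags the two mistakes that most often either break the integration or over-grant it: the placeholder left unreplaced (or S3 access granted on anything but the query-result bucket), and actions added beyond the read/query set the template grants. The abridged template, the allow-list of action prefixes and the bucket name are constructed for the example.

```python
import json
import re

# Abridged copy of the policy template from this guide (constructed for the example;
# the page's full action list is longer but has the same three-statement shape).
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["athena:GetQueryExecution", "athena:GetQueryResults",
                "athena:StartQueryExecution", "glue:GetTable",
                "lakeformation:GetDataAccess"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::example-attack-detective-athena/*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::example-attack-detective-athena",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"]}
  ]
}"""
PLACEHOLDER = "example-attack-detective-athena"
# Outside S3 the template only reads metadata and starts/stops queries; anything
# else (e.g. athena:CreateWorkGroup, glue:DeleteTable) widens the blast radius.
ALLOWED_PREFIXES = ("athena:Get", "athena:List", "athena:BatchGet",
                    "athena:StartQueryExecution", "athena:StopQueryExecution",
                    "glue:Get", "lakeformation:GetDataAccess")
# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots, hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

def render_policy(bucket: str, template: str = TEMPLATE) -> dict:
    """Substitute the placeholder bucket name and parse the resulting JSON."""
    if not BUCKET_RE.match(bucket) or ".." in bucket:
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return json.loads(template.replace(PLACEHOLDER, bucket))

def check_policy(policy: dict, bucket: str) -> list:
    """Return findings as strings; an empty list means the policy is as intended."""
    findings = []
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r}")
        for action in actions:
            if action.startswith("s3:"):
                # S3 access must stay on the query-result bucket, never "*" or another bucket
                findings += [f"{action} on {r} is not scoped to {bucket}"
                             for r in resources if r not in scoped]
            elif not action.startswith(ALLOWED_PREFIXES):
                findings.append(f"{action} is outside the expected read/query set")
    return findings
```

Run check_policy on the rendered policy before pasting it into the JSON tab; any finding about an S3 resource means the placeholder was left in place or the bucket ARN was mistyped.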
Set up Permissions for Attack Detective in AWS Lake Formation
Go to AWS Lake Formation and grant table permissions to the user configured in step 5 following these instructions. Note that you need fewer permissions than are granted in the referenced document. Here are the recommended settings and permissions:
Go to your AWS Lake Formation.
Under the Permissions section, choose Data lake permissions and click Grant.
Make sure IAM users and roles is selected.
Select the user created in step 5 of the Set up Permissions for Attack Detective in Amazon IAM procedure.
Under LF-Tags or catalog resources, select Named data catalog resources.
Under Databases, select your Security Lake Database.
Under Tables, we recommend selecting the All tables option. Alternatively, you can select only those tables you want to make accessible to Attack Detective.
Under Table permissions, set checkmarks next to the Select and Describe options.
Under Data permissions, keep the All data access option selected.
Click the Grant button.
Set up Amazon Athena Integration on the SOC Prime Platform
Log in to your account on the SOC Prime Platform.
Go to Account > Platform Settings > Data Planes and click Add Data Plane.
Name your profile, choose if you want to share it with your team, and select Amazon Athena as your platform.
Make sure that Attack Detective is selected as a place to use the Data Plane.
Fill in the required parameters:
AWS Access Key ID. Paste the Access key ID generated at step 6-g in the Set up Permissions for Attack Detective in Amazon IAM procedure
Secret Access Key. Paste the Secret access key generated at step 6-g in the Set up Permissions for Attack Detective in Amazon IAM procedure
Database. Paste the name of your Security Lake Database from Athena. You can find it in Amazon Athena > Query editor > Data section > Database dropdown
Region. Select the region set in your Amazon Athena
Query result location. Indicate the S3 bucket designated as the query result location in your Amazon Athena (without the s3:// prefix)
Optionally, select Default Custom Field Mappings. To learn more about mapping, see this guide.
Click Save Changes.
Now, you can use the configured Amazon Athena Data Plane when setting up an Investigation in Attack Detective.
Support and Troubleshooting
Investigation won't start
Check connection
Use the Check Connection feature of your Amazon Athena Data Plane configured on the SOC Prime Platform to see if the connection to Amazon Athena is operational.
If you see the Disconnected status after checking the connection, your access credentials may be invalid or no longer valid, for example because of access key rotation, expiration, or other reasons.
Check permissions
Check if you've granted the required permissions described in Set up Permissions for Attack Detective in Amazon IAM.
I have errors in query execution logs
Check the Athena Query Engine Version in use
Ensure that you are using the latest version of Athena Query Engine (currently it's v3).
To do so, go to Athena > Workgroups > Primary.
To change Athena Query Version, click Edit on this screen and select the desired engine version in the Query Engine version dropdown.
Ensure Compatibility with the Latest OCSF Version
The OCSF schema may be updated from time to time. We do our best to keep our queries up to date with these changes, but in some cases this may take a while.
If you want to automatically modify all the executed queries according to a particular version of OCSF, you can set up a Custom Field Mapping profile.
Other Questions and Support
If you have any questions, encounter an issue, or need help, reach out to us at support@socprime.com or in the live chat on the SOC Prime Platform.
You can also start a discussion in our Discord community.