How to improve your security incident response processes with Jupyter notebooks

admin | 2023-12-12 09:15:06
Reposting these two articles.

by Tim Manik, Bryant Pickford, and Daria Pshonkina | on 6 NOV 2023 | in Amazon SageMaker, Expert (400), Security, Identity, & Compliance, Technical How-To

Customers face a number of challenges to quickly and effectively respond to a security event. To start, it can be difficult to standardize how to respond to a particular security event, such as an Amazon GuardDuty finding. Additionally, silos can form when one security analyst is designated to perform certain tasks, such as investigating all GuardDuty findings. Jupyter notebooks can help you address these challenges by simplifying both standardization and collaboration.

Jupyter Notebook is an open-source, web-based application to run and document code. Although Jupyter notebooks are most frequently used for data science and machine learning, you can also use them to investigate and respond to security events more efficiently and effectively.

In this blog post, we will show you how to use Jupyter Notebook to investigate a security event. With this solution, you can automate the tasks of gathering data, presenting the data, and providing procedures and next steps for the findings.

Benefits of using Jupyter notebooks for security incident response

The following are some ways that you can use Jupyter notebooks for security incident response:

  • Develop readable code for analysts – Within a notebook, you can combine markdown text and code cells to improve readability. Analysts can read the context around a code cell, run the cell, and analyze the results within the notebook.
  • Standardize analysis and response – You can reuse notebooks after the initial creation. This makes it simpler to standardize your incident response process for a given type of security event. Additionally, you can use notebooks to achieve repeatable responses: you can rerun an entire notebook or a specific cell.
  • Collaborate and share incident response knowledge – After you create a Jupyter notebook, you can share it with peers to collaborate and share knowledge more seamlessly, which helps reduce silos and reliance on particular analysts.
  • Iterate on your incident response playbooks – Developing a security incident response program involves continuous iteration. With Jupyter notebooks, you can start small and iterate on what you have developed. You can keep Jupyter notebooks under source code control by using services such as AWS CodeCommit, which lets you review, approve, and track changes to your notebooks.

Architecture overview

Figure 1: Architecture for incident response analysis

The architecture shown in Figure 1 consists of the foundational services required to analyze and contain security incidents on AWS. You create and access the playbooks through the Jupyter console that is hosted on Amazon SageMaker. Within the playbooks, you run several Amazon Athena queries against AWS CloudTrail logs stored in Amazon Simple Storage Service (Amazon S3).

Solution implementation

To deploy the solution, you will complete the following steps:

  1. Deploy a SageMaker notebook instance
  2. Create an Athena table for your CloudTrail trail
  3. Grant AWS Lake Formation access
  4. Access the Credential Compromise playbooks by using JupyterLab

Step 1: Deploy a SageMaker notebook instance

You will host your Jupyter notebooks on a SageMaker notebook instance. We chose SageMaker instead of running the notebooks locally because SageMaker provides flexible compute, seamless integration with CodeCommit and GitHub, temporary credentials through AWS Identity and Access Management (IAM) roles rather than long-lived access keys on an analyst workstation, and lower latency for Athena queries.

You can deploy the SageMaker notebook instance by using the AWS CloudFormation template from our jupyter-notebook-for-incident-response GitHub repository. We recommend that you deploy SageMaker in your security tooling account or an equivalent.

The CloudFormation template deploys the following resources:

  • A SageMaker notebook instance to run the analysis notebooks. Because this is a proof of concept (POC), the deployed SageMaker instance is the smallest instance type available. Within an enterprise environment, you will likely need a larger instance type.
  • An AWS Key Management Service (AWS KMS) key to encrypt the SageMaker notebook instance's storage and protect sensitive data.
  • An IAM role that grants the SageMaker notebook permissions to query CloudTrail, VPC Flow Logs, and other log sources.
  • An IAM role that allows access to the pre-signed URL of the SageMaker notebook only from an allowlisted IP range.
  • A VPC configured for SageMaker with an internet gateway, NAT gateway, and VPC endpoints to access required AWS services securely. The internet gateway and NAT gateway provide internet access to install external packages; in a production deployment, consider restricting that egress to the package repositories you actually need.
  • An S3 bucket to store results for your Athena log queries. You will reference this S3 bucket in the next step.

Step 2: Create an Athena table for your CloudTrail trail

The solution uses Athena to query CloudTrail logs, so you need to create an Athena table for CloudTrail.

There are two main ways to create an Athena table for CloudTrail:

  • Use the AWS Security Analytics Bootstrap – We highly recommend that you use the AWS Security Analytics Bootstrap because you can use it to perform security investigations on different types of AWS service logs. Additionally, if you are using AWS Organizations and have a log archive account, then you can use the bootstrap to create a table so that you can query logs from all of your AWS accounts. To get the CloudFormation template for the bootstrap, see Athena_infra_setup.yml.
  • Use the CloudTrail console – For instructions, see Using the CloudTrail console to create an Athena table for CloudTrail logs. One advantage of this approach is that it is quicker to set up.

For either method, you need to provide the URI of an S3 bucket. For this blog post, use the URI of the S3 bucket that the CloudFormation template created in Step 1; you can find it in the Outputs section of the CloudFormation stack. Note that this bucket is the query result location that Athena writes its output to. The table's LOCATION is different: it points at the S3 bucket and prefix that CloudTrail delivers your logs to, and because Athena reads that data with the caller's credentials, the notebook's IAM role needs read access to the log bucket as well as to the results bucket.

Step 3: Grant AWS Lake Formation access

If you don't use AWS Lake Formation in your AWS environment, skip to Step 4. Otherwise, continue with the following instructions. When Lake Formation is enabled, it manages data access control for your Athena tables, so the notebook's IAM role needs Lake Formation grants in addition to its IAM permissions.

To grant permission to the Security Log database

  1. Open the Lake Formation console.
  2. Select the database that you created in Step 2 for your security logs. If you used the Security Analytics Bootstrap, then the database name is either security_analysis or a custom name that you provided; you can find the name in the CloudFormation stack. If you created the Athena table by using the CloudTrail console, then the database is named default.
  3. From the Actions dropdown, select Grant.
  4. In Grant data permissions, select IAM users and roles.
  5. Find the IAM role used by the SageMaker notebook instance.
  6. In Database permissions, select Describe and then Grant.

To grant permission to the Security Log CloudTrail table

  1. Open the Lake Formation console.
  2. Select the database that you created in Step 2.
  3. Choose View Tables.
  4. Select CloudTrail. If you created VPC flow log and DNS log tables, select those, too.
  5. From the Actions dropdown, select Grant.
  6. In Grant data permissions, select IAM users and roles.
  7. Find the IAM role used by the SageMaker notebook instance.
  8. In Table permissions, select Describe and Select, and then Grant.

Step 4: Access the Credential Compromise playbooks by using JupyterLab

The CloudFormation template clones the jupyter-notebook-for-incident-response GitHub repo into your Jupyter workspace.

You can access JupyterLab hosted on your SageMaker notebook instance by following the steps in the Access Notebook Instances documentation.

Your folder structure should match that shown in Figure 2. The parent folder should be jupyter-notebook-for-incident-response, and the child folders should be playbooks and cfn-templates.

Figure 2: Folder structure after the GitHub repo is cloned to the environment

Sample investigation of a spike in failed login attempts

In the following sections, you will use the Jupyter notebook that we created to investigate a scenario where failed login attempts have spiked. We designed this notebook to guide you through the process of gathering more information about the spike.

We discuss the important components of these notebooks so that you can use the framework to create your own playbooks. We encourage you to build on top of the playbook and add queries and steps that customize it for your organization's specific business and security goals.

For this blog post, we focus primarily on the analysis phase of incident response and walk you through how Jupyter notebooks can help with this phase.

Before you get started with the following steps, open the credential-compromise-analysis.ipynb notebook in your JupyterLab environment.

How to import Python libraries and set environment variables

The notebooks require the following Python libraries:

  • Boto3 – to interact with AWS services through API calls
  • Pandas – to visualize the data
  • PyAthena – to simplify the code to connect to Athena

The required Python libraries are installed in the Setup section of the notebook. Under Load libraries, edit the variables in the two code cells as follows:

  • region – specify the AWS Region that you want your AWS API commands to run in (for example, us-east-1).
  • athena_bucket – specify the S3 URI of the query result location configured for Athena. You can find this information at Athena > Query Editor > Settings > Query result location.
  • db_name – specify the Athena database that contains your CloudTrail table.

Figure 3: Load the Python libraries in the notebook

This helps ensure that the subsequent code cells are configured to run in your environment.

Run each code cell by choosing the cell and pressing SHIFT+ENTER, or by choosing the play button (▶) in the toolbar at the top of the console.

How to set up the helper function for Athena

The Python query_results function, shown in the following figure, helps you query Athena tables. Run this code cell. You will use the query_results function later, in the 2.0 IAM Investigation section of the notebook.

Figure 4: Code cell for the helper function to query with Athena
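The two Setup cells described above (the environment variables, then the query_results helper), written out as an added example; this is not the notebook's own code from Figures 3 and 4. The bucket and database names are assumptions, and so is StubCursor, which stands in for PyAthena's cursor so the helper can be exercised without AWS access:

```python
"""Setup cells for the credential-compromise notebook: environment variables and an
Athena helper. Added example, not the cells shown in Figures 3 and 4; bucket and
database names are assumptions."""
import os
from typing import Any, Dict, List, Optional, Sequence, Tuple

# Variables the Setup section asks you to edit (assumed defaults, overridable via env)
region = os.environ.get("AWS_REGION", "us-east-1")
athena_bucket = os.environ.get("ATHENA_BUCKET", "s3://example-athena-results/")  # query result location
db_name = os.environ.get("ATHENA_DB", "security_analysis")  # bootstrap default database


def athena_cursor(region_name: str = region, s3_staging_dir: str = athena_bucket,
                  schema_name: str = db_name):
    """Open a PyAthena DB-API cursor. Credentials come from boto3's default chain, which on
    a SageMaker notebook instance means the execution role's temporary credentials."""
    from pyathena import connect  # imported here so the rest of the module works without PyAthena
    return connect(region_name=region_name, s3_staging_dir=s3_staging_dir,
                   schema_name=schema_name).cursor()


def query_results(sql: str, cursor, parameters: Optional[Dict[str, Any]] = None) -> List[Dict[str, Any]]:
    """Run `sql` on a DB-API cursor and return the rows as dicts keyed by column name.

    `parameters` are bound in PyAthena's pyformat style (%(name)s), which quotes values for
    you; a literal % in the SQL must then be written as %%. In the notebook, wrap the result
    in pandas.DataFrame(rows) to get the tabular view."""
    cursor.execute(sql, parameters)
    columns = [col[0] for col in cursor.description]
    return [dict(zip(columns, row)) for row in cursor.fetchall()]


class StubCursor:
    """Stand-in for PyAthena's cursor so the helper can run offline (constructed for this example)."""
    def __init__(self, columns: Sequence[str], rows: Sequence[Tuple]):
        self._columns, self._rows = list(columns), list(rows)
        self.description = None
        self.executed: List[Tuple[str, Optional[Dict[str, Any]]]] = []

    def execute(self, operation: str, parameters: Optional[Dict[str, Any]] = None):
        self.executed.append((operation, parameters))
        self.description = [(c, None, None, None, None, None, None) for c in self._columns]
        return self

    def fetchall(self):
        return list(self._rows)


def demo() -> Tuple[List[Dict[str, Any]], List[Tuple[str, Optional[Dict[str, Any]]]]]:
    """Run a query-2.1-style statement against constructed rows; swap StubCursor for athena_cursor() on AWS."""
    cur = StubCursor(["eventtime", "principal", "errorcode"],
                     [("2023-11-06T02:14:09Z", "arn:aws:iam::123456789012:user/ci-deploy", "AccessDenied")])
    sql = (f"SELECT eventtime, useridentity.arn AS principal, errorcode "
           f"FROM {db_name}.cloudtrail WHERE errorcode = %(code)s ORDER BY eventtime DESC LIMIT 10")
    return query_results(sql, cur, {"code": "AccessDenied"}), cur.executed
```

Injecting the cursor is what keeps the helper testable outside AWS and lets the same cell run unchanged against `athena_cursor()` on the notebook instance. Binding values through `parameters` instead of string formatting matters once analysts start pasting ARNs and IP addresses from findings into queries.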

Credential Compromise Analysis Notebook

The credential-compromise-analysis.ipynb notebook includes several prebuilt queries to help you start your investigation of a potentially compromised credential. In this post, we discuss three of these queries:

  • The first query provides a broad view by retrieving the CloudTrail events related to authorization failures. By reviewing these results, you get baseline information about where users and roles are attempting to access resources or take actions without having the proper permissions.
  • The second query narrows the focus by identifying the top five IAM entities (such as users, roles, and identities) that are causing most of the authorization failures. Frequent failures from a specific entity often indicate compromised credentials, although a misconfigured automation or a newly tightened policy can produce the same pattern, which is why the next query looks at what the entity actually did.
  • The third query zooms in on one of the suspicious entities from the previous query. It retrieves the API activity and events initiated by that entity across AWS services and resources. Analyzing the actions performed by a suspicious entity can reveal whether valid permissions are being misused or whether the entity is systematically trying to access resources it doesn't have access to.

Investigate authorization failures

The notebook has markdown cells that describe the expected result of each query. The next cell contains the query statement. The final cell calls the query_results function to run your query by using Athena and display the results in tabular format.

In query 2.1, you query for specific error codes such as AccessDenied, and filter for anything that is an IAM entity by looking for useridentity.arn like '%iam%'. The notebook orders the entries by eventTime. Note that for an assumed-role session, useridentity.arn is an STS ARN of the form arn:aws:sts::<account>:assumed-role/<role>/<session> and does not match '%iam%'; the role itself appears in useridentity.sessioncontext.sessionissuer.arn, so add that field to the filter if you want role sessions included. If you want to look for IAM Identity Center entities specifically, update the query to filter by useridentity.sessioncontext.sessionissuer.arn like '%sso.amazonaws.com%'.

This query retrieves a list of failed API calls to AWS services. From this list, you can gain additional insight into the context surrounding the spike in failed login attempts.

When you investigate denied API access requests, carefully examine details such as the user identity, timestamp, source IP address, and other metadata. This information helps you determine whether the event is a legitimate threat or a false positive. Here are some specific questions to ask:

  • Does the IP address originate from within your network, or is it external? Internal addresses might be less concerning, but still check whether that host should be making the call at all.
  • Is the access attempt occurring during normal working hours for that user? Requests outside of normal times might warrant more scrutiny.
  • What resources or changes is the user trying to access or make? Attempts to modify sensitive data or systems might indicate malicious intent.

By thoroughly evaluating the context around denied API calls, you can more accurately assess the risk they pose and whether you need to take further action. You can use the specifics in the logs to go beyond the bare fact that access was denied and learn the story of who, when, and why.

As shown in the following figure, the queries in the notebook use the following structure:

  1. A markdown cell to explain the purpose of the query, followed by the query statement.
  2. A code cell to run the query and display the query results.

In the figure, the first code cell that runs stores the query statement as input. After that finishes, the next code cell runs the query and displays the results.

Figure 5: Run predefined Athena queries in JupyterLab

Figure 6 shows the output of the query that you ran in the 2.1 Investigation Authorization Failures section. It contains critical details for understanding the context around a denied API call:

  • The eventtime field shows the date and time (in UTC) that the request was made.
  • The useridentity field reveals which IAM identity made the request.
  • The sourceipaddress field provides the IP address that the request was made from.
  • The useragent field shows which client or app was used to make the call. The user agent is set by the client and can be forged, so treat it as a hint rather than evidence.

Figure 6: Results from the first investigative query

Figure 6 shows only a subset of the many details captured in CloudTrail logs. By scrolling to the right in the query output, you can view additional attributes that provide further context around the event. The CloudTrail record contents guide contains a comprehensive list of the fields included in the logs, along with descriptions of each attribute.

Often, you will need to search for more information to determine whether remediation is necessary. For this reason, we have included additional queries to help you further examine the sequence of events leading up to the spike in failed login attempts and after the spike occurred.

Triaging suspicious entities (Queries 2.2 and 2.3)

By running the second and third queries you can dig deeper into anomalous authorization failures. As shown in Figure 7, Query 2.2 returns the top five IAM entities with the most frequent access denials. This highlights the specific users, roles, and identities causing the most failures, which can indicate compromised credentials.

Query 2.3 takes the investigation further by isolating the activity of one suspicious entity. Retrieving the actions attempted by a single problematic user or role reveals the context you need to decide whether to revoke credentials. For example, is the entity probing resources that it shouldn't have access to? Are there unusual API calls outside of normal hours? By scrutinizing an entity's full history, you can make an informed decision on remediation.

Figure 7: Overview of queries 2.2 and 2.3

You can use these two queries together to triage authorization failures: query 2.2 identifies high-risk entities, and query 2.3 gathers the intelligence that drives your response. This progression from a macro view to a micro view is crucial for transforming signals into action.
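The three queries as they would appear in the playbook, together with the same macro-to-micro triage logic run in plain Python over constructed CloudTrail records. This is an added example that serves both the Investigate authorization failures section (query 2.1) and the triage section above (queries 2.2 and 2.3); it is not the notebook's own cells. The table name, the error-code list, the sample events and the working-hours window are assumptions:

```python
"""Queries 2.1 to 2.3 of the credential-compromise playbook as an added example (not the
notebook's own cells): the Athena SQL each cell would run, plus the same triage logic run in
plain Python over constructed CloudTrail records. TABLE and DENIAL_CODES are assumptions."""
import re
from collections import Counter
from typing import Any, Dict, List, Tuple

TABLE = "security_analysis.cloudtrail"  # assumed: AWS Security Analytics Bootstrap default names
DENIAL_CODES = ("AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation")
_CODES_SQL = ", ".join(f"'{c}'" for c in DENIAL_CODES)
_ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def sql_authorization_failures(since: str, until: str) -> str:
    """Query 2.1. eventtime is a STRING in the CloudTrail DDL, so ISO-8601 bounds compare
    lexicographically; they are validated here because the LIKE patterns would need %%
    escaping if the bounds were passed through PyAthena's pyformat parameters instead."""
    for bound in (since, until):
        if not _ISO_UTC.match(bound):
            raise ValueError(f"expected YYYY-MM-DDTHH:MM:SSZ, got {bound!r}")
    return f"""
SELECT eventtime, useridentity.arn AS principal, useridentity.sessioncontext.sessionissuer.arn AS issuer,
       sourceipaddress, useragent, eventsource, eventname, errorcode, errormessage
FROM {TABLE}
WHERE errorcode IN ({_CODES_SQL})
  AND (useridentity.arn LIKE '%iam%' OR useridentity.sessioncontext.sessionissuer.arn LIKE '%iam%')
  AND eventtime BETWEEN '{since}' AND '{until}'
ORDER BY eventtime DESC"""


# Query 2.2: role sessions roll up to the role ARN through the session issuer.
SQL_TOP_DENIED_ENTITIES = f"""
SELECT COALESCE(useridentity.sessioncontext.sessionissuer.arn, useridentity.arn) AS entity,
       count(*) AS denials, count(DISTINCT eventsource) AS services
FROM {TABLE}
WHERE errorcode IN ({_CODES_SQL})
GROUP BY 1 ORDER BY denials DESC LIMIT 5"""

# Query 2.3: everything one entity did, allowed or denied. Bind with {"entity": arn}.
SQL_ENTITY_TIMELINE = f"""
SELECT eventtime, eventsource, eventname, errorcode, sourceipaddress, useragent, awsregion
FROM {TABLE}
WHERE useridentity.arn = %(entity)s OR useridentity.sessioncontext.sessionissuer.arn = %(entity)s
ORDER BY eventtime"""


def _issuer(e: Dict[str, Any]) -> str:
    return e["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")


def authorization_failures(events, since: str, until: str) -> List[Dict[str, Any]]:
    """Query 2.1 over raw CloudTrail records."""
    hits = [e for e in events if e.get("errorCode") in DENIAL_CODES and since <= e["eventTime"] <= until
            and ("iam" in e["userIdentity"]["arn"] or "iam" in _issuer(e))]
    return sorted(hits, key=lambda e: e["eventTime"], reverse=True)


def top_denied_entities(events, limit: int = 5) -> List[Tuple[str, int]]:
    """Query 2.2 over raw records."""
    denied = (e for e in events if e.get("errorCode") in DENIAL_CODES)
    return Counter(_issuer(e) or e["userIdentity"]["arn"] for e in denied).most_common(limit)


def entity_timeline(events, entity: str) -> List[Dict[str, Any]]:
    """Query 2.3 over raw records."""
    return sorted((e for e in events if entity in (e["userIdentity"]["arn"], _issuer(e))),
                  key=lambda e: e["eventTime"])


def triage_signals(timeline, work_hours=(8, 18)) -> Dict[str, Any]:
    """Facts to weigh before revoking: denied-service breadth (enumeration), source IPs,
    and activity outside an assumed UTC working window."""
    denied = [e for e in timeline if e.get("errorCode") in DENIAL_CODES]
    return {"events": len(timeline), "denials": len(denied),
            "denied_services": sorted({e["eventSource"] for e in denied}),
            "source_ips": sorted({e["sourceIPAddress"] for e in timeline}),
            "off_hours_events": sum(not work_hours[0] <= int(e["eventTime"][11:13]) < work_hours[1]
                                    for e in timeline)}


def _event(time, arn, source, name, ip, code=None, issuer=None):
    """CloudTrail-shaped record; constructed sample data, not real log lines."""
    ui = {"type": "AssumedRole" if issuer else "IAMUser", "arn": arn}
    if issuer:
        ui["sessionContext"] = {"sessionIssuer": {"type": "Role", "arn": issuer}}
    rec = {"eventTime": time, "userIdentity": ui, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userAgent": "aws-cli/2.13.0", "awsRegion": "us-east-1"}
    return {**rec, "errorCode": code} if code else rec


ACCT = "123456789012"
CI_USER, APP_ROLE = f"arn:aws:iam::{ACCT}:user/ci-deploy", f"arn:aws:iam::{ACCT}:role/AppRole"
APP_SESSION = f"arn:aws:sts::{ACCT}:assumed-role/AppRole/i-0abc123"
SAMPLE_EVENTS = [  # ci-deploy's key enumerating services at 02:14 UTC from outside, plus background noise
    _event("2023-11-06T02:14:05Z", CI_USER, "s3.amazonaws.com", "ListBuckets", "198.51.100.23"),
    _event("2023-11-06T02:14:09Z", CI_USER, "iam.amazonaws.com", "ListUsers", "198.51.100.23", "AccessDenied"),
    _event("2023-11-06T02:14:12Z", CI_USER, "secretsmanager.amazonaws.com", "ListSecrets", "198.51.100.23", "AccessDeniedException"),
    _event("2023-11-06T02:14:20Z", CI_USER, "ec2.amazonaws.com", "DescribeInstances", "198.51.100.23", "Client.UnauthorizedOperation"),
    _event("2023-11-06T02:14:31Z", CI_USER, "sts.amazonaws.com", "AssumeRole", "198.51.100.23", "AccessDenied"),
    _event("2023-11-06T09:05:00Z", APP_SESSION, "s3.amazonaws.com", "GetObject", "10.0.3.17", "AccessDenied", APP_ROLE),
    _event("2023-11-06T09:06:00Z", APP_SESSION, "s3.amazonaws.com", "GetObject", "10.0.3.17", "AccessDenied", APP_ROLE),
    _event("2023-11-06T15:30:00Z", f"arn:aws:iam::{ACCT}:user/bob", "iam.amazonaws.com", "CreateUser", "10.0.1.5", "AccessDenied"),
]


def demo() -> Dict[str, Any]:
    """Macro to micro: all failures, the top entities, then the worst entity's full history."""
    failures = authorization_failures(SAMPLE_EVENTS, "2023-11-06T00:00:00Z", "2023-11-07T00:00:00Z")
    top = top_denied_entities(SAMPLE_EVENTS)
    suspect = top[0][0]
    return {"failures": failures, "top": top, "suspect": suspect,
            "signals": triage_signals(entity_timeline(SAMPLE_EVENTS, suspect))}
```

Two details of the sample are deliberate. The AppRole denials have an STS ARN in useridentity.arn, so they only survive query 2.1 because the filter also looks at the session issuer, and query 2.2 counts them against the role rather than against each session name. The ci-deploy timeline is the textbook enumeration pattern the triage section describes: four different services denied within thirty seconds, one external address, all outside working hours; query 2.3 pulls that context, and the signals are what you take to the resource owner before revoking anything.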

Although log analysis relies on automation and queries to surface insights, human judgment is essential to interpret these signals and determine the appropriate response. You should discuss flagged events with stakeholders and resource owners to benefit from their domain expertise. You can share the results of your analysis by exporting your Jupyter notebook.

By collaborating with other people, you can gather contextual clues that might not be captured in the raw data. For example, an owner might confirm that a suspicious login time is expected for users in a certain time zone. By pairing automated detection with human perspectives, you can accurately assess risk and decide whether credential revocation or other remediation is truly warranted. The technical signals alone can't dictate whether remediation is necessary; the human element provides pivotal context.

Build your own queries

In addition to the existing queries, you can run your own queries and include them in your copy of the credential-compromise-analysis.ipynb notebook. The AWS Security Analytics Bootstrap contains a library of common Athena queries for CloudTrail. We recommend that you review these queries before you start to build your own. The key takeaway is that these notebooks are highly customizable: you can use the Jupyter Notebook application to meet the specific incident response requirements of your organization.

Contain compromised IAM entities

If the investigation reveals that a compromised IAM entity requires containment, follow these steps to revoke access:

  • For federated users, revoke their active AWS sessions according to the guidance in How to revoke federated users' active AWS sessions. This uses IAM policies and AWS Organizations service control policies (SCPs) to revoke access to assumed roles.
  • Avoid using long-lived IAM credentials such as access keys. Instead, use temporary credentials through IAM roles. However, if you detect a compromised access key, immediately rotate or deactivate it by following the guidance in What to Do If You Inadvertently Expose an AWS Access Key. Review the permissions granted to the compromised IAM entity and consider whether these permissions should be reduced after access is restored. Overly permissive policies might have enabled broader access for the threat actor.

Going forward, implement least privilege access and monitor authorization activity to detect suspicious behavior. By quickly containing compromised entities and proactively improving IAM hygiene, you can minimize the adversary's access duration and prevent further unauthorized access.
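Containment for the two entity types above (a role whose sessions must be revoked, and a user whose access key leaked), as an added example rather than code from the post or from the linked AWS guidance. It relies on the documented aws:TokenIssueTime condition key, which is the same mechanism the IAM console's Revoke sessions action writes into an inline policy; the policy name, the stub IAM client, the user and role names and the key IDs are assumptions:

```python
"""Containment helpers for a compromised IAM entity: an added example that is not part of the
original post, which links to AWS guidance for these steps instead. `iam` is a boto3 IAM client
in practice; StubIam below is constructed so the functions can be exercised offline."""
import json
from datetime import datetime, timezone
from typing import Any, Dict, List

REVOKE_POLICY_NAME = "AWSRevokeOlderSessions"  # assumed; any policy name works


def revoke_sessions_policy(cutoff: datetime) -> Dict[str, Any]:
    """Inline Deny that invalidates every session of the role issued before `cutoff`.

    Temporary credentials cannot be recalled, but each call they make is re-evaluated against
    the role's policies, so a Deny keyed on aws:TokenIssueTime takes effect immediately.
    Sessions issued after the cutoff (a pipeline re-run once it is cleaned up) are unaffected."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware; CloudTrail times are UTC")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"],
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def revoke_role_sessions(iam, role_name: str, cutoff: datetime) -> str:
    """Attach the revocation policy to the role; returns the document that was written."""
    document = json.dumps(revoke_sessions_policy(cutoff))
    iam.put_role_policy(RoleName=role_name, PolicyName=REVOKE_POLICY_NAME, PolicyDocument=document)
    return document


def deactivate_access_keys(iam, user_name: str) -> List[str]:
    """Set every Active access key of the user to Inactive. Deactivating rather than deleting
    keeps the key ID searchable in CloudTrail and preserves evidence. Returns the IDs changed."""
    changed = []
    for page in iam.get_paginator("list_access_keys").paginate(UserName=user_name):
        for key in page["AccessKeyMetadata"]:
            if key["Status"] == "Active":
                iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
                changed.append(key["AccessKeyId"])
    return changed


class StubIam:
    """Records the calls a boto3 IAM client would receive (constructed for this example)."""
    def __init__(self, keys: List[Dict[str, str]]):
        self.keys, self.calls = keys, []

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))
        for key in self.keys:
            if key["AccessKeyId"] == kw["AccessKeyId"]:
                key["Status"] = kw["Status"]

    def get_paginator(self, name: str):
        assert name == "list_access_keys"
        stub = self

        class _Paginator:
            def paginate(self, **kw):
                return [{"AccessKeyMetadata": [dict(k) for k in stub.keys]}]
        return _Paginator()


def demo() -> Dict[str, Any]:
    """Contain the two entities the analysis flagged: a user with long-lived keys and a role.
    In a real response the cutoff is datetime.now(timezone.utc); a fixed value keeps this deterministic."""
    cutoff = datetime(2023, 11, 6, 2, 14, 0, tzinfo=timezone.utc)
    iam = StubIam([{"AccessKeyId": "AKIAEXAMPLE000001", "Status": "Active"},
                   {"AccessKeyId": "AKIAEXAMPLE000002", "Status": "Inactive"}])
    keys = deactivate_access_keys(iam, "ci-deploy")
    policy = json.loads(revoke_role_sessions(iam, "AppRole", cutoff))
    return {"deactivated": keys, "policy": policy, "calls": [c[0] for c in iam.calls],
            "key_status": {k["AccessKeyId"]: k["Status"] for k in iam.keys}}
```

The Deny covers every session of that role issued before the cutoff, legitimate ones included, which is usually what you want during containment; the SCP variant the linked post describes applies the same condition across an organization from the management account. Leave the inline policy in place: it costs nothing once all affected sessions have expired, and removing it early would re-admit any still-valid token.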

Additional considerations

In addition to querying CloudTrail, you can use Athena to query other logs, such as VPC Flow Logs and Amazon Route 53 DNS logs. You can also use Amazon Security Lake, which is generally available, to automatically centralize security data from AWS environments, SaaS providers, on-premises environments, and cloud sources into a purpose-built data lake stored in your account. To better understand which logs to collect and analyze as part of your incident response process, see Logging strategies for security incident response.

We recommend that you understand the playbook implementation described in this blog post before you expand the scope of your incident response solution. Running queries and automating containment are two elements to consider as you think about the next steps to evolve your incident response processes.

Conclusion

In this blog post, we showed how you can use Jupyter notebooks to simplify and standardize your incident response processes. You reviewed how to respond to a potential credential compromise incident using a Jupyter notebook style playbook. You also saw how this helps reduce the time to resolution and standardize the analysis and response. Finally, we presented several artifacts and recommendations showing how you can tailor this solution to meet your organization's specific security needs. You can use this framework to evolve your incident response process.

Further resources

  • AWS Security Incident Response Guide
  • Jupyter-notebook-for-incident-response GitHub repo
  • JupyterLab interface
  • Jupyter Notebook cheat sheet
  • Logging strategies for security incident response
  • Generate machine learning insights for Amazon Security Lake data using Amazon SageMaker

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on AWS re:Post or contact AWS Support.

Originally published on the WeChat official account 黄师傅的赛博dojo: How to improve your security incident response processes with Jupyter notebooks

Please keep this link when reposting (CN-SEC 中文网; thanks to the original author for their work): http://cn-sec.com/archives/2288529.html
