
P0LR Espresso - Pulling Shots of Cloud Live Response & Advanced Analysis

In today’s detection landscape, defenders are overwhelmed by pre-canned dashboards and visualizations that are often aesthetically pleasing but lack actionable insight. While triaging suspicious activity, it is not often that these tools succinctly answer the core question: Is this identity compromised?
Additionally, in today’s world of interlinked data sources—on-prem, multi-cloud tenants, IdP, numerous SaaS applications—even searching for known-suspect IOCs is a challenge given differing and ever-changing log structures. Normalization of these key values is a crucial but tedious process that grows in complexity with each new data integration (even with each update of existing integrations!).
While the Detection Engineering team at Permiso has developed this normalization and multi-layered behavioral detections across dozens of integrations’ runtime logs in the Permiso Identity Security Platform, we are excited to share a smaller-scale version of some of these normalization efforts to assist security teams with tightly-scoped investigations.
Introducing P0LR Espresso (P0 Labs Live Response), a brand new open-source tool that, like espresso, quickly pulls cold and direct shots of helpful context in the high-pressure Priority-0 Live Response process common to every DFIR analyst. This framework normalizes key values from input logs, tamps them into an analytical "portafilter” and extracts a strong stream of behavioral and statistical insights using meaningful and clear visualizations. Its normalization of fields in event logs originating from multiple cloud integrations enables defenders to shift their time from trying to understand each integration’s structure to focusing on understanding the story of what happened in the timeline of activity contained in the logs.
Problem: Diverse Cloud Log Formats
At Permiso, we integrate with dozens of cloud-based data sources produced by different companies and products. This diversity translates to different log formats, fluctuating levels of granularity and even inconsistencies between distinct versions of the same company’s logs. Understanding these differences and mapping or normalizing similar fields becomes vital for defenders attempting to efficiently investigate activity spanning multiple integrations.
The following simple example illustrates some of these differences by showing the mapping between similar concepts represented by different property names for the creation of a role in AWS and GCP:
Figure 1: Example of log property name mappings between AWS and GCP for role creation event
Manually normalizing these values every time the data is queried significantly complicates defenders’ query logic, whether in investigations or detection pipelines, and repeats the same transformations on every query. The normalized versions of the above example’s values can be seen below as the more generic Identity, Action, IP Address and User Agent properties:
- Identity
  - AWS: principalId or arn
  - GCP: protoPayload.authenticationInfo.principalEmail or protoPayload.authenticationInfo.principalSubject
- Action
  - AWS: eventName
  - GCP: protoPayload.methodName
- IP Address
  - AWS: sourceIPAddress
  - GCP: protoPayload.requestMetadata.callerIp
- User Agent
  - AWS: userAgent
  - GCP: protoPayload.requestMetadata.callerSuppliedUserAgent
This problem of property name differences exists between most integrations, even between different products owned by the same company. The addition of each new integration first involves data exploration and mapping of these concepts to their generic normalized property names.
Figure 2: Table showing log property name differences in several common cloud, identity and SaaS integrations
Permiso’s approach involves normalizing these properties once during ingestion, transforming raw logs into a common language for all downstream exploration and detection development. This enables simplified searching for specific property values (i.e. IP Address) across numerous integrations. Additionally this normalization enables more efficient baselining of similar concepts, like historical counting of Action values for a specific identity across disparate integrations.
Having this common data model also simplifies the cognitive load for defenders searching through raw logs (augmented with these normalized properties) since repeated extraction of easily forgotten mappings is no longer required for each integration.
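The mapping and the two downstream uses described above (searching one normalized property such as IP Address across integrations, and counting Action values per identity) are shown below as an added example in Python. This is illustration code written for this post, not P0LR Espresso’s own implementation. It assumes the CloudTrail fields principalId and arn sit under userIdentity (as CloudTrail emits them), the IOC structure is a hypothetical name to (property, values) table, and the two log records are constructed samples, not real logs.

```python
"""Normalize AWS CloudTrail and GCP Cloud Audit Log records into one schema,
then run an IP Address IOC match and per-identity Action counts over the result.

Added example for illustration; not code from the P0LR Espresso project.
"""
from collections import Counter, defaultdict

# Normalized property -> ordered candidate raw field paths per integration.
# The first path that resolves to a non-empty value wins (this gives the
# "principalId or arn" / "principalEmail or principalSubject" fallback).
# Assumption: CloudTrail nests principalId/arn under userIdentity.
FIELD_MAP = {
    "aws": {
        "Identity":   ["userIdentity.arn", "userIdentity.principalId"],
        "Action":     ["eventName"],
        "IP Address": ["sourceIPAddress"],
        "User Agent": ["userAgent"],
    },
    "gcp": {
        "Identity":   ["protoPayload.authenticationInfo.principalEmail",
                       "protoPayload.authenticationInfo.principalSubject"],
        "Action":     ["protoPayload.methodName"],
        "IP Address": ["protoPayload.requestMetadata.callerIp"],
        "User Agent": ["protoPayload.requestMetadata.callerSuppliedUserAgent"],
    },
}

# Constructed sample records (not real logs): an AWS CreateRole, a GCP CreateRole
# by a user, and a GCP call where only principalSubject is present.
SAMPLE_LOGS = [
    ("aws", {"eventName": "CreateRole",
             "userIdentity": {"principalId": "AIDAEXAMPLE",
                              "arn": "arn:aws:iam::123456789012:user/alice"},
             "sourceIPAddress": "203.0.113.10",
             "userAgent": "aws-cli/2.15.0"}),
    ("gcp", {"protoPayload": {
                "methodName": "google.iam.admin.v1.CreateRole",
                "authenticationInfo": {"principalEmail": "alice@example.com"},
                "requestMetadata": {"callerIp": "203.0.113.10",
                                    "callerSuppliedUserAgent": "gcloud/470.0.0"}}}),
    ("gcp", {"protoPayload": {
                "methodName": "google.iam.admin.v1.CreateRole",
                "authenticationInfo": {"principalSubject": "serviceAccount:ci@example.iam.gserviceaccount.com"},
                "requestMetadata": {"callerIp": "198.51.100.7",
                                    "callerSuppliedUserAgent": "gcloud/470.0.0"}}}),
]

# Hypothetical IOC table: name -> (normalized property, set of suspect values).
IOCS = {"suspect-ip": ("IP Address", {"203.0.113.10"})}


def get_path(record, path):
    """Resolve a dotted path in a nested dict; None if any hop is missing."""
    cur = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def normalize(integration, record):
    """Return the normalized properties plus the source integration and raw record."""
    out = {"Integration": integration, "raw": record}
    for prop, candidates in FIELD_MAP[integration].items():
        values = (get_path(record, p) for p in candidates)
        out[prop] = next((v for v in values if v), None)
    return out


def match_iocs(events, iocs):
    """Tag each normalized event with the names of IOCs it matches.

    Because the match runs on normalized properties, one IP Address IOC covers
    every integration without per-source field names in the query."""
    for ev in events:
        ev["IOCs"] = sorted(name for name, (prop, values) in iocs.items()
                            if ev.get(prop) in values)
    return events


def action_counts_by_identity(events):
    """Count Action values per Identity across all integrations (baseline input)."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev["Identity"]][ev["Action"]] += 1
    return counts


def run_example():
    """Normalize the constructed sample logs and apply the IOC table."""
    events = [normalize(src, rec) for src, rec in SAMPLE_LOGS]
    return match_iocs(events, IOCS)


if __name__ == "__main__":
    for ev in run_example():
        print(ev["Integration"], ev["Identity"], ev["Action"], ev["IP Address"], ev["IOCs"])
```

The ordered candidate list per property is what makes the "principalId or arn" fallback a data decision rather than query logic: the third sample record has no principalEmail and still lands in the same Identity column, and the single IP Address IOC matches the AWS and GCP events alike.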
Solution
P0LR Espresso introduces an extensible approach to normalizing runtime log data across multiple cloud integrations, including SaaS, PaaS and IdP platforms, for all logs ingested in a tightly-scoped investigation. The common schema produced by this normalization process enables threat hunters and detection engineers to shift focus from on-the-fly property mappings to identifying the general patterns of noteworthy activity.
This tool dramatically improves the ability to track and investigate an identity’s behavior across environments, empowering defenders to identify anomalies, behavior shifts and potential compromises far more efficiently.
Main Page Overview
The main page of P0LR Espresso offers three (3) different sections:
- Event List - Detailed View - Timeline of normalized events to which several aggregations can be easily applied, grouped by IP, User or Action. Counts and names of potential IOC matches can also be found for each event.
- IOCs - List of distinct pre-built and custom IOCs with quick-view metadata detailing number of matching Events, Users, IPs, Actions and Services for each IOC. Custom IOCs (integration-specific and universal) can be added in the UI and stored persistently in the ioc folder for all future invocations of the P0LR Espresso framework.
- Identity Activity Analysis - Visualizations displaying event counts per identity over time with optional time range filters and time bin granularity settings. These visualizations assist defenders in quickly identifying unexpected spikes of activity or uncommon identity activity outside normal timelines of activity.
Figure 3: P0LR Espresso main analysis page
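The Identity Activity Analysis section above (event counts per identity over time, with a time range filter and a bin granularity setting) is shown below as an added example in Python. This is illustration code written for this post, not P0LR Espresso’s own code. It takes already-normalized events carrying Identity and Timestamp properties (constructed below), bins them, fills quiet bins with zeros so gaps are visible, and flags bins far above an identity’s median as the kind of spike the visualization is meant to surface. The spike rule (more than 3x the median bin count and at least 5 events) is an assumption chosen for illustration, not a setting of the tool.

```python
"""Per-identity event counts over time bins, with optional time-range filtering
and a simple spike flag, over already-normalized events.

Added example for illustration; not code from the P0LR Espresso project.
Assumes each event carries normalized "Identity" and "Timestamp" (ISO 8601, UTC).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample events (not real logs): alice does one action an hour from
# 12:00 to 17:00, then 20 actions inside the 18:00 hour; bob acts twice.
SAMPLE_EVENTS = (
    [{"Identity": "alice@example.com", "Timestamp": f"2024-05-01T{h:02d}:15:00Z"}
     for h in range(12, 18)]
    + [{"Identity": "alice@example.com", "Timestamp": f"2024-05-01T18:{m:02d}:00Z"}
       for m in range(0, 40, 2)]
    + [{"Identity": "bob@example.com", "Timestamp": "2024-05-01T13:30:00Z"},
       {"Identity": "bob@example.com", "Timestamp": "2024-05-01T16:05:00Z"}]
)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp, accepting the trailing 'Z' cloud logs use."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def floor_to_bin(ts, bin_minutes):
    """Round a timestamp down to the start of its bin."""
    step = bin_minutes * 60
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)


def activity_by_identity(events, bin_minutes=60, start=None, end=None):
    """Return {identity: {bin_start: count}} for events within [start, end).

    Every bin in the range is present for every identity that has at least one
    event, so quiet periods show as zeros instead of silently disappearing."""
    stamps = [parse_ts(e["Timestamp"]) for e in events]
    lo = parse_ts(start) if start else min(stamps)
    hi = parse_ts(end) if end else max(stamps) + timedelta(seconds=1)
    counts = defaultdict(Counter)
    for ev, ts in zip(events, stamps):
        if lo <= ts < hi:
            counts[ev["Identity"]][floor_to_bin(ts, bin_minutes)] += 1
    bins = []
    b = floor_to_bin(lo, bin_minutes)
    while b < hi:
        bins.append(b)
        b += timedelta(minutes=bin_minutes)
    return {ident: {b: c[b] for b in bins} for ident, c in counts.items()}


def spikes(series, factor=3, min_events=5):
    """Bins whose count exceeds factor x the identity's median bin count.

    The min_events floor (an illustrative choice) keeps a single event from being
    flagged for an identity whose median is zero."""
    med = median(series.values())
    return sorted(b for b, c in series.items() if c > max(factor * med, min_events))


def run_example(bin_minutes=60):
    """Bin the sample events and report flagged bins per identity."""
    series = activity_by_identity(SAMPLE_EVENTS, bin_minutes)
    return {ident: spikes(s) for ident, s in series.items()}


if __name__ == "__main__":
    for ident, flagged in run_example().items():
        print(ident, [b.isoformat() for b in flagged])
```

Changing bin_minutes is the granularity setting: the same 20 events that stand out as one 18:00 bin at 60-minute granularity spread into ten smaller bins at 5-minute granularity, which is why the tool exposes the setting rather than fixing it.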
IOC Details
Clicking View Details in any IOC displays more metadata about the frequency and diversity of numerous values in the matching events, including distinct and actual value-count pairs of Users, IP Addresses, Actions and Services values.
Figure 4: P0LR Espresso IOC Details page
Additional features such as custom IOC creation and normalized search capabilities are detailed in the project’s README.
Conclusion
Permiso Security invests significant research and engineering efforts into normalizing common data concepts across dozens of disparate data sources. Normalizing during the initial ingestion of runtime events greatly simplifies all downstream log analysis, whether manual investigations or additional automated detection evaluation.
While P0LR Espresso is designed to highlight some of these capabilities on a small scale of targeted data, the Permiso Identity Security Platform runs much more complete normalizations and multi-layer vulnerability and detection logic against all runtime events in our customers’ integrations.
You can access P0LR Espresso on GitHub: https://github.com/Permiso-io-tools/p0lr-espresso