A Crash Course in Audit Logs

00:00

so my name is Justin Massey I'm a

00:01

product manager for data dog

00:03

and rather than dive into the demo the

00:06

data dog product or talked too much

00:07

about it we have a sponsor booth for

00:09

that you can check out that but let's

00:11

dive deep into audit logs I work on our

00:15

threats about threat detection product

00:17

and I I work with a lot of our customers

00:20

I looked to them about their application

00:22

logs and best practices and I've worked

00:25

on many different environments before

00:28

and the application logs always seem to

00:30

be lacking some information so one thing

00:33

we want to do with these application

00:35

logs is we want to do analytics on them

00:36

and analytics we have like our analytics

00:40

on the right-hand side and our actual

00:42

logs on the left-hand side now these are

00:44

all of our authentication events so

00:46

imagine you wanted to detect a an

00:51

outlier and you see that this outlier

00:53

this user admin has more is it has more

00:57

failed logins than the rest if you

00:59

wanted to drill down to this specific

01:01

user you want to be able to ask

01:03

questions about that why and you may

01:06

want to drill down to a specific IP

01:08

address and you want to take a look at

01:09

that now you want to you you've now

01:12

quickly drilled down you can see all of

01:13

this information regarding this specific

01:17

audit blog but first to get here you

01:19

have to have your audit logs in a good

01:21

condition the next thing you want to do

01:24

on these audit logs is you want to do

01:26

threat detection on them you're going to

01:28

want to look at they sim audit logs and

01:30

ensure for this example you may be

01:34

wanting to detect it like a potential

01:35

potential brute-force attack now another

01:39

thing that you use your audit logs for

01:42

is customers ask for them and then when

01:45

they're asking for them it's typically

01:47

not at a good situation your audit the

01:49

customers are asking for those auto logs

01:51

because something else in the

01:52

environment is going going on maybe they

01:55

have a security incident and they are

01:56

investigating so you want to be able to

01:58

return these audit logs in a quick

02:00

manner next after the customers ask for

02:04

them they're going to ask you to delete

02:05

them so this is the right to be

02:07

forgotten so you want your audit logs in

02:10

a good format where you can quickly

02:12

delete

02:13

when the customers have requested that

02:16

so yes what's the problem well I've

02:21

logged into many different applications

02:25

when I'm starting a new job and I've

02:26

taken a look at our application logs and

02:28

something like this happens you see John

02:31

Doe logs in and it doesn't necessarily

02:33

say what IP address it was from the next

02:37

one is a login from that's likely

02:39

addressed but what user just did it then

02:42

you have password reset was cents it to

02:44

who you're not answering all the

02:46

questions here and even though that this

02:48

John Doe logged in and this failed login

02:51

these proposed the communication events

02:53

where the outcome may have been

02:54

successful or unsuccessful there are

02:56

very similar logs but you're not showing

02:59

that and it's going to be very hard to

03:02

present this in an analytical way or

03:05

search for these logs once they're

03:08

stored so if you want to do things like

03:11

show your top audit logs you need a

03:14

better format so how do we talk to

03:17

developers about these audit logs what

03:20

what can we suggest well I'm gonna pose

03:23

some very very very basic questions we

03:25

want to know who is doing something

03:27

typically this is a user what is that

03:31

user doing where is that occurring from

03:34

maybe that's what an IP address when did

03:38

it occur

03:39

why so you may don't always be able to

03:43

answer the question of why why did John

03:44

do login I don't know but if your audit

03:47

logs said we lock this user out because

03:51

the user failed to login five times

03:54

that's your reason why but you may not

03:56

have a Y for every single log so we take

03:59

this example log we have the timestamp

04:02

John Doe logged in from 1.2.3.4 with

04:06

OAuth so this gives us a little bit more

04:09

information it asks it answers all of

04:10

those questions however your developers

04:14

may have done this for OAuth but for

04:16

something like sam'l the format may have

04:18

changed even though the login was still

04:21

a login it was just a different type so

04:23

being able to search these it makes it

04:25

very difficult

04:26

so I'm gonna pose that we use a little

04:29

bit more structured format what if we

04:31

said user equals John Doe and we've used

04:34

the equal as a delimiter and we've put

04:37

quotations around that users name and

04:40

we've said that the event is an

04:42

authentication event the outcome of that

04:44

event was successful so we answered to

04:47

what questions here what was the event

04:49

and what was the outcome now we have an

04:52

IP address where they logged in from the

04:55

type of authentication and the type type

04:58

people's on it we've appended this audit

05:00

so that we can quickly search to search

05:02

and filter down to all of our audit

05:03

events now a machine can easily read

05:07

this you're seeing this imagine if you

05:11

had a grok parser or some sort of reg X

05:16

you can quickly filter down these key

05:18

value pairs and you get something that

05:19

looks like this user John Doe event and

05:22

then you can see how much easier it is

05:25

to gather that information about what

05:27

the specific event was and graph this

05:30

and display this and whatever way you're

05:33

doing your log management now how do you

05:36

get there

05:38

you want some sort of central audit log

05:40

function this is a very basic function

05:43

[Music]

05:44

pseudocode looks something like python

05:48

it takes in a couple of different

05:50

attributes it would take in the request

05:52

object the event and the outcome now

05:56

you'll see that the first thing I do in

05:58

the outcome is I put it allow list here

06:01

for success in failure and the success

06:04

and failure I do this because there's

06:06

many different ways to say success you

06:08

can say success successful or failure

06:11

you can say fail failed failure that

06:13

there's a lot of different ways to say

06:15

this so we just put a little allow list

06:16

here and require that they are in this

06:19

list the next thing we do is we put it

06:23

in that exact format and we're gonna let

06:25

the let the logger handle the timestamp

06:28

format so once you have this centralized

06:32

audit function I want you to monitor it

06:34

and what I mean by monitor is if there

06:37

are changes to this file maybe this is

06:39

just in like

06:40

if this was like say it's like lager pie

06:42

if there's ever a change to this file

06:45

you should know so whether that's

06:47

setting a code owners file in github or

06:49

having something in a CI check please

06:52

monitor make sure that it's when it has

06:55

changed

06:56

you are aware of that change so a couple

07:00

things to keep in mind when you're

07:03

talking about users may be you may be

07:05

asking the question you know was this

07:07

request from an API key or was it from a

07:09

browser session or what happens if the

07:12

user has five API keys and I need to one

07:16

of these API keys is compromised so I

07:19

need to know which one was the one

07:20

making the request so you should take us

07:24

in mind when adding this into your log

07:26

file next thing I want to talk about is

07:29

IP issues I've seen many many logs where

07:32

they are in the wrong where they're

07:34

logging the wrong IP address and

07:36

typically this happens in HTTP logs due

07:38

to the improper use of x-forwarded-for

07:40

headers you take a look at this if John

07:43

Doe makes a request to a web application

07:46

through a load balancer you may be

07:49

getting the IP address of the load

07:52

balancer and logging that into your

07:54

application looks that is not good that

07:56

is not what you want you want the

07:59

original IP address of John Doe so

08:03

please please please make sure if your

08:06

web application should only be external

08:07

to external applications maybe you can

08:09

make sure that the IP address matches an

08:14

external IP address format next thing I

08:17

want to talk about are joints if you

08:20

take that same scenario where you have a

08:21

load balancer in a web application you

08:24

may want to gather other information

08:26

from that initial request in your web

08:28

application log you may not have the

08:30

user agent but you want to know that

08:32

user agent information how do you gather

08:35

that information well if you don't have

08:37

an ID to join them together it's not

08:40

going to be possible

08:41

so I recommend adding a some sort of

08:45

request ID in here so you can trace it

08:47

through the entire application stack and

08:49

that should be logged in all the all the

08:51

logs so that you can quickly filter down

08:53

and see every

08:54

single every every single log that was

09:00

associated with that request so next

09:04

thing I want to talk about are some

09:05

considerations with which events to log

09:08

when we're talking about API we commonly

09:11

talked about crud create reads updates

09:14

deletes one of these is not like the

09:16

other reads reads are non state changing

09:20

API calls however they should be logged

09:23

but you're going to have a large number

09:27

of reads very very likely you're gonna

09:29

have a high number of reads so you may

09:31

need to consider the storage of the

09:34

reads differently than the stateful

09:37

configurations now don't know don't

09:39

think you don't have to log the reads

09:40

you should log the reads because you're

09:42

going to need say the data breach

09:44

happens and you want to identify what

09:47

content was accessed you want those

09:50

reads so what should you monitor for

09:54

this is just a when you're when you're

09:57

figuring out what's a log you need to

09:58

think about like what exactly are you

09:59

monitoring for and if you're in security

10:01

it's not only security use cases

10:03

there's also operational use cases you

10:05

need to ask so just think about this

10:07

write down exactly what you want to

10:09

monitor for and make sure that those

10:11

events make it into the logs a couple of

10:15

things extra things to ponder is how

10:17

you're storing your audit logs you know

10:19

are you storing these on disk and then

10:21

replicating them to you know some

10:24

offline or like s3 are you making sure

10:28

that these can only be like read once

10:32

right many like how are you storing

10:34

these audit logs how do you handle those

10:38

deletion request I mentioned earlier if

10:40

you have logged that information and in

10:44

a nice format it maybe is going to make

10:46

your life a lot easier to run a script

10:48

and delete that content that has to be

10:50

deleted with that that's that's all the

10:55

talk today Sam I'll hand it back to you