Remediate Cyber-Threat via Serverless Framework AWS Lambda

11 April 2019 at 11:51 AM

Centrify Analytics Service (CAS), a multi-tenant cloud service, applies Artificial Intelligence (AI) and big data analytics to provide intelligent, real-time access security. AI and big data analytics can detect and eliminate improper security policies, unnecessary permissions, and access anomalies, and surface those threats for monitoring. When a threat is identified, CAS annotates the risk event with a risk score and risk distribution, then creates an alert. The administrator then receives a notification via SMS and can remediate the threat. In this article, we provide an example of how to use a Centrify Analytics webhook to trigger an AWS Lambda function. All the code examples can be found in this Github repository.

 

Centrify Analytics Service Webhook is an HTTP callback triggered by Centrify Analytics events. When an alert event occurs, for example, Centrify Analytics Service can send the alert to a third-party application via the webhook. This lets users respond quickly to a threat alert and contain its impact.

AWS Lambda is a compute service to which you upload your code; the service then runs that code on your behalf within the AWS infrastructure. As a serverless framework, AWS Lambda makes it easy to develop the automation and orchestration workflow that handles alerts from Centrify Analytics Service.

The AWS Lambda function in this example sends an SMS or email when a Centrify Analytics alert is triggered. By extending the example function, you can achieve more sophisticated remediation tasks, such as killing the session or banning the IP address. The following diagram illustrates the architecture of the example.

(Architecture diagram)

Create SNS Topic

 

Log in to your AWS Console and create an SNS topic named “analytics-demo”.

(Screenshot: SNS topic)

Create an SMS subscription: choose SMS as the protocol and input your mobile number.

(Screenshot: SNS topic subscription)

 

Create the AWS Lambda function

 

Log in to your AWS Console via your favorite browser and select “Lambda” from “Services”.

  1. In “Functions”, click the “Create function” button.
  2. In the “Create function” wizard, choose “Author from scratch”, input a “name”, choose Python 3.6 in “Runtime”, choose “Create new role from template(s)” from the “Role” drop-down, input a “Role name”, and choose “SNS publish policy” from the “Policy templates” drop-down.
  3. Click “Create function”.
  4. In “Function code”, choose “Edit code inline” in the “Code entry type” drop-down list.
  5. Copy and paste the following code, remembering to replace the sns_arn variable with your SNS ARN.
  6. Review the code and settings, then click the “Save” button.
import json
import boto3

sns = boto3.client('sns')

def lambda_handler(event, context):
    # With the "Lambda Function" integration, API Gateway passes the webhook JSON body as the event
    print("Received event: " + json.dumps(event, indent=2))
    # Replace the following with your SNS ARN
    sns_arn = 'arn:aws:sns:us-west-2:99999999:analytics-demo'
    # With MessageStructure='json', SNS expects a JSON object whose "default" key
    # holds the message text as a string. Only that key is sent, so a payload
    # field named after a protocol (e.g. "email" or "sms") cannot override the
    # message or make the publish call fail.
    sns_event = {"default": json.dumps(event)}
    try:
        sns.publish(
            TargetArn=sns_arn,
            Message=json.dumps(sns_event),
            MessageStructure='json',
            Subject="Centrify Analytics Alert"
        )
    except Exception as e:
        print(e)
        raise

 

This sample code uses boto3 to publish the webhook payload from Centrify Analytics to the SNS topic to which your mobile number is subscribed.
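The handler above sends the raw payload to every subscriber. As an added example (not code from the article or its repository), the variant below keeps the same API Gateway “Lambda Function” integration, so `event` is the webhook JSON body, but builds a proper per-protocol SNS message: a short one-line summary for SMS subscribers and the full pretty-printed payload for email subscribers. The SNS client is injectable so it can be exercised offline; the `SNS_TOPIC_ARN` environment variable, the `FakeSns` class and the `SAMPLE_ALERT` field names are assumptions made for this example, not the documented webhook schema.

```python
import json
import os


class FakeSns:
    """In-memory stand-in for boto3's SNS client so the handler can be run
    and inspected offline; it records every publish() call."""

    def __init__(self):
        self.published = []

    def publish(self, **kwargs):
        self.published.append(kwargs)
        return {"MessageId": "fake-%d" % len(self.published)}


# Constructed sample alert for local testing. The field names are assumptions
# for illustration, not the documented Centrify Analytics webhook schema.
SAMPLE_ALERT = {
    "eventType": "SecurityAlert",
    "user": "alice@example.com",
    "riskScore": 85,
    "riskDistribution": {"high": 0.8, "medium": 0.2},
}

# Fields summarised in the SMS text (assumed names, as above).
SUMMARY_FIELDS = ("eventType", "user", "riskScore")


def build_sns_message(event):
    """Build the body for an SNS publish with MessageStructure='json'.

    SNS requires a "default" key and lets protocol-specific keys ("sms",
    "email") override it for subscribers of that protocol; every value must
    be a string. Only these three keys are sent, so a payload field that
    happens to be named after a protocol can never change what is delivered
    or make the publish call fail.
    """
    if not isinstance(event, dict):
        raise ValueError("webhook payload must be a JSON object")
    summary = ", ".join("%s=%s" % (k, event[k]) for k in SUMMARY_FIELDS if k in event)
    if not summary:
        summary = "no summary fields present"
    return {
        "default": json.dumps(event, separators=(",", ":")),
        "sms": ("Centrify Analytics alert: " + summary)[:140],  # keep SMS to one short message
        "email": json.dumps(event, indent=2),
    }


def lambda_handler(event, context, sns_client=None):
    """Lambda entry point. With the article's non-proxy "Lambda Function"
    integration, API Gateway passes the webhook JSON body as `event`."""
    # Topic ARN from the environment (assumed variable name); the fallback is
    # the same placeholder ARN the article uses.
    topic_arn = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:us-west-2:99999999:analytics-demo")
    if sns_client is None:
        import boto3  # imported lazily so the module loads without boto3 for local tests
        sns_client = boto3.client("sns")
    message = build_sns_message(event)
    response = sns_client.publish(
        TargetArn=topic_arn,
        Message=json.dumps(message),
        MessageStructure="json",
        Subject="Centrify Analytics Alert",  # used by email subscribers only
    )
    return {"messageId": response.get("MessageId"), "sms": message["sms"]}


if __name__ == "__main__":
    fake = FakeSns()
    print(lambda_handler(SAMPLE_ALERT, None, sns_client=fake))
    print(fake.published[0]["Message"])
```

Deploying this in place of the original needs the same SNS publish role; set `SNS_TOPIC_ARN` in the function's environment variables rather than editing the code, and keep the `riskScore` and `user` fields in the SMS text so an on-call admin can triage from the phone without opening the portal.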

 

Setup AWS API Gateway

 

To make the Lambda function accessible via an HTTP POST, you need to create an AWS API Gateway and associate the Lambda function with an API endpoint.

 

Log in to your AWS Console via your favorite browser and select “API Gateway” from “Services”.

 

  1. Click the “Create API” button and input “Analytics Demo API” as the “API name”.
  2. Click the “Create API” button.
  3. Choose “Create Resource” in the “Actions” drop-down, then input “analyticsdemo” as the “Resource Name” and “analyticsdemo” as the “Resource Path”.
  4. Click the “Create Resource” button.
  5. Select the newly created “analyticsdemo” node in the “Resources” tree, choose “Create Method” in the “Actions” drop-down, and choose the “POST” method for the “analyticsdemo” resource.
  6. In the POST method configuration panel, choose “Lambda Function” as the “Integration type”, choose the proper “Lambda Region”, and input your Lambda ARN in “Lambda Function”.
  7. Click the “Save” button.

If all went well, you should end up with an execution workflow diagram like this:

 

(Screenshot: API Gateway POST method execution workflow)

 

Setup API Stage

 

The stage is a label for an API lifecycle stage, e.g., development, test, or production. In the API console, choose your API and the root resource of the API, then select “Deploy API” in the “Actions” drop-down:

 

(Screenshot: API stage)

 

In this example, I use “demo” as the stage name.

 

Setup Usage Plan

 

“Usage Plans” allow you to put controls and constraints on your API, e.g. “Rate”, “Burst”, and “Quota”.

 

If you have set up an API usage plan before, you only need to add the newly created API to that usage plan. Otherwise, follow the steps below. Also, if you have never used “Usage Plans” and don't see the option in the API console, you need to enable it in your account.

 

In the API console, choose “Usage Plans” and click the “Create” button. Follow the wizard and make sure to associate your API and stage with the usage plan.

 

(Screenshot: API usage plan)

 

Setup API Key

 

In the API console, choose “API Keys”, then choose “Create API key” in “Actions”. When the API key is created, click the newly created API key and click the “Add to Usage Plan” button to link your API key to the usage plan.

 

(Screenshot: API key)

 

Click the “Show” link, then copy and save your API key. This API key will be used in the webhook configuration in the Centrify Analytics Portal.

 

Deploy

 

In the API console, choose your API and the root resource of the API, then select “Deploy API” in the “Actions” drop-down. Use the “demo” stage to deploy the API. After deployment, your API is ready to use, and you can find the “Invoke URL” in the stage editor:

 

(Screenshot: deploy stage)

 

Setup Centrify Analytics Webhook

 

Log in to the Centrify Analytics portal and navigate to Settings -> Webhooks. Click the “New” button:

 

(Screenshot: Analytics webhook)

 

The webhook can also be imported from “Anomaly Detection Notification.json”, located in this Github repository.

 

 

End to end Testing

 

Now, whenever a SecurityAlert event is generated in your Centrify Analytics Service, you should get the SMS notification on your mobile device:

 

(Screenshot: SMS notification)

 

The code for this sample is available in this Github repository.
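Before relying on the portal to fire a real alert, it is worth confirming the deployed stage end to end yourself. The script below is an added example (not from the article or its repository): it posts a constructed SecurityAlert payload to the stage's invoke URL the way the webhook would, carrying the API key in the `x-api-key` header that API Gateway checks against the usage plan, and it explains the two responses you are most likely to hit while setting this up (403 and 429). The invoke URL and key are placeholders, the alert field names are assumptions, and `opener` is injectable so the function can be exercised offline.

```python
import io
import json
import urllib.error
import urllib.request
import urllib.response

# Placeholders: replace with the stage's invoke URL (plus the resource path)
# and the API key you copied from the API console.
INVOKE_URL = "https://REPLACE-ME.execute-api.us-west-2.amazonaws.com/demo/analyticsdemo"
API_KEY = "REPLACE-WITH-YOUR-API-KEY"

# Constructed sample alert (field names are assumptions, not the documented schema).
SAMPLE_ALERT = {"eventType": "SecurityAlert", "user": "alice@example.com", "riskScore": 85}

# What the usual API Gateway status codes mean at this point in the setup.
STATUS_HINTS = {
    403: "API key missing or invalid, or the key/stage is not in the usage plan",
    429: "usage plan rate, burst or quota limit exceeded",
}


def build_request(invoke_url, api_key, payload):
    """POST the alert as JSON with the key in the x-api-key header, which is
    the header API Gateway checks for usage-plan keys."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        invoke_url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key},
    )


def post_alert(invoke_url, api_key, payload, opener=urllib.request.urlopen):
    """Send one alert and return the status, body and a hint for common errors."""
    req = build_request(invoke_url, api_key, payload)
    try:
        with opener(req, timeout=10) as resp:
            return {"status": resp.getcode(), "body": resp.read().decode("utf-8"), "hint": ""}
    except urllib.error.HTTPError as err:
        return {
            "status": err.code,
            "body": err.read().decode("utf-8"),
            "hint": STATUS_HINTS.get(err.code, "see the API Gateway and Lambda logs"),
        }


def fake_opener(status, body):
    """urlopen look-alike for offline tests: 2xx returns a response object,
    anything else raises HTTPError just as urllib does."""
    def opener(req, timeout=None):
        if 200 <= status < 300:
            return urllib.response.addinfourl(io.BytesIO(body), {}, req.full_url, status)
        raise urllib.error.HTTPError(req.full_url, status, "error", {}, io.BytesIO(body))
    return opener


if __name__ == "__main__":
    print(post_alert(INVOKE_URL, API_KEY, SAMPLE_ALERT))
```

Run it twice: once with the real key (expect 200 and an SMS), once with the key removed. API Gateway only enforces usage-plan keys on methods whose “API Key Required” setting is enabled, so if the second run also succeeds, the endpoint is open to anyone who learns the invoke URL and the key is not actually protecting it.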
