Kicking off this project with a basic DSL in ruby which allows me to create a few rules. I then evaluate these rules and create basic output that confirms I'm on the right path.
Express simple rules which can be evaluated in a Ruby DSL manner.
Output should contain the name of the rule that matched and the threat level assigned to that rule.
Event data, so you can see what triggered the given rule.
I'm leaving out the obvious test scaffolding. The action performed on a match isn't very smart yet.
There are currently two rules at play here.
Delete commands from the UI
A high-level security alert is anyone deleting something from the UI by hand. This would indicate a user doing something manually, outside of a scripted action.
The userAgent field will contain a specific string indicating that this action was done via the UI console.
This would be an example of a rule that might not be needed in the lower accounts like dev or maybe even stage, but would be very relevant in production.
New KeyPair was created by hand
This is another 'quick and dirty' rule that would indicate someone created a new keypair by hand via the UI.
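To make the two rules above concrete, here is an added example of what such a Ruby DSL could look like; it is not the code from this project. It assumes CloudTrail-style event hashes with `eventName` and `userAgent` keys, that `console.amazonaws.com` is the userAgent marker for console actions, and a medium threat level for the keypair rule (neither is stated above).

```ruby
class Rule
  attr_reader :name, :threat
  def initialize(name, threat, &cond)
    @name, @threat, @cond = name, threat, cond
  end
  def match?(event)
    !!@cond.call(event)
  end
end

class RuleSet
  def initialize(&block)
    @rules = []
    instance_eval(&block)
  end
  # DSL entry point: rule "name", threat: :high do |event| ... end
  def rule(name, threat:, &cond)
    @rules << Rule.new(name, threat, &cond)
  end
  # One hash per (rule, event) match: rule name, threat level, and the event itself.
  def evaluate(events)
    events.flat_map do |ev|
      @rules.select { |r| r.match?(ev) }.map { |r| { rule: r.name, threat: r.threat, event: ev } }
    end
  end
end

CONSOLE_UA = "console.amazonaws.com" # assumed userAgent marker for console actions

RULES = RuleSet.new do
  rule "Delete commands from the UI", threat: :high do |ev|
    ev["eventName"].to_s.start_with?("Delete") && ev["userAgent"].to_s.include?(CONSOLE_UA)
  end
  rule "New KeyPair was created by hand", threat: :medium do |ev| # threat level assumed
    ev["eventName"] == "CreateKeyPair" && ev["userAgent"].to_s.include?(CONSOLE_UA)
  end
end

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
  { "eventName" => "DeleteSecurityGroup", "userAgent" => "console.amazonaws.com", "user" => "alice" },
  { "eventName" => "DeleteSecurityGroup", "userAgent" => "aws-cli/2.13.0", "user" => "deploy-bot" },
  { "eventName" => "CreateKeyPair", "userAgent" => "console.amazonaws.com", "user" => "bob" },
]

def report(events = SAMPLE_EVENTS)
  RULES.evaluate(events)
end
report.each { |m| puts "[#{m[:threat].to_s.upcase}] #{m[:rule]} :: #{m[:event].inspect}" }
```

The scripted `aws-cli` delete produces no alert, while the two console actions each match exactly one rule.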
Report output
Next up
Make the performed logic smarter. Probably going to do more work around the specifics of a user action versus an admin action.
Introduce more random data into the processing to see what comes up.
Introduce CloudFormation actions that could be interesting.