A list of demo models to trigger Workbench alerts for your cloud account.

The following is a list of demonstration models used to test your XDR for Cloud - AWS CloudTrail integration. Running a listed model creates an alert in the Workbench app. Trend Micro recommends using an IAM user in AWS to run the demo models so you can also test the Revoke Access Permission response task.

Demo Model - AWS Bedrock successful guardrail deletion detected

Use these steps to trigger the detection model and create a Workbench alert.

Procedure

  1. Open AWS CloudShell.
  2. Create a guardrail for the demo.
    Use the following command, making sure to provide the required attributes.
    aws bedrock create-guardrail --name <guardrail name> --blocked-input-messaging "test" --blocked-outputs-messaging "test" --word-policy-config wordsConfig=[{text=string1},{text=string2}]
  3. Verify the guardrail creation and copy the guardrail ID.
    Use the command aws bedrock list-guardrails.
  4. To trigger the demo model, delete the guardrail you created.
    Use the following command to delete the guardrail you created.
    aws bedrock delete-guardrail --guardrail-identifier <guardrail id>
  5. In the Trend Vision One console, go to XDR Threat Investigation > Workbench to view the generated alert.

Demo Model - AWS Bedrock model invocation logs successful deletion detected

Use these steps to trigger the detection model and create a Workbench alert.

Procedure

  1. In your AWS console, go to Resource Groups & Tag Editor > Bedrock configuration > Settings.
  2. Enable Model invocation logging.
  3. Select the log location.
  4. Click Save settings.
  5. To trigger the demo model, disable Model invocation logging.
  6. In the Trend Vision One console, go to XDR Threat Investigation > Workbench to view the generated alert.

Use these steps to trigger the detection model and create a Workbench alert.

Important: You must have IAM access permissions in AWS to trigger this model.

Procedure

  1. In your AWS console, access the IAM dashboard.
  2. Go to Access management > Users.
  3. Select a user for the test, or create a test user.
  4. In the user settings, go to Security credentials and click Assign MFA device.
  5. Follow the on-screen steps to add an MFA device to the user.
  6. To trigger the model, access the AWS CloudShell.
  7. Get the user name and the serial ID of the MFA device you set up.
    Use the following command to list all MFA devices. Copy the user name and the serial ID of the test device.
    aws iam list-virtual-mfa-devices
  8. Delete the MFA device.
    Use the following commands to delete the test MFA device. A virtual MFA device must be deactivated for the user before it can be deleted, and delete-virtual-mfa-device accepts only the serial number.
    aws iam deactivate-mfa-device --user-name "<user name>" --serial-number "<serial number>"
    aws iam delete-virtual-mfa-device --serial-number "<serial number>"
  9. In the Trend Vision One console, go to XDR Threat Investigation > Workbench to view the generated alert.

Demo Model - AWS EC2 EBS snapshot shared publicly or to external account

Use these steps to trigger the detection model and create a Workbench alert.

Procedure

  1. In your AWS console, access the EC2 console and go to Elastic Block Store > Snapshots.
  2. Click Create snapshot.
  3. To trigger the model, click the snapshot you created and go to Snapshot settings.
  4. Click Modify permissions.
  5. Under Sharing options, select Public.
  6. Click Modify permissions.
  7. In the Trend Vision One console, go to XDR Threat Investigation > Workbench to view the generated alert.

Demo Model - AWS IAM administrator access policy attached to a role

Use these steps to trigger the detection model and create a Workbench alert.

Procedure

  1. In your AWS console, access the IAM dashboard.
  2. Select an existing role, or create a new IAM role to test the model.
  3. Attach an admin policy to the role.
  4. To trigger the model, access the AWS CloudShell.
  5. Run the following command.
    aws iam attach-role-policy --role-name <name of role you just created> --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  6. In the Trend Vision One console, go to XDR Threat Investigation > Workbench to view the generated alert.
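All of the demo models above are driven by CloudTrail records of the action each procedure performs. The script below is an added illustration of how a defender can triage such records against those five actions; it is not Trend Micro's detection logic and not part of this page. It assumes that the eventSource and eventName values (DeleteGuardrail, DeleteModelInvocationLoggingConfiguration, DeleteVirtualMFADevice, ModifySnapshotAttribute, AttachRolePolicy) are the CloudTrail API names the demo actions emit and that request parameters follow the public CloudTrail record layout; the sample records, account ID, user, role and resource names are constructed placeholders. It also pulls out the acting principal, which is what a Revoke Access Permission response would target.

```python
"""Triage CloudTrail records against the demo-model actions listed on this page.

Added illustration, not Trend Micro's own detection logic. Assumptions: the
eventSource/eventName values are the CloudTrail API names the demo actions emit,
request parameters follow the public CloudTrail record format, and every sample
record below is constructed (account IDs, names and ARNs are placeholders).
"""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"  # from the page's step
BEDROCK = "bedrock.amazonaws.com"
IAM = "iam.amazonaws.com"
EC2 = "ec2.amazonaws.com"


def load_records(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def _params(record):
    return record.get("requestParameters") or {}


def _snapshot_shared_externally(record):
    """True when ModifySnapshotAttribute adds the 'all' group (public) or a foreign account."""
    perm = _params(record).get("createVolumePermission", {})
    items = perm.get("add", {}).get("items", [])
    own_account = record.get("recipientAccountId")
    return any(
        item.get("group") == "all"
        or (item.get("userId") and item.get("userId") != own_account)
        for item in items
    )


def classify(record):
    """Return the demo-model label a single CloudTrail record matches, or None."""
    if record.get("errorCode"):
        return None  # every model on this page fires on a *successful* action only
    source, name = record.get("eventSource"), record.get("eventName")
    if source == BEDROCK and name == "DeleteGuardrail":
        return "AWS Bedrock successful guardrail deletion detected"
    if source == BEDROCK and name == "DeleteModelInvocationLoggingConfiguration":
        return "AWS Bedrock model invocation logs successful deletion detected"
    if source == IAM and name == "DeleteVirtualMFADevice":
        return "AWS IAM virtual MFA device deleted (model title missing from page)"
    if source == EC2 and name == "ModifySnapshotAttribute" and _snapshot_shared_externally(record):
        return "AWS EC2 EBS snapshot shared publicly or to external account"
    if (source == IAM and name == "AttachRolePolicy"
            and _params(record).get("policyArn") == ADMIN_POLICY_ARN):
        return "AWS IAM administrator access policy attached to a role"
    return None


def principal(record):
    """Identity that performed the action: the target of a revoke-access response."""
    ident = record.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def triage(records):
    """Return (label, principal) for each matching record; non-matching records are dropped."""
    hits = []
    for rec in records:
        label = classify(rec)
        if label:
            hits.append((label, principal(rec)))
    return hits


# Constructed sample records (placeholder account ID, user, role and resource names).
SAMPLE_RECORDS = [
    {"eventSource": BEDROCK, "eventName": "DeleteGuardrail",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"},
     "requestParameters": {"guardrailIdentifier": "gr-placeholder"}},
    {"eventSource": BEDROCK, "eventName": "DeleteModelInvocationLoggingConfiguration",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"}},
    {"eventSource": IAM, "eventName": "DeleteVirtualMFADevice", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"}},  # failed call: no alert
    {"eventSource": EC2, "eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"},
     "requestParameters": {"snapshotId": "snap-placeholder",
                           "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventSource": EC2, "eventName": "ModifySnapshotAttribute", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"},
     "requestParameters": {"snapshotId": "snap-placeholder",
                           "createVolumePermission": {"add": {"items": [{"userId": "111111111111"}]}}}},
    {"eventSource": IAM, "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "demo-user"},
     "requestParameters": {"roleName": "demo-role", "policyArn": ADMIN_POLICY_ARN}},
]

if __name__ == "__main__":
    for label, who in triage(SAMPLE_RECORDS):
        print(f"{label} <- {who}")
```

Two of the constructed records deliberately do not match: the MFA deletion that failed with AccessDenied (the models fire on successful actions) and the snapshot shared only with the account's own ID (not public and not external). Run it against a real CloudTrail file with `load_records(open(path).read())` to see which of the demo actions appear in your own trail.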