Quick Start Security for AWS ALB
Coralogix Extension For AWS ALB Includes:
Dashboards - 3
Gain instantaneous visualization of all your AWS ALB data.
Alerts - 7
Stay on top of AWS ALB key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Possible Processing Time Anomaly
This alert triggers when the target_processing_time field has the value -1. The load balancer sets it to -1 when it cannot dispatch the request to a target: the target closed the connection before the idle timeout, the client sent a malformed request, or the registered target did not respond before the idle timeout. Target processing time is the total time elapsed (in seconds, with millisecond precision) from when the load balancer sent the request to a target until the target started to send the response headers.
Impact: High or failing backend processing can indicate a server under stress, which may be the result of a DoS attack or of an application responding to a resource exhaustion attack.
Mitigation: Check whether the -1 values (or a spike in target processing time) are caused by a configuration issue or by a possible DoS attack. If an attack is likely, block the offending client IPs in AWS WAF.
MITRE Tactic: TA0040 (Impact)
MITRE Technique: T1498 (Network Denial of Service)
Multiple Failed Authentication
This alert triggers when there are more than 15 failed authentication attempts from a single IP address within a 5-minute interval. An ALB can authenticate users itself, so authentication failures are recorded in its access logs.
Impact: A high number of failed authentication attempts can indicate a brute-force attack.
Mitigation: To investigate the cause of the failures, check the error_reason field of the access log entries. The possible error reason codes are documented at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
MITRE Tactic: TA0006 (Credential Access)
MITRE Technique: T1110 (Brute Force)
High Number of 4xx Response Code by Target Behind ALB
This alert triggers when the number of 4xx target status codes in a 5-minute interval exceeds its usual value by more than 5000. The target status code is the status code of the response from the target; it is recorded only if a connection was established to the target and the target sent a response, otherwise it is set to "-".
Impact: A high number of 4xx responses can indicate that the requests being sent are malformed or incomplete.
Mitigation: Check whether the 4xx responses are caused by a configuration issue or by a possible DoS attempt.
MITRE Tactic: TA0040 (Impact)
MITRE Technique: T1499 (Endpoint Denial of Service)
High Number of 5xx Response Code by ALB
This alert triggers when the number of 5xx ELB status codes in a 5-minute interval exceeds its usual value by more than 1000. The ELB status code is the status code of the response from the load balancer.
Impact: When the rate of 5xx responses rises, the cause is most often a bug in server-side code, and the increase can frequently be tied to a specific release. It can also indicate a successful attack that is causing server errors.
Mitigation: Check whether a recent code release coincides with the spike in error codes. Also check for signs of an attack on the server. Because the load balancer generates 5xx codes of its own (for example when no target responds), compare the ELB status code with the target status code to separate load balancer errors from application errors.
MITRE Tactic: TA0040 (Impact)
MITRE Technique: T1499 (Endpoint Denial of Service)
High Number of 4xx Response Code by ALB
This alert triggers when the number of 4xx ELB status codes in a 5-minute interval exceeds its usual value by more than 5000. The ELB status code is the status code of the response from the load balancer.
Impact: A high number of 4xx responses can indicate that the requests being sent are malformed or incomplete.
Mitigation: Check whether the 4xx responses are caused by a configuration issue or by a possible DoS attempt.
MITRE Tactic: TA0040 (Impact)
MITRE Technique: T1498 (Network Denial of Service)
No ALB Logs in last 6 hours
This alert triggers when the platform has received no ALB logs in the last 6 hours.
Impact: An adversary may disable logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Mitigation: Investigate the root cause and re-enable logging if it has been disabled. Additionally, restrict permission to change the logging configuration to the administrators who need it.
MITRE Tactic: TA0005 (Defense Evasion)
MITRE Technique: T1562 (Impair Defenses)
High Number of 5xx Response Code by Target Behind ALB
This alert triggers when the number of 5xx target status codes in a 5-minute interval exceeds its usual value by more than 1000. The target status code is the status code of the response from the target; it is recorded only if a connection was established to the target and the target sent a response, otherwise it is set to "-".
Impact: When the rate of 5xx responses rises, the cause is most often a bug in server-side code, and the increase can frequently be tied to a specific release. It can also indicate a successful attack that is causing server errors.
Mitigation: Check whether a recent code release coincides with the spike in error codes. Also check for signs of an attack on the server.
MITRE Tactic: TA0040 (Impact)
MITRE Technique: T1498 (Network Denial of Service)
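The seven alerts above all evaluate fields of the ALB access log. The following script is an added example, written for this page rather than taken from Coralogix or AWS, that parses ALB access log lines and applies each rule: the -1 target_processing_time check, the per-IP failed-authentication window, the 4xx/5xx counts for both the ELB and the target status code against a supplied baseline, and the no-logs check. Field positions follow the documented ALB access log entry order. The log lines are constructed inline (the load balancer name, ARNs, trace ID, hosts and IP addresses are placeholders); the authentication-failure rows use error_reason values in the documented Auth* family, and the rule keys on that prefix. Baseline counts are passed in by the caller, since the page does not say how the "usual value" is computed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # one token per field; quoted fields may contain spaces
# Zero-based positions (documented ALB access log field order) of the fields the rules use.
FIELDS = {"time": 1, "client": 3, "target": 4, "target_processing_time": 6, "elb_status_code": 8,
          "target_status_code": 9, "actions_executed": 22, "error_reason": 24}

def parse_alb_line(line):
    """Parse one ALB access log entry into the fields the alerts inspect."""
    tok = [quoted or bare for quoted, bare in _TOKEN.findall(line)]
    rec = {name: tok[pos] for name, pos in FIELDS.items()}
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    rec["client_ip"] = rec["client"].rsplit(":", 1)[0]                     # client field is ip:port
    rec["target_processing_time"] = float(rec["target_processing_time"])  # -1 when not dispatched
    for name in ("elb_status_code", "target_status_code"):
        rec[name] = None if rec[name] == "-" else int(rec[name])           # "-" when not recorded
    return rec

def processing_time_anomalies(records):
    """Possible Processing Time Anomaly: the load balancer could not dispatch the request."""
    return [r for r in records if r["target_processing_time"] == -1]

def failed_auth_offenders(records, threshold=15, window=timedelta(minutes=5)):
    """Multiple Failed Authentication: {ip: peak count} for IPs exceeding threshold in a window."""
    times = defaultdict(list)
    for r in records:
        if r["error_reason"].startswith("Auth"):  # documented auth failure reason codes are Auth*
            times[r["client_ip"]].append(r["time"])
    offenders = {}
    for ip, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the window start past entries older than 5 min
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders

def status_class_counts(records, field):
    """Count 4xx and 5xx responses in `field` (elb_status_code or target_status_code)."""
    counts = Counter()
    for r in records:
        if r[field] is not None and r[field] >= 400:
            counts[f"{r[field] // 100}xx"] += 1
    return counts

def status_spikes(records, baselines, deltas=None):
    """4xx/5xx by ALB and by Target: flag a class exceeding baselines[(field, class)] by > delta."""
    deltas = deltas or {"4xx": 5000, "5xx": 1000}  # the thresholds from the alert definitions
    spikes = []
    for field in ("elb_status_code", "target_status_code"):
        counts = status_class_counts(records, field)
        for klass, delta in deltas.items():
            if counts[klass] > baselines.get((field, klass), 0) + delta:
                spikes.append((field, klass, counts[klass]))
    return spikes

def logs_stale(records, now, max_age=timedelta(hours=6)):
    """No ALB Logs in last 6 hours: no entry newer than `max_age`, or no entries at all."""
    return not records or now - max(r["time"] for r in records) > max_age

def make_line(ts, client_ip, tpt, elb_code, target_code, target="10.0.1.10:8080",
              action="forward", error_reason="-"):
    """Constructed ALB access log line in the documented field order (ARNs/IDs are placeholders)."""
    stamp = f"{ts:%Y-%m-%dT%H:%M:%S.%f}Z"
    return (f"https {stamp} app/demo-alb/50dc6c495c0c9188 {client_ip}:44318 {target} 0.001 {tpt} "
            f'0.000 {elb_code} {target_code} 120 512 "GET https://www.example.com:443/login HTTP/1.1" '
            f'"curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:'
            f"us-east-1:123456789012:targetgroup/demo-tg/73e2d6bc24d8a067 "
            f'"Root=1-65a4f5e0-0123456789abcdef01234567" "www.example.com" '
            f'"arn:aws:acm:us-east-1:123456789012:certificate/demo-cert" 0 {stamp} "{action}" "-" '
            f'"{error_reason}" "{target}" "{target_code}" "-" "-"')

T0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    [make_line(T0 + timedelta(seconds=i), "198.51.100.7", "0.012", 200, "200") for i in range(3)]
    # 16 authentication failures from one IP within five minutes (the brute-force pattern)
    + [make_line(T0 + timedelta(seconds=10 * i), "203.0.113.9", "0.001", 401, "-", target="-",
                 action="authenticate", error_reason="AuthInvalidIdToken") for i in range(16)]
    + [make_line(T0 + timedelta(minutes=1), "192.0.2.44", "0.001", 401, "-", target="-",
                 action="authenticate", error_reason="AuthInvalidCookie")]  # single failure, no alert
    # target did not answer before the idle timeout: target_processing_time is -1, no target code
    + [make_line(T0 + timedelta(minutes=2), "198.51.100.7", "-1", 504, "-")]
    # a burst of 502s from the target, visible to both the ALB and the target 5xx rules
    + [make_line(T0 + timedelta(minutes=3, seconds=i), "198.51.100.8", "0.250", 502, "502")
       for i in range(5)])
RECORDS = [parse_alb_line(line) for line in SAMPLE_LINES]
NOW = T0 + timedelta(hours=7)  # evaluation time for the no-logs rule

if __name__ == "__main__":
    print("anomalies:", [(r["client_ip"], r["elb_status_code"]) for r in processing_time_anomalies(RECORDS)])
    print("brute force:", failed_auth_offenders(RECORDS))
    print("spikes:", status_spikes(RECORDS, baselines={}, deltas={"4xx": 10, "5xx": 4}))  # small deltas for the sample
    print("logs stale:", logs_stale(RECORDS, NOW))
```

With the production deltas (5000 and 1000) the small sample produces no spike; the `__main__` block lowers them so the constructed burst is visible. The sliding window in failed_auth_offenders is the part worth keeping in mind when tuning the alert: a fixed 5-minute bucket can split a burst across two buckets and miss it, whereas the window above counts any 16 failures that fall within 5 minutes of each other.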
Integration
Learn more about Coralogix's out-of-the-box integration with AWS ALB in our documentation.