
Integration with Amazon Web Services

LogSentinel SIEM integrates with several services in your organization's AWS infrastructure: CloudTrail (including IAM logs), GuardDuty and CloudWatch (including VPC flow logs). CloudTrail and GuardDuty data is pulled by the SIEM using a read-only IAM user; CloudWatch logs are pushed to the SIEM by a Lambda function attached to a subscription filter.

Pulling CloudTrail logs and GuardDuty findings

Pulling CloudTrail logs and GuardDuty findings only requires an IAM user with read-only access. In AWS:

  1. Log in to the AWS console
  2. Go to CloudTrail or GuardDuty and enable them, if they aren't enabled.
  3. Go to the IAM console
  4. Select "Users" from the menu
  5. Click "Add user"
  6. Choose a username (e.g. logsentinel-monitoring) and check "Programmatic access"
  7. Click Next
  8. Choose "Attach existing policies directly"
  9. Search for "AWSCloudTrailReadOnlyAccess" and "AmazonGuardDutyReadOnlyAccess" and check them. These read-only policies are all the integration needs; do not attach broader permissions to this user.
  10. Click "Next" and finally "Create user"
  11. Copy the Access key ID and Secret access key to a temporary location. The secret access key is shown only once; delete the temporary copy after entering it in the SIEM, and rotate the key if it is ever exposed.

In LogSentinel SIEM:

  1. Go to Data sources -> Integrations
  2. Create a new AWS integration.
  3. Specify the API key and secret you obtained in step 11 above.
  4. Specify the target service (CloudTrail or GuardDuty) and the region and click "Create".
  5. To enable both CloudTrail and GuardDuty, repeat steps 1-4 once for each service.

Streaming CloudWatch logs to LogSentinel SIEM

In order to push logs from AWS CloudWatch to LogSentinel SIEM in a scalable way, you need to use CloudWatch Logs subscription filters with an AWS Lambda function. CloudWatch invokes the function with a batch of log events (gzipped and base64-encoded), and the function forwards them to the SIEM's batch logging endpoint.

  1. Go to AWS Lambda in the AWS Console.
  2. Create an AWS Lambda function with the following code:
    /**
     * LogSentinel SIEM logging for AWS Lambda
     *
     * This function sends CloudWatch logs to LogSentinel SIEM via the RESTful API.
     *
     * Define the following environment variables:
     *
     * 1. LOGSENTINEL_HOST: Hostname of the LogSentinel API. For LogSentinel SIEM SaaS that's api.logsentinel.com.
     *    For on-premise deployments, your publicly exposed SIEM address. The function always assumes HTTPS.
     *
     * 2. DATASOURCE_ID: The ID of the data source (application) to which you want to send the logs.
     *
     * 3. ORGANIZATION_ID: The organizationId obtained from API -> API Credentials in the SIEM dashboard
     *
     * 4. SECRET: The API secret obtained from API -> API Credentials in the SIEM dashboard
     */
    const https = require('https');
    const zlib = require('zlib');
    const { promisify } = require('util');
    const gunzip = promisify(zlib.gunzip);

    const logsentinelConfig = {
        host: process.env.LOGSENTINEL_HOST,
        datasourceId: process.env.DATASOURCE_ID,
        apiKey: process.env.ORGANIZATION_ID,
        apiSecret: process.env.SECRET
    };

    // HTTP Basic authentication: organizationId as the user name, the API secret as the password
    const auth = 'Basic ' + Buffer.from(logsentinelConfig.apiKey + ':' + logsentinelConfig.apiSecret).toString('base64');
    const options = {
        hostname: logsentinelConfig.host,
        port: 443,
        path: '/api/log/batch',
        method: 'POST',
        headers: {'Application-Id': logsentinelConfig.datasourceId, 'Authorization': auth, 'Content-Type': 'application/json'}
    };

    // Send one batch and resolve only after LogSentinel has answered. An async handler
    // must await the request: if it returns while the request is still in flight, Lambda
    // freezes the execution environment and the batch may never be delivered.
    function sendBatch(batch) {
        return new Promise((resolve, reject) => {
            const req = https.request(options, (res) => {
                let body = '';
                res.on('data', (chunk) => { body += chunk; });
                res.on('end', () => {
                    if (res.statusCode >= 200 && res.statusCode < 300) {
                        resolve(res.statusCode);
                    } else {
                        reject(new Error('LogSentinel returned HTTP ' + res.statusCode + ': ' + body));
                    }
                });
            });
            req.on('error', reject);
            req.write(JSON.stringify(batch));
            req.end();
        });
    }

    exports.handler = async function(input) {
        // CloudWatch delivers the subscription payload as base64-encoded gzip in awslogs.data
        const payload = Buffer.from(input.awslogs.data, 'base64');
        const logs = JSON.parse((await gunzip(payload)).toString('utf-8'));

        // CONTROL_MESSAGE payloads are CloudWatch reachability checks and carry no application logs
        if (logs.messageType !== 'DATA_MESSAGE' || logs.logEvents.length === 0) {
            return;
        }

        const batch = logs.logEvents.map((log) => ({
            actionData: {
                // Remove trailing \n
                details: log.message.replace(/\n$/, ''),
                originalEventTimestamp: log.timestamp
            }
        }));

        try {
            await sendBatch(batch);
        } catch (e) {
            // Rethrow so the invocation is recorded as failed (visible in the function's Errors metric)
            // instead of silently dropping the batch
            console.log('Failed to send request: ' + e.message);
            throw e;
        }
    };
    
  3. Go to AWS Lambda -> Configuration -> Environment variables and set the 4 variables. SECRET is a credential for your SIEM: restrict who can view the function's configuration and consider encrypting the variable with a customer-managed KMS key.
  4. Go back to the "Code" tab and deploy the function
  5. Go to CloudWatch
  6. Click on Log Groups in the menu
  7. Select the log group you want to send to LogSentinel SIEM
  8. From the "Actions" menu, select Subscription filters -> Create Lambda Subscription Filter
  9. Select the Lambda function that you created above
  10. Set all of the other properties, including a name
  11. Start streaming