Integration with Amazon Web Services
To integrate with your organization's AWS infrastructure, LogSentinel SIEM supports multiple services: CloudTrail (including IAM logs), GuardDuty and CloudWatch (including VPC flow logs). CloudTrail logs and GuardDuty findings are pulled through the AWS API using read-only credentials; CloudWatch logs are pushed to the SIEM from a Lambda function attached to a subscription filter.
Pulling CloudTrail logs and GuardDuty findings
Pulling logs from CloudTrail and findings from GuardDuty is simple. In AWS:
- Login to the AWS console
- Go to CloudTrail or GuardDuty and enable them, if they aren't enabled.
- Go to the IAM console
- Select "Users" from the navigation menu
- Click "Add user"
- Choose a username (e.g. logsentinel-monitoring) and check "Programmatic access"
- Click Next
- Choose "Attach existing policies directly"
- Search for "AWSCloudTrailReadOnlyAccess" and "AmazonGuardDutyReadOnlyAccess" and check them. Both are read-only managed policies, so the credentials used by the SIEM cannot modify trails, detectors or findings; do not attach broader policies such as administrator access.
- Click "Next" and finally "Create user"
- Copy the Access key ID and Secret access key to a temporary location. The secret is shown only once; if you lose it, create a new access key rather than reusing a shared one. Delete the temporary copy once the integration below is configured.
In LogSentinel SIEM:
- Go to Data sources -> Integrations
- Create a new AWS integration.
- Specify the API key and secret you obtained in step 11 above.
- Specify the target service (CloudTrail or GuardDuty) and the region and click "Create".
- To enable both CloudTrail and GuardDuty, repeat steps 1-4 for the other service (one integration per service and region).
Streaming CloudWatch logs to LogSentinel SIEM
In order to push logs from AWS CloudWatch to LogSentinel SIEM in a scalable way, you need to use CloudWatch Logs subscription filters with AWS Lambda: CloudWatch invokes the function with a gzip-compressed, base64-encoded batch of log events, and the function forwards them to the SIEM's batch logging API over HTTPS.
- Go to AWS Lambda in the AWS Console.
- Create an AWS Lambda function with the following code:
```javascript
/**
 * LogSentinel SIEM logging for AWS Lambda
 *
 * This function sends CloudWatch logs to LogSentinel SIEM via the RESTful API.
 *
 * Define the following environment variables:
 *
 * 1. LOGSENTINEL_HOST: Hostname of the LogSentinel API. For LogSentinel SIEM SaaS that's api.logsentinel.com.
 *    For on-premise deployments, your publicly exposed SIEM address. The function always assumes HTTPS.
 * 2. DATASOURCE_ID: The ID of the data source (application) to which you want to send the logs.
 * 3. ORGANIZATION_ID: The organizationId obtained from API -> API Credentials in the SIEM dashboard.
 * 4. SECRET: The API secret obtained from API -> API Credentials in the SIEM dashboard.
 */
const https = require('https');
const zlib = require('zlib');

const logsentinelConfig = {
    host: process.env.LOGSENTINEL_HOST,
    datasourceId: process.env.DATASOURCE_ID,
    apiKey: process.env.ORGANIZATION_ID,
    apiSecret: process.env.SECRET
};

// HTTP Basic authentication: organizationId as the user name, the API secret as the password
const auth = 'Basic ' + Buffer.from(logsentinelConfig.apiKey + ':' + logsentinelConfig.apiSecret).toString('base64');

const options = {
    hostname: logsentinelConfig.host,
    port: 443,
    path: '/api/log/batch',
    method: 'POST',
    headers: {
        'Application-Id': logsentinelConfig.datasourceId,
        'Authorization': auth,
        'Content-Type': 'application/json'
    }
};

// Sends one batch and resolves only after the SIEM has answered. The handler
// awaits this promise; returning from an async handler before the request has
// completed would let the Lambda runtime freeze the sandbox with the request
// still in flight, silently dropping log entries.
function sendBatch(batch) {
    return new Promise((resolve, reject) => {
        const req = https.request(options, (res) => {
            let body = '';
            res.on('data', (chunk) => { body += chunk; });
            res.on('end', () => {
                if (res.statusCode >= 200 && res.statusCode < 300) {
                    resolve(res.statusCode);
                } else {
                    reject(new Error('LogSentinel API returned ' + res.statusCode + ': ' + body));
                }
            });
        });
        req.on('error', (e) => reject(new Error('Failed to send request: ' + e.message)));
        req.write(JSON.stringify(batch));
        req.end();
    });
}

exports.handler = async function (input) {
    // CloudWatch Logs delivers subscription data as base64-encoded gzip JSON
    const payload = Buffer.from(input.awslogs.data, 'base64');
    const logs = JSON.parse(zlib.gunzipSync(payload).toString('utf-8'));

    // CloudWatch sends a CONTROL_MESSAGE (no real log data) when the subscription
    // is created; there is nothing to forward in that case.
    if (logs.messageType === 'CONTROL_MESSAGE') {
        return;
    }

    const batch = logs.logEvents.map((log) => ({
        actionData: {
            // Remove trailing \n
            details: log.message.replace(/\n$/, ''),
            originalEventTimestamp: log.timestamp
        }
    }));

    if (batch.length > 0) {
        await sendBatch(batch);
    }
};
```
- Go to AWS Lambda -> Configuration -> Environment variables and set the 4 variables. SECRET is a credential for your SIEM API: restrict who can read the function's configuration in IAM, and rotate it from API -> API Credentials if it is exposed.
- Go back to the "Code" tab and deploy the function
- Go to CloudWatch
- Click on Log Groups in the menu
- Select the log group you want to send to LogSentinel SIEM
- From the "Actions" menu, select Subscription filters -> Create Lambda Subscription Filter
- Select the Lambda function that you created above
- Set the other properties, including a name and a filter pattern (leave the pattern empty to forward every event in the log group)
- Start streaming