This document covers how to pull the Umbrella logs from your S3 bucket into Chronicle and consume them. There are two main stages: first, configure your AWS security credentials so that Chronicle can access the logs; second, configure Chronicle itself to point at your bucket.
Note: This document assumes that your Amazon AWS S3 bucket has been configured in Umbrella (Settings > Log Management) and is showing green with recent logs having been uploaded.
Configuring your Security Credentials in AWS
Add an access key to your Amazon Web Services account so that a remote tool can access the account and upload, download and modify files in S3.
1. Log in to AWS and click your account name in the upper-right corner.
2. In the drop-down, select Security Credentials. You will be prompted to follow Amazon best practices and create an AWS Identity and Access Management (IAM) user.
3. Click Get Started with IAM Users. You will be taken to a screen where you can create an IAM user.
4. Click Create New Users. A new user form appears.
5. Complete the fields in the new user form. Note that the user name should not contain spaces.
6. After the user is created, Amazon generates the user's security credentials. Make a note of both the Access Key ID and the Secret Access Key, as you will need them in a later step.
7. Next, add a policy to the IAM user so that it has access to your S3 bucket. Click the user you have just created, then scroll down through the user's properties until you see the Attach Policy button.
8. Click Attach Policy, then enter 's3' in the policy type filter. This should show two results, "AmazonS3FullAccess" and "AmazonS3ReadOnlyAccess".
9. Select "AmazonS3FullAccess" and then click Attach Policy in the lower right-hand corner.
Configuring feeds in Google Chronicle
1. Log in to Chronicle Backstory.
2. Go to the Menu in the top-right corner and select Settings.
3. In Settings, go to Feeds and click ADD NEW.
4. In the SOURCE TYPE field, select Amazon S3, and in the LOG TYPE field, select Cisco Umbrella IP. Then click Next.
5. In Input Parameters, provide the details below.
   - REGION: Auto Detect
   - S3 URI: the URI of the S3 bucket (and path) to which Umbrella uploads the logs
   - URI IS A: select 'Directory which includes subdirectories' from the dropdown
   - SOURCE DELETION: select 'Never delete files' from the dropdown
   - ACCESS KEY ID: the Access Key ID generated in AWS in the previous section
   - SECRET ACCESS KEY: the Secret Access Key generated in AWS in the previous section
6. Click NEXT. A preview of the configuration is shown in the Finalize tab.
7. Click Submit. The log source will be visible in Feeds.
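The two procedures above leave the feed reading the bucket with a key that carries AmazonS3FullAccess, while a feed set to 'Never delete files' only ever lists and downloads objects. As an added example (not part of the Umbrella or Chronicle documentation), the Python below turns the S3 URI entered in step 5 into an IAM policy scoped to that bucket and prefix, and checks any policy document for grants the feed does not need. The sample URI and bucket name are constructed, the set of required actions is an assumption (GetBucketLocation is included for the Auto Detect region setting), and FULL_ACCESS is a constructed approximation of the managed policy's shape rather than a copy of it.

```python
"""Least-privilege S3 access for a log-collection feed.

Added example; not from the Umbrella or Chronicle documentation. It assumes
a feed that only lists and reads objects under one prefix, which is what a
Chronicle feed does when SOURCE DELETION is "Never delete files".
"""
import json
from urllib.parse import urlparse

# Assumption: a read-only collector needs these three actions. GetBucketLocation
# is included because the feed's REGION is set to Auto Detect.
READ_ACTIONS = {"s3:listbucket", "s3:getbucketlocation", "s3:getobject"}
DELETE_ACTIONS = {"s3:deleteobject"}

# Constructed approximation of the AmazonS3FullAccess managed policy shape:
# every S3 action on every bucket in the account.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}


def parse_s3_uri(uri: str) -> tuple[str, str]:
    """Split 's3://bucket/prefix' into (bucket, 'prefix/')."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an S3 URI: {uri!r}")
    prefix = parsed.path.lstrip("/")
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    return parsed.netloc, prefix


def feed_policy(uri: str, allow_delete: bool = False) -> dict:
    """Build an IAM policy scoped to the feed's bucket and prefix.

    allow_delete=True adds s3:DeleteObject for a feed configured to delete
    files after transfer; leave it False for "Never delete files".
    """
    bucket, prefix = parse_s3_uri(uri)
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}*"
    statements = [
        {
            "Sid": "ListFeedBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Sid": "ReadFeedObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": object_arn,
        },
    ]
    if allow_delete:
        statements.append(
            {
                "Sid": "DeleteTransferredObjects",
                "Effect": "Allow",
                "Action": ["s3:DeleteObject"],
                "Resource": object_arn,
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def excess_permissions(policy: dict, bucket: str, allow_delete: bool = False) -> list[str]:
    """List every Allow grant in `policy` that goes beyond what the feed needs."""
    allowed = READ_ACTIONS | (DELETE_ACTIONS if allow_delete else set())
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; a wildcard covers writes too.
            if any(ch in action for ch in "*?"):
                findings.append(f"wildcard action {action!r}")
            elif action.lower() not in allowed:
                findings.append(f"action {action!r} not needed by the feed")
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"resource {res!r} not scoped to bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    uri = "s3://example-umbrella-logs/dnslogs/"  # constructed sample URI
    scoped = feed_policy(uri)
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", excess_permissions(scoped, "example-umbrella-logs"))
    print("full-access findings:", excess_permissions(FULL_ACCESS, "example-umbrella-logs"))
```

Running the script prints a policy document that can be attached to the IAM user from step 7 in place of the managed policy; the checker reports two findings for the full-access shape (a wildcard action and an unscoped resource) and none for the scoped policy. If the feed is later switched to delete files after transfer, regenerate the policy with allow_delete=True so that the single extra action is granted deliberately rather than through a wildcard.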