This article explains how to configure VPC flow logs and how to configure a Chronicle feed to ingest the resulting logs.
Configure VPC flow logs
- Open the Amazon VPC console and, in the navigation pane, choose Your VPCs.
- Select the checkboxes for one or more VPCs.
- Choose Actions > Create flow log and configure the flow log settings.
- Select the destination according to your requirements: either CloudWatch Logs or an S3 bucket.
Create an S3 bucket
- Select Create new S3 bucket. You may also choose to use an existing S3 bucket.
- Provide a name for a new AWS KMS alias, or choose an existing AWS KMS key.
- Leave the other settings as default and click Next.
- Choose Event type, add Data events as required, and click Next.
- Review the settings in Review and create and click Create trail.
- In the AWS console, search for "Amazon S3 Buckets."
- Click the newly created log bucket and select the folder AWSLogs. Then click Copy S3 URI and save it for use in the following steps.
Configure Chronicle Feed to ingest logs
- Go to Chronicle settings and click Feeds.
- Click Add New.
- Select Amazon S3 for Source Type.
- Select AWS CloudTrail (or another AWS service) for Log Type.
- Click Next.
- Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. Optionally, append the following placeholder to the S3 URI:
{{datetime("yyyy/MM/dd")}}
as in the following example, so that on each run Chronicle scans only the logs for a particular day:
s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/
- Under URI IS A, select Directories including subdirectories.
- Select an appropriate option under Source Deletion Option; it must match the permissions of the IAM User account you created earlier.
- Provide Access Key ID and Secret Access Key of the IAM User account you created earlier.
- Click Next and Finish.
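Before saving the feed, it is worth checking two things the steps above depend on: what concrete prefix the {{datetime("yyyy/MM/dd")}} placeholder expands to on a given day, and that the IAM user's S3 permissions really match the Source Deletion Option. The following Python script is an added example (not part of this article and not Chronicle's or NetEnrich's own tooling) that does both for a constructed URI in the shape shown above. The token-to-strftime mapping, the option labels `never` and `after_transfer`, and the choice of s3:ListBucket, s3:GetObject and s3:DeleteObject as the minimal action set are assumptions made here, not taken from the article.

```python
import json
import re
from datetime import datetime

# Joda/Java-style date tokens used inside Chronicle's {{datetime("...")}}
# placeholder, mapped to Python strftime directives. Assumption: only the
# tokens needed for daily or hourly prefixes are handled.
_TOKEN_MAP = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}
_PLACEHOLDER = re.compile(r'\{\{datetime\("([^"]+)"\)\}\}')


def _java_to_strftime(pattern: str) -> str:
    for token, directive in _TOKEN_MAP.items():
        pattern = pattern.replace(token, directive)
    return pattern


def expand_s3_uri(uri_template: str, when_iso: str) -> str:
    """Return the concrete prefix Chronicle would scan at `when_iso`
    (ISO 8601, e.g. "2024-03-05" or "2024-03-05T14:00")."""
    when = datetime.fromisoformat(when_iso)
    return _PLACEHOLDER.sub(
        lambda m: when.strftime(_java_to_strftime(m.group(1))), uri_template)


def split_s3_uri(uri: str):
    """Split "s3://bucket/key/prefix/" into (bucket, static_prefix).
    The static prefix stops at the first placeholder, so a policy built
    from it covers every day's directory rather than a single day."""
    if not uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    bucket, _, key = uri[len("s3://"):].partition("/")
    static_prefix = key.split("{{", 1)[0]
    return bucket, static_prefix


def feed_user_policy(uri: str, source_deletion: str) -> dict:
    """IAM policy for the feed's IAM user. Assumption (not from the article):
    s3:ListBucket plus s3:GetObject suffice for a read-only feed, and
    s3:DeleteObject is added only when the feed is set to delete transferred
    files, so the user's permissions match the Source Deletion Option."""
    if source_deletion not in ("never", "after_transfer"):
        raise ValueError("source_deletion must be 'never' or 'after_transfer'")
    bucket, prefix = split_s3_uri(uri)
    object_actions = ["s3:GetObject"]
    if source_deletion == "after_transfer":
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListFeedPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                # Restrict listing to the feed's prefix, not the whole bucket.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "AccessFeedObjects",
                "Effect": "Allow",
                "Action": object_actions,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample URI in the shape the article shows (account id and
    # bucket name are placeholders, not real values).
    uri = ("s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/"
           'CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/')
    print(expand_s3_uri(uri, "2024-03-05"))
    print(json.dumps(feed_user_policy(uri, "never"), indent=2))
```

If the feed is configured never to delete source files, the generated policy grants no s3:DeleteObject, which is the least-privilege choice; only switch to the `after_transfer` variant when the Source Deletion Option in the feed is actually set to delete transferred files.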
To have NetEnrich add the feed to your Chronicle instance, provide the following details:
- S3 URI
- ACCESS KEY ID
- SECRET ACCESS KEY