This document details the steps to configure AWS CloudTrail logs for ingestion into Chronicle. The same steps apply to ingesting logs from other AWS services into Chronicle, for example AWS GuardDuty, AWS VPC Flow, AWS CloudWatch and AWS Security Hub.
Configure AWS CloudTrail (or other service)
Complete the following steps to configure AWS CloudTrail logs and direct these logs to be written to the AWS S3 bucket created in the previous procedure:
1. In the AWS console, search for CloudTrail.
2. Click Create trail.
3. Provide a Trail name.
4. Select Create new S3 bucket. You may also choose to use an existing S3 bucket.
5. Provide a name for the AWS KMS alias, or choose an existing AWS KMS key.
6. You can leave the other settings as default, and click Next.
7. Choose Event type, add Data events as required, and click Next.
8. Review the settings under Review and create, and click Create trail.
9. In the AWS console, search for Amazon S3 Buckets.
10. Click the newly created log bucket, and select the folder AWSLogs. Then click Copy S3 URI and save it for use in the following steps.
Configure AWS IAM User
In this step, we will configure an AWS IAM user which Chronicle will use to get log feeds from AWS.
1. In the AWS console, search for IAM.
2. Click Users, and then in the following screen, click Add Users.
3. Provide a name for the user, e.g. chronicle-feed-user. Select Access key - Programmatic access as the AWS credential type and click Next: Permissions.
4. In the next step, select Attach existing policies directly and select AmazonS3ReadOnlyAccess or AmazonS3FullAccess, as required. AmazonS3FullAccess is only needed if Chronicle should delete objects from the S3 bucket after reading them, to reduce AWS S3 storage costs. Click Next: Tags.
5. As a recommended alternative to the previous step, you can further restrict access to only the specified S3 bucket by creating a custom policy. Click Create policy and follow the AWS documentation to create a custom policy.
6. Add any tags if required, and click Next: Review.
7. Review the configuration and click Create user.
8. Copy the Access key ID and Secret access key of the created user, for use in the next step.
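The following script is an added example, not part of the original article or of Chronicle's or NetEnrich's own tooling. It generates the custom, bucket-scoped policy document recommended in step 5 instead of the broad AmazonS3ReadOnlyAccess or AmazonS3FullAccess managed policies: list and read are limited to the AWSLogs prefix of one bucket, s3:DeleteObject is granted only when the feed's Source Deletion Option will actually delete objects, and kms:Decrypt is added only when the trail's log files are encrypted with the KMS key chosen in the CloudTrail procedure (without it, reads of SSE-KMS objects fail with AccessDenied even though the S3 permissions are correct). The bucket name, prefix and key ARN are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Optional, Set

# Constructed placeholder values; replace with the bucket and key from your own account.
BUCKET = "aws-cloudtrail-logs-XXX-1234567"
PREFIX = "AWSLogs/"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def build_chronicle_feed_policy(bucket: str, prefix: str = "AWSLogs/",
                                allow_delete: bool = False,
                                kms_key_arn: Optional[str] = None) -> Dict[str, Any]:
    """Return an IAM policy document scoped to one bucket and key prefix.

    s3:ListBucket is a bucket-level action, so it is granted on the bucket ARN
    and narrowed with an s3:prefix condition. Object actions are granted only on
    object ARNs beneath the prefix. s3:DeleteObject is included only when the
    Chronicle feed is configured to delete objects after ingestion, and
    kms:Decrypt only when the trail writes SSE-KMS encrypted log files.
    """
    if not prefix.endswith("/"):
        prefix += "/"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions: List[str] = ["s3:GetObject"]
    if allow_delete:
        object_actions.append("s3:DeleteObject")

    statements: List[Dict[str, Any]] = [
        {
            "Sid": "ListCloudTrailPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": bucket_arn,
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
        {
            "Sid": "ReadCloudTrailObjects",
            "Effect": "Allow",
            "Action": object_actions,
            "Resource": f"{bucket_arn}/{prefix}*",
        },
    ]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptCloudTrailLogs",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_actions(policy: Dict[str, Any]) -> Set[str]:
    """Flatten every Action in the document; handy for asserting least privilege."""
    actions: Set[str] = set()
    for statement in policy["Statement"]:
        actions.update(statement["Action"])
    return actions


if __name__ == "__main__":
    # Read-only feed (Source Deletion Option = never delete), KMS-encrypted trail.
    print(json.dumps(build_chronicle_feed_policy(BUCKET, PREFIX, kms_key_arn=KMS_KEY_ARN), indent=2))
```

Paste the printed JSON into the Create policy editor, attach the resulting policy to the feed user, and keep the KMS key policy in mind: the key itself must also allow kms:Decrypt for this principal, which an IAM policy alone cannot grant.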
Configure Feed in Chronicle to Ingest AWS Logs
1. Go to Chronicle settings, and click Feeds.
2. Click Add New.
3. Select Amazon S3 for Source Type.
4. Select AWS CloudTrail (or the other AWS service) for Log Type.
5. Click Next.
6. Select the region and provide the S3 URI of the Amazon S3 bucket you copied earlier. Optionally, append the following to the S3 URI so that Chronicle scans only a single day's logs on each run:
{{datetime("yyyy/MM/dd")}}
For example:
s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/CloudTrail/us-east-1/{{datetime("yyyy/MM/dd")}}/
7. Under URI IS A, select Directories including subdirectories. Select an appropriate option under Source Deletion Option; it must match the permissions of the IAM user created earlier.
8. Provide the Access Key ID and Secret Access Key of the IAM user created earlier.
9. Below are the values NetEnrich requires to add the feed to your Chronicle instance:
- S3 URI
- ACCESS KEY ID
- SECRET ACCESS KEY
10. Click Next and Finish.
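The script below is an added example and not code from the article, Chronicle or NetEnrich. It shows what the datetime placeholder in step 6 resolves to and which objects a daily scan would pick up, using CloudTrail's documented key layout (AWSLogs/AccountID/CloudTrail/Region/YYYY/MM/DD/AccountID_CloudTrail_Region_YYYYMMDDTHHmmZ_UniqueString.json.gz). The expander is a simplified approximation of the placeholder written for illustration, and the object keys are constructed. The point worth checking before relying on a per-day URI is the edge at midnight: CloudTrail partitions keys by UTC date, so an operator reasoning in local time lands in the wrong day's prefix for the hours around midnight.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Placeholder syntax as it appears in the feed's S3 URI, e.g. {{datetime("yyyy/MM/dd")}}.
TEMPLATE_RE = re.compile(r'\{\{datetime\("([^"]+)"\)\}\}')

# Pattern letters handled by this toy expander, mapped to strftime directives.
# Assumption: an approximation of the real placeholder, sufficient for the page's pattern.
_TOKENS = [("yyyy", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")]


def expand_datetime_uri(uri: str, when: datetime) -> str:
    """Replace each datetime placeholder with `when` formatted per its pattern.

    CloudTrail names objects by UTC date, so pass a timezone-aware UTC datetime.
    """
    def repl(match):
        fmt = match.group(1)
        for token, directive in _TOKENS:
            fmt = fmt.replace(token, directive)
        return when.strftime(fmt)
    return TEMPLATE_RE.sub(repl, uri)


def split_s3_uri(uri: str) -> Tuple[str, str]:
    """Return (bucket, key_prefix) for an s3://bucket/prefix/ URI."""
    if not uri.startswith("s3://"):
        raise ValueError("not an s3:// URI")
    bucket, _, prefix = uri[len("s3://"):].partition("/")
    return bucket, prefix


def keys_for_day(uri_template: str, day: datetime, keys: List[str]) -> List[str]:
    """Return the object keys that a scan of the expanded prefix would include."""
    _, prefix = split_s3_uri(expand_datetime_uri(uri_template, day))
    return [key for key in keys if key.startswith(prefix)]


# The feed URI from step 6 and three constructed keys in CloudTrail's delivery layout.
FEED_URI = ('s3://aws-cloudtrail-logs-XXX-1234567/AWSLogs/1234567890/CloudTrail/'
            'us-east-1/{{datetime("yyyy/MM/dd")}}/')
SAMPLE_KEYS = [
    "AWSLogs/1234567890/CloudTrail/us-east-1/2023/07/13/1234567890_CloudTrail_us-east-1_20230713T1330Z_a1b2c3.json.gz",
    "AWSLogs/1234567890/CloudTrail/us-east-1/2023/07/13/1234567890_CloudTrail_us-east-1_20230713T2355Z_d4e5f6.json.gz",
    "AWSLogs/1234567890/CloudTrail/us-east-1/2023/07/14/1234567890_CloudTrail_us-east-1_20230714T0010Z_g7h8i9.json.gz",
]

# One instant, two clocks: 23:58 UTC on the 13th is already 01:58 on the 14th in UTC+02:00.
UTC_SAMPLE = datetime(2023, 7, 13, 23, 58, tzinfo=timezone.utc)
LOCAL_SAMPLE = UTC_SAMPLE.astimezone(timezone(timedelta(hours=2)))

if __name__ == "__main__":
    print(expand_datetime_uri(FEED_URI, UTC_SAMPLE))    # .../us-east-1/2023/07/13/
    print(expand_datetime_uri(FEED_URI, LOCAL_SAMPLE))  # .../us-east-1/2023/07/14/ (wrong day for a UTC-keyed bucket)
    for key in keys_for_day(FEED_URI, UTC_SAMPLE, SAMPLE_KEYS):
        print(key)
```

Run it and compare the two expanded URIs: the UTC version selects both of the 13th's files, while the local-time version would scan the 14th's prefix, which at that moment holds nothing yet. When validating a feed, confirm that the prefix Chronicle reports for a run matches the UTC date of the objects you expect it to read.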
Sample Logs
The following is a sample CloudTrail log record as sent to Chronicle:
{
  "Records": [
    {
      "awsRegion": "ap-southeast-1",
      "eventCategory": "Management",
      "eventID": "4ac6fd03-1660-443c-a2fc-f3578df3bfbd",
      "eventName": "AssumeRole",
      "eventSource": "sts.amazonaws.com",
      "eventTime": "2023-07-13T13:26:09Z",
      "eventType": "AwsApiCall",
      "eventVersion": "1.08",
      "managementEvent": true,
      "readOnly": true,
      "recipientAccountId": "xxxxxxxxxxxx",
      "requestID": "100602f1-3102-4862-a6aa-4c1eecf5e69b",
      "requestParameters": {
        "roleArn": "arn:aws:iam::xxxxxxxxxxxx:role/role_for_sysa-api-pmd-rtde",
        "roleSessionName": "awslambda_879_20230713132609350"
      },
      "resources": [
        {
          "ARN": "arn:aws:iam::xxxxxxxxxxxx:role/role_for_sysa-api-pmd-rtde",
          "accountId": "xxxxxxxxxxxx",
          "type": "AWS::IAM::Role"
        }
      ],
      "responseElements": {
        "credentials": {
          "accessKeyId": "assUSAVZUCXJVEPBH4PNDA",
          "expiration": "Jul 14, 2023, 1:36:09 AM",
          "sessionToken": "IQoJb3JpZ2luX2VjEHYaDmFwLZNvdXRoZWFzdC0xIkcwRQIgNqH1Q6IehDTck4HcqdTpS6/3XTYiAVRknDlHCplVty0CIQCXbk406TmtnCOCE6mtIXpIAxYkZTJ4wjd1pl7AAjQFMiqtAgjv//////////8BEAMaDDM5ODYeMjN3MzU3NiIMLzmfonwXsAZRNGWoKoECByhj9KppcyrGAWmmpntOcw5L1HAHSsrwfHXMq9+JvGN5YZN+DK15yARJ5KU9Cl+HDNE1knjJ89ID9oioMDUU30blQoM6dxhwxZw561HAtZFoYiKdObxJWd/VT+NCXQ4lm7rg3fEz0cspXJGRIK3+Ro4h3ybzHAH3JFOSH6XpxWhETOV+rik85+dN6EPybvWdt1Vr/lp6aRc9kUQ3geOaT0z3GetRPNkoO9V/vY20noud7sIHoGp3q+bbw5b2WU+sCRGVW5T7hU8oyI0V/yF+QT/DhPc5Gct9cyM8stw6ZI7dTEWKGYI76eiMvyfTYV14IftYHlyeLRb3wEoj1IT5M9Mw8ca/pQY6maFVzxwY9T8PlXGm1bgRuFBrSzgDhU1N63UGpeY6mUlFnlGrvI9F19yXRYKabVatqNTfw+nRH8HngsQ9gEz28JFwCpqZVrQRbyKLaZxwMjUIRgXwc/tMH25hAhXG3pTaxFjxOwfKxtT5rSr30Y5uxMoU2B48Pq7b/A0JAe0DS5NwRUSHSi2Vcyn03qWnRk1V42A9fWs/zlyWaq36"
        }
      },
      "sharedEventID": "1a5fc009-5e62-4amc-8358-c326171df79b",
      "sourceIPAddress": "lambda.amazonaws.com",
      "userAgent": "lambda.amazonaws.com",
      "userIdentity": {
        "invokedBy": "lambda.amazonaws.com",
        "type": "AWSService"
      }
    }
  ]
}
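To check what Chronicle will actually read from the bucket before the feed is live, the following added example (not code from the article, Chronicle or NetEnrich) decodes one S3 object in the form CloudTrail delivers it, a gzip-compressed JSON document whose top-level "Records" array holds events like the sample above, and pulls out the fields an analyst triages first. The embedded sample is constructed from the record above with the account ID and session token redacted. One detail worth noting for later investigations: for AssumeRole, responseElements.credentials.accessKeyId is the temporary key issued to the session, and subsequent events made with that session carry the same value in userIdentity.accessKeyId, which is how you tie activity back to the role and the caller that obtained it.

```python
import gzip
import json
from typing import Any, Dict, List

# Constructed sample in CloudTrail's S3 delivery shape: one JSON object with a
# "Records" array. Values mirror the sample record above; the account ID and the
# session token are redacted.
SAMPLE_OBJECT: Dict[str, Any] = {
    "Records": [
        {
            "awsRegion": "ap-southeast-1",
            "eventCategory": "Management",
            "eventID": "4ac6fd03-1660-443c-a2fc-f3578df3bfbd",
            "eventName": "AssumeRole",
            "eventSource": "sts.amazonaws.com",
            "eventTime": "2023-07-13T13:26:09Z",
            "eventType": "AwsApiCall",
            "readOnly": True,
            "recipientAccountId": "xxxxxxxxxxxx",
            "requestParameters": {
                "roleArn": "arn:aws:iam::xxxxxxxxxxxx:role/role_for_sysa-api-pmd-rtde",
                "roleSessionName": "awslambda_879_20230713132609350",
            },
            "responseElements": {
                "credentials": {
                    "accessKeyId": "assUSAVZUCXJVEPBH4PNDA",
                    "expiration": "Jul 14, 2023, 1:36:09 AM",
                    "sessionToken": "<redacted>",
                }
            },
            "sourceIPAddress": "lambda.amazonaws.com",
            "userAgent": "lambda.amazonaws.com",
            "userIdentity": {"invokedBy": "lambda.amazonaws.com", "type": "AWSService"},
        }
    ]
}

GZIP_MAGIC = b"\x1f\x8b"


def sample_object_bytes(compressed: bool = True) -> bytes:
    """Serialise the constructed sample the way CloudTrail writes it to S3."""
    raw = json.dumps(SAMPLE_OBJECT).encode("utf-8")
    return gzip.compress(raw) if compressed else raw


def load_cloudtrail_object(data: bytes) -> List[Dict[str, Any]]:
    """Decode one S3 object as delivered by CloudTrail and return its records.

    CloudTrail delivers gzip-compressed JSON; a plain JSON body is accepted too,
    so the loader also works on files that were decompressed by hand.
    """
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    body = json.loads(data.decode("utf-8"))
    records = body.get("Records") if isinstance(body, dict) else None
    if not isinstance(records, list):
        raise ValueError("not a CloudTrail log object: missing 'Records' array")
    return records


def is_cloudtrail_object(data: bytes) -> bool:
    """True when `data` decodes as a CloudTrail log object."""
    try:
        load_cloudtrail_object(data)
        return True
    except (ValueError, OSError, EOFError):  # bad JSON, bad UTF-8 or a corrupt gzip stream
        return False


def summarize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the fields used for first-pass triage of a record.

    responseElements and requestParameters are null on many CloudTrail events,
    so both are defaulted to {} before being read.
    """
    identity = record.get("userIdentity") or {}
    request = record.get("requestParameters") or {}
    credentials = (record.get("responseElements") or {}).get("credentials") or {}
    return {
        "eventTime": record.get("eventTime"),
        "eventName": record.get("eventName"),
        "eventSource": record.get("eventSource"),
        "readOnly": record.get("readOnly"),
        "identityType": identity.get("type"),
        "invokedBy": identity.get("invokedBy"),
        "sourceIPAddress": record.get("sourceIPAddress"),
        "assumedRole": request.get("roleArn"),
        # Temporary key minted for the session; matches userIdentity.accessKeyId on later events.
        "issuedAccessKeyId": credentials.get("accessKeyId"),
    }


if __name__ == "__main__":
    for rec in load_cloudtrail_object(sample_object_bytes()):
        print(json.dumps(summarize(rec), indent=2))
```

Point load_cloudtrail_object at a downloaded object from the AWSLogs prefix to confirm the bucket, prefix and region in your feed URI really contain CloudTrail records before troubleshooting the feed itself.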