
Configuring an Amazon AWS CloudTrail Log Source by using the Amazon Web Services Protocol


If you want to collect AWS CloudTrail logs from CloudWatch logs, configure a log source on the JSA Console so that Amazon AWS CloudTrail can communicate with JSA by using the Amazon Web Services protocol.

  1. Install the most recent version of the following RPMs on your JSA Console.

    • Protocol Common

    • Amazon AWS REST API Protocol RPM

    • Amazon Web Services Protocol RPM

    • DSMCommon RPM

    • Amazon AWS CloudTrail DSM RPM

  2. Create an Amazon AWS Identity and Access Management (IAM) user and then apply the CloudWatchLogsReadOnlyAccess policy.

  3. Create and configure the log group of the Amazon CloudWatch Logs to retrieve CloudTrail Logs in JSA.

  4. Configure Amazon AWS CloudTrail to send log files to CloudWatch Logs.

  5. Configure security credentials for your AWS user account.

  6. Add an Amazon AWS CloudTrail log source on the JSA Console.

    The following table describes the parameters that require specific values to collect audit events from Amazon AWS CloudTrail by using the Amazon Web Services protocol:

    Table 1: Amazon Web Services Log Source Parameters

    Parameter

    Description

    Log Source Type

    Type Amazon AWS CloudTrail for the Log Source Type.

    Protocol Configuration

    Select Amazon Web Services from the Protocol Configuration list.

    Authentication Method

    • Access Key ID / Secret Key - Standard authentication that can be used from anywhere.

    • EC2 Instance IAM Role - If your JSA managed host is running in an AWS EC2 instance, choosing this option uses the IAM role from the metadata that is assigned to the instance for authentication; no keys are required. This method works only for managed hosts that are running within an AWS EC2 container.

    Access Key

    The Access Key ID that was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key, the Access Key parameter displays.

    Secret Key

    The Secret Key that was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key, the Secret Key parameter displays.

    Regions

    Select the check box for each region that is associated with the Amazon Web Service that you want to collect logs from.

    Other Regions

    Type the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from. To collect from multiple regions, use a comma-separated list, as shown in the following example: region1,region2

    AWS Service

    The name of the Amazon Web Service. From the AWS Service list, select CloudWatch Logs.

    Log Group

    The name of the log group in Amazon CloudWatch where you want to collect logs from.

    Note: A single log source collects CloudWatch logs from 1 log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.

    Log Stream (Optional)

    The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.

    Filter Pattern (Optional)

    Type a pattern for filtering the collected events. This pattern is not a regex filter: only the events that contain the exact value that you specified are collected from CloudWatch Logs. For example, if you type ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected, such as the following event:

    {LogStreamName: LogStreamTest,Timestamp: 0, Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

    Extract Original Event

    To forward only the original event that was added to the CloudWatch logs to JSA, select this option.

    CloudWatch logs wrap the events that they receive with extra metadata.

    The original event is the value of the Message key, which is extracted from the CloudWatch log. In the following CloudWatch Logs event, the original event is the JSON object that is the value of Message; the remaining fields are the CloudWatch metadata:

    {LogStreamName: 123456786_CloudTrail_us-east-2,Timestamp: 1505744407363,Message: {"eventVersion":"1.05","userIdentity": {"type":"IAMUser","principalId":"AAAABBBCCCDDDBBBCCC","arn": "arn:aws:iam::1234567890:user/QRadar-ITeam", "accountId":"1234567890","accessKeyId" :"AAAABBBBCCCCDDDD","userName":"User-Name", "sessionContext":{"attributes":{"mfaAuthenticated": "false","creationDate":"2017-09-18T13:22:10Z"}}, "invokedBy":"signin.amazonaws.com"},"eventTime": "2017-09-18T14:10:15Z","eventSource": "cloudtrail.amazonaws.com","eventName": "DescribeTrails","awsRegion":"us-east-1", "sourceIPAddress":"127.0.0.1","userAgent": "signin.amazonaws.com","requestParameters": {"includeShadowTrails":false,"trailNameList": []},"responseElements":null,"requestID": "11b1a00-7a7a-11a1-1a11-44a4aaa1a","eventID": "a4914e00-1111-491d-bbbb-a0dd3845b302","eventType": "AwsApiCall","recipientAccountId":"1234567890"}, IngestionTime: 1505744407506, EventId: 335792223611111122479126672222222513333}

    Use As A Gateway Log Source

    If you do not want to define a custom log source identifier for events, ensure that this check box is clear.

    Log Source Identifier Pattern

    If you selected Use As A Gateway Log Source, use this option to define a custom Log Source Identifier for events that are being processed.

    Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

    Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier displays.

    The following example shows how multiple key-value pairs are evaluated against an event.

    • Patterns -

      VPC=\sREJECT\sFAILURE

      $1=\s(REJECT)\sOK

      VPC-$1-$2=\s(ACCEPT)\s(OK)

    • Events - {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

    • Resulting custom log source identifier

      VPC-ACCEPT-OK

    Use Proxy

    If JSA accesses the Amazon Web Service by using a proxy, select this option.

    If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate(s)

    Select Yes for JSA to automatically download the server certificate and begin trusting the target server. You can use this option to initialize a newly created log source, obtain new certificates, or replace expired certificates.

    EPS Throttle

    The upper limit for the maximum number of events per second (EPS). The default is 5000.

    If the Use As A Gateway Log Source option is selected, this value is optional.

    If the EPS Throttle parameter value is left blank, no EPS limit is imposed by JSA.
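The ordered evaluation and capture-group substitution that the Log Source Identifier Pattern parameter describes, as an added Python model that is not part of the original page or of JSA: it reads the three pattern lines from the example above, tests them against a payload in listed order, and builds the identifier from the first match. The function names and the fallback identifier are assumptions for illustration, not JSA's own implementation.

```python
import re

# Pattern lines exactly as on this page: "IdentifierFormat=regex", one per line.
PATTERNS_TEXT = r"""VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)"""

# Constructed payload in the CloudWatch Logs wrapper format shown on this page.
SAMPLE_EVENT = (
    "{LogStreamName: LogStreamTest,Timestamp: 0,"
    "Message: ACCEPT OK,IngestionTime: 0,EventId: 0}"
)


def parse_patterns(text):
    """Split each non-empty line into (format string, compiled regex).

    Only the first '=' separates key from value, so the regex itself may contain '='.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        fmt, regex = line.split("=", 1)
        rules.append((fmt, re.compile(regex)))
    return rules


def resolve_identifier(payload, rules, fallback):
    """Return the custom identifier for payload, or fallback when no rule matches.

    Rules are tried in listed order; the first regex that matches wins, and its
    capture groups replace $1..$n in the format string.
    """
    for fmt, regex in rules:
        match = regex.search(payload)
        if match is None:
            continue
        ident = fmt
        # Substitute the highest-numbered group first so "$1" never clobbers "$10".
        for i in range(len(match.groups()), 0, -1):
            ident = ident.replace(f"${i}", match.group(i) or "")
        return ident
    return fallback


if __name__ == "__main__":
    rules = parse_patterns(PATTERNS_TEXT)
    print(resolve_identifier(SAMPLE_EVENT, rules, "aws-cloudtrail-gateway"))  # VPC-ACCEPT-OK
```

Because the regex runs against the whole wrapped payload, the leading \s in each pattern is satisfied by the space after "Message:"; a pattern written without it would still match, but one anchored with ^ would not.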

  7. To verify that JSA is configured correctly, review the following table to see an example of a parsed event message.

    The actual CloudTrail logs are wrapped in a CloudWatch logs JSON payload:

Table 2: Amazon CloudTrail Log Sample Message Supported by Amazon AWS CloudTrail DSM

Event name: Console Login

Low-level category: General Audit Event

Sample log message:

{LogStreamName: 1234567890_CloudTrail_us-east-2,Timestamp: 1505744407363,Message: {"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDAIEGANDWTHAAUMATYA","arn":"arn:aws:iam::1234567890:user/QRadar-ITeam","accountId":"1234567890","accessKeyId":"AAAABBBBCCCCDDDD","userName":"QRadar-ITeam","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2017-09-18T13:22:10Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2017-09-18T14:10:15Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"includeShadowTrails":false,"trailNameList":[]},"responseElements":null,"requestID":"17b7a04c-99cca-11a1-9d83-43d5bce2d2fc","eventID":"a4444e00-55e5-4444-bbbb-a0dd3845b302","eventType":"AwsApiCall","recipientAccountId":"1234567890"},IngestionTime: 1505744407506,EventId: 33579222362711111111111111222222222222}
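To see what the Extract Original Event option forwards, here is an added Python example (not part of the original page or of JSA) that splits the CloudWatch Logs wrapper shown in the sample above into its metadata fields and parses the Message value as the original CloudTrail JSON record. The wrapper layout (LogStreamName, Timestamp, Message, IngestionTime, EventId, in that order) is taken from the samples on this page; the payload below is a trimmed, constructed copy of them, and the function names are assumptions for illustration.

```python
import json
import re

# Constructed sample, trimmed from the page's own example. The wrapper is not
# JSON (keys are unquoted, values are bare); only the Message value is JSON.
SAMPLE_WRAPPED_EVENT = (
    "{LogStreamName: 1234567890_CloudTrail_us-east-2,Timestamp: 1505744407363,"
    'Message: {"eventVersion":"1.05","userIdentity":{"type":"IAMUser",'
    '"userName":"QRadar-ITeam","sessionContext":{"attributes":'
    '{"mfaAuthenticated":"false"}}},"eventTime":"2017-09-18T14:10:15Z",'
    '"eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails",'
    '"awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1"},'
    "IngestionTime: 1505744407506,EventId: 33579222362711111111111111222222222222}"
)

# Wrapper fields in the order CloudWatch Logs emits them (per the page's samples).
WRAPPER_KEYS = ("LogStreamName", "Timestamp", "Message", "IngestionTime", "EventId")


def parse_wrapper(payload):
    """Split the wrapper into its five fields without disturbing the Message body.

    Each field starts at its "Key: " marker and runs up to the next field's
    marker, so the commas and braces inside the Message JSON stay intact.
    """
    body = payload.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a CloudWatch Logs wrapper")
    body = body[1:-1]
    markers = []
    for key in WRAPPER_KEYS:
        m = re.search(r"(?:^|,)\s*" + key + r":\s*", body)
        if m is None:
            raise ValueError(f"wrapper is missing {key}")
        markers.append((m.start(), m.end(), key))
    fields = {}
    for idx, (_, value_start, key) in enumerate(markers):
        value_end = markers[idx + 1][0] if idx + 1 < len(markers) else len(body)
        fields[key] = body[value_start:value_end]
    return fields


def extract_original_event(payload):
    """Return what Extract Original Event forwards: the Message value, parsed as JSON."""
    return json.loads(parse_wrapper(payload)["Message"])


def is_cloudtrail_record(event):
    """Sanity check that the extracted event has the core CloudTrail record fields."""
    required = ("eventVersion", "eventTime", "eventSource", "eventName", "awsRegion")
    return all(k in event for k in required) and event["eventSource"].endswith(".amazonaws.com")
```

Running the extraction over a sample event from the log group is a quick way to confirm that the Log Group and Log Stream you configured actually carry CloudTrail records rather than some other CloudWatch source.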

Creating an Identity and Access (IAM) User in the Amazon AWS User Interface when using the Amazon Web Services Protocol

An Amazon administrator must create a user and then apply the CloudWatchLogsReadOnlyAccess policy in the Amazon AWS user interface. The JSA user can then create a log source in JSA.

Create a user:

  1. Log in to the Amazon AWS user interface as an administrator.
  2. Create an Amazon AWS IAM user and then apply the CloudWatchLogsReadOnlyAccess policy.

Creating a Log Group of the Amazon CloudWatch Logs to Retrieve Amazon CloudTrail Logs in JSA

You must create a log group in Amazon CloudWatch logs to make the CloudTrail log available for JSA polling.

  1. Log in to the CloudWatch console at https://console.aws.amazon.com/cloudwatch.
  2. Select Logs from the left navigation pane.
  3. Click Add Filter.
  4. Click Actions > Create Log Group.
  5. Type the name of your Log Group, for example, CloudTrailAuditLogs.
  6. Click Create log group.

Configure Amazon AWS CloudTrail to send Log Files to CloudWatch Logs

You must configure CloudTrail to deliver its logs to a log group in AWS CloudWatch Logs.

Follow the procedure in the AWS online documentation:

Send CloudTrail Events to CloudWatch Logs (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html).

Configuring Security Credentials for your AWS User Account

You must have your AWS user account access key and the secret access key values before you can configure a log source in JSA.

  1. Log in to your IAM console (https://console.aws.amazon.com/iam/).
  2. Select Users from the left navigation pane and then select your user name from the list.
  3. Click the Security Credentials tab.
  4. In the Access Keys section, click Create access key.
  5. From the window that displays after the access key and corresponding secret access key are created, download the .csv file that contains the keys, or copy and save the keys.

    Note: Save the Access key ID and Secret access key and use them when you configure a log source in JSA. You can view the Secret access key only when it is created.