Sumo timeslice

As orgs increasingly shift some of their workloads to cloud providers like Amazon Web Services (AWS), it’s often challenging to get the right level of visibility into these new environments for security monitoring purposes. Sure, security professionals have had decades of experience monitoring traditional enterprise networks, but services like AWS, Microsoft Azure and Google Cloud Platform come with additional sources of valuable data - which is frustratingly unfamiliar if you’re used to racking and stacking your own servers. Combine that uncertainty with an already long laundry list and the result is this: Most organizations using cloud platforms are not taking full advantage of the signals available to them.

But there’s some good news: There are lots of great technology solutions we can use to help us get a better handle on those signals. In this post, I’ll show you how Expel uses a SIEM (in this example, we’ll take a look at Sumo Logic) to generate security leads from AWS signals. Regardless of what SIEM you use, I’ll share some detection use cases (with examples!) that you can try out in your own environment.

How does a SIEM help?

Anyone who works in security knows that there are two high-level problems that need to be solved to effectively monitor an environment:

- Drawing actionable insights from the data

A log management (aka SIEM) solution like Sumo Logic does all of the heavy lifting, connecting up to your sources of data and providing an intuitive search interface that lets you generate alerts and perform investigations.

For example, you can easily onboard Amazon CloudTrail data from AWS with the built-in connector (more on CloudTrail in a moment). In a few easy steps, you can create a trail and get data flowing by granting Sumo Logic access to the S3 bucket containing the logs. This can be done right in the AWS console with a few button clicks or via the CloudTrail API and takes about five minutes. Once you’ve hooked up Sumo Logic, you can validate data flow by issuing queries against the CloudTrail data like so:

Now that you’ve got data flowing, the next step is making sense of it.

Building a detection strategy for Amazon CloudTrail

Why Amazon CloudTrail is useful

If you aren’t familiar with Amazon CloudTrail, think of it as an audit log of all AWS activities that happen in your account. By default, AWS enables a default CloudTrail for every account - it records the most essential events and retains them for 90 days. This is helpful as a default, but as a best practice it’s important to create your own CloudTrail that sends events to an S3 bucket of your choosing. This allows you to control the granularity of the events that get logged and the length of time those logs are retained.
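As an added example that is not part of the original post, here is the data-flow validation step done offline in Python: it parses a constructed CloudTrail-style log file (the "Records" array you find in the S3 objects a trail writes) and buckets events into fixed-width time slices, the way a Sumo Logic `timeslice` query would, so you can confirm the expected event types are arriving before writing detections on them. The sample records, `parse_width`, `timeslice` and `count_by_timeslice` are assumptions of this example, not Sumo Logic or AWS code.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample shaped like a CloudTrail log file fetched from S3; all values are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:01:12Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T10:03:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T10:04:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2023-05-01T10:07:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole", "userName": "deploy"}},
    {"eventTime": "2023-05-01T10:09:59Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2023-05-01T10:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"}},
]})

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_width(width):
    """Turn a Sumo-style slice width such as "5m" or "1h" into seconds."""
    return int(width[:-1]) * UNITS[width[-1]]

def timeslice(event_time, width):
    """Floor a CloudTrail eventTime (ISO-8601, UTC) to the start of its slice."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
    start = epoch - epoch % parse_width(width)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def count_by_timeslice(raw_log, width="5m", field="eventName"):
    """Offline equivalent of `| timeslice 5m | count by _timeslice, eventName`.
    Returns {(slice_start, field_value): count} so gaps or missing event types stand out."""
    counts = Counter()
    for record in json.loads(raw_log)["Records"]:
        counts[(timeslice(record["eventTime"], width), record[field])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (start, name), n in sorted(count_by_timeslice(SAMPLE_LOG).items()):
        print(f"{start}  {name:<16} {n}")
```

Changing `field` to `sourceIPAddress` or `userIdentity`-derived values gives the other pivots you would normally run in the SIEM once the trail is confirmed to be delivering.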