Configure AWS (CloudTrail) Event Sources

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by Scott Marcus on Nov 2, 2017.

This topic tells you how to configure the AWS collection protocol, which collects events from Amazon Web Services (AWS) CloudTrail.

This topic also tells you how to create and maintain event filters across all collection protocols.

Note: The AWS plugin is meant only for collecting AWS CloudTrail logs, not arbitrary logs stored in S3 buckets (under arbitrary directories). CloudTrail log files are delivered in JSON format, as detailed in the AWS documentation here: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference.html.

How AWS Collection Works

The Log Collector service collects events from Amazon Web Services (AWS) CloudTrail. CloudTrail records the AWS API calls made in an account. Each event contains the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. The API call history that CloudTrail provides enables security analysis, resource change tracking, and compliance auditing. CloudTrail uses Amazon S3 for log file storage and delivery. NetWitness Suite copies the log files from the S3 bucket and sends the events contained in the files to the Log Collector.
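As an added illustration (not code from the RSA NetWitness documentation or product), the following Python script parses a CloudTrail log file in the delivered format, a gzip-compressed JSON document with a top-level Records array, and flattens each record to the fields named above: caller identity, event time, source IP address, request parameters and response elements. The two records are constructed for this example, and the function and field names are this example's own choices. The last helper shows one use an analyst makes of the identity field: listing API calls made with root credentials.

```python
"""Parse a CloudTrail log file the way a collector would after fetching it from S3.

Added example, not RSA NetWitness code. CloudTrail delivers each log file as a
gzip-compressed JSON document whose top-level "Records" array holds one object
per API call. SAMPLE_LOG below is constructed for this example.
"""
import gzip
import json
from datetime import datetime, timezone

# Constructed sample: two CloudTrail records in the documented JSON shape.
SAMPLE_LOG = {
    "Records": [
        {
            "eventVersion": "1.05",
            "userIdentity": {"type": "IAMUser", "userName": "alice",
                             "arn": "arn:aws:iam::123456789012:user/alice"},
            "eventTime": "2017-11-02T10:15:30Z",
            "eventSource": "s3.amazonaws.com",
            "eventName": "GetBucketAcl",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"bucketName": "example-cloudtrail-logs"},
            "responseElements": None,
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
            "eventTime": "2017-11-02T10:16:01Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateAccessKey",
            "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.9",
            "requestParameters": {"userName": "alice"},
            "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                               "status": "Active"}},
        },
    ]
}


def gzip_log(doc):
    """Serialize and gzip a log document, mimicking the object CloudTrail writes to S3."""
    return gzip.compress(json.dumps(doc).encode("utf-8"))


def parse_cloudtrail_file(blob):
    """Decompress a CloudTrail log object and flatten each record to the fields the
    collector cares about: caller identity, time, source IP, request parameters and
    response elements. Returns a list of dicts, one per record, in file order."""
    doc = json.loads(gzip.decompress(blob).decode("utf-8"))
    records = doc.get("Records")
    if not isinstance(records, list):
        raise ValueError("not a CloudTrail log file: missing Records array")
    events = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        events.append({
            # eventTime is always UTC and ends in "Z"
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "caller": ident.get("arn") or ident.get("type", "unknown"),
            "caller_type": ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "service": rec.get("eventSource"),
            "api": rec.get("eventName"),
            "region": rec.get("awsRegion"),
            # responseElements is null for read-only calls; normalise to a dict
            "request": rec.get("requestParameters") or {},
            "response": rec.get("responseElements") or {},
        })
    return events


def root_api_calls(events):
    """Example consumer: names of API calls made with root credentials, which the
    identity field exposes as userIdentity.type == "Root"."""
    return [e["api"] for e in events if e["caller_type"] == "Root"]


if __name__ == "__main__":
    evs = parse_cloudtrail_file(gzip_log(SAMPLE_LOG))
    for e in evs:
        print(e["time"].isoformat(), e["caller"], e["source_ip"], e["api"])
    print("root calls:", root_api_calls(evs))
```

The parser rejects an object that is not a CloudTrail log file (no Records array), which is the distinction the note above draws between CloudTrail logs and arbitrary objects in the bucket.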

Deployment Scenario

The following figure illustrates how you deploy the AWS Collection Protocol in NetWitness Suite.

Diagram shows AWS (CloudTrail) sending events to the local and remote collectors.

Configuration

To configure an AWS (CloudTrail) Event Source:

  1. Go to ADMIN > Services from the NetWitness Suite menu.
  2. Select a Log Collection service.
  3. Under Actions, select View > Config to display the Log Collection configuration parameter tabs.
  4. Click the Event Sources tab.

    The Event Sources tab is displayed.

  5. In the Event Sources tab, select Plugins/Config from the drop-down menu.
  6. In the Event Categories panel toolbar, click the add icon.

    The Available Event Source Types dialog is displayed.

  7. Select AWS (CloudTrail) and click OK.

    The newly added event source type is displayed in the Event Categories panel.

  8. Select the new type in the Event Categories panel and click the add icon in the Sources toolbar.

    The Add Source dialog is displayed.

  9. Define parameter values. For details, see AWS Parameters below.
  10. Click Test Connection.

    The result of the test is displayed in the dialog box. If the test is unsuccessful, edit the device or service information and retry.

    The Log Collector takes approximately 60 seconds to return the test results. If the test exceeds this time limit, it times out and NetWitness Suite displays an error message.

  11. If the test is successful, click OK.

    The new event source is displayed in the Sources panel.

AWS Parameters

The following table describes the available configuration parameters for AWS collection. Parameters marked with an asterisk (*) are required.

Basic

Name *

Name of the event source.

Enabled

Select the check box to enable the event source configuration and start collection. The check box is selected by default.

Account Id *

AWS account ID (12 digits) associated with the S3 bucket.

S3 Bucket Name *

Name of the AWS (CloudTrail) S3 bucket.

Amazon S3 bucket names are globally unique, regardless of the AWS region in which you create the bucket. You specify the name when you create the bucket.

Bucket names must comply with DNS naming conventions. The rules for DNS-compliant bucket names are:

  • Bucket names must be at least three and no more than 63 characters long.
  • Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number.
  • Bucket names must not be formatted as an IP address (for example, 192.168.5.4).

The following examples are valid bucket names:

  • myawsbucket
  • my.aws.bucket
  • myawsbucket.1

The following examples are invalid bucket names:

  • .myawsbucket: a bucket name must not start with a period.
  • myawsbucket.: a bucket name must not end with a period.
  • my..examplebucket: use only one period between labels.
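The rules above can be checked before you click Test Connection. The following Python validator is an added example, not part of the NetWitness product; it implements exactly the rules listed on this page (not the full current AWS bucket naming specification) and reports the first rule a name breaks, so a typo in the S3 Bucket Name parameter is caught before the collector spends its 60-second test timeout on it.

```python
"""Validate an S3 bucket name against the DNS-compliant rules listed on this page.

Added example, not RSA NetWitness code. Only the rules stated above are
enforced; AWS has further restrictions this example does not cover.
"""
import re

# One label: lowercase letters, digits and hyphens, starting and ending
# with a letter or digit (so a single character label such as "1" is fine).
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")
# Dotted-quad shape, which a bucket name must not have.
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def bucket_name_problem(name):
    """Return None if name satisfies the rules, otherwise a short description
    of the first rule it violates."""
    if not 3 <= len(name) <= 63:
        return "length must be between 3 and 63 characters"
    if _IPV4.fullmatch(name):
        return "must not be formatted as an IP address"
    for label in name.split("."):
        if label == "":
            return "empty label: leading, trailing or doubled period"
        if not _LABEL.fullmatch(label):
            return ("label %r must contain only lowercase letters, digits and "
                    "hyphens and must start and end with a letter or digit" % label)
    return None


def check_bucket_names(names):
    """Map each candidate name to its problem (None when valid)."""
    return {n: bucket_name_problem(n) for n in names}


if __name__ == "__main__":
    samples = ["myawsbucket", "my.aws.bucket", "myawsbucket.1",
               ".myawsbucket", "myawsbucket.", "my..examplebucket",
               "192.168.5.4", "MyBucket", "ab"]
    for name, problem in check_bucket_names(samples).items():
        print("%-20s %s" % (name, "OK" if problem is None else problem))
```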
Access Key *

Access key ID used to access the S3 bucket. Access keys are used to make secure REST or Query protocol requests to any AWS service API. See Manage User Credentials on the Amazon Web Services support site for more information on access keys.

Secret Key *

Secret access key that pairs with the Access Key.

Region *

Region of the S3 bucket. The default value is us-east-1.

Region Endpoint

S3 endpoint hostname for the region that holds the bucket. For example, for the AWS public cloud in the us-east-1 region, the Region Endpoint is s3.amazonaws.com. For the list of endpoints, see http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region. This parameter is required to collect CloudTrail logs from AWS GovCloud or private clouds, whose endpoints differ from the public ones.

Use Proxy

Enable Use Proxy to route connections to the AWS server through a proxy. By default, it is disabled.

Proxy Server

Host name or IP address of the proxy server through which NetWitness Suite connects to the AWS server.

Proxy Port

Port number on which the proxy server accepts connections.

Proxy User

User name used to authenticate with the proxy server.

Proxy Password

Password used to authenticate with the proxy server.

Start Date *

Starts AWS (CloudTrail) collection from the specified number of days in the past, measured from the current timestamp. The default value is 0, which starts from today. The range is 0 to 89 days.

Log File Prefix

Prefix of the files to be processed.

Note: If you set a log file prefix when you set up your CloudTrail trail, enter the same prefix in this parameter; otherwise the collector looks in the wrong location in the bucket and finds no log files.

Advanced

Debug

Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and need to investigate it. Enabling debugging adversely affects the performance of the Log Collector.

Enables or disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources for which it is enabled to minimize the performance impact.

If you change this value, the change takes effect immediately (no restart required).

Command Args

Arguments added to the script.

Polling Interval

Interval, in seconds, between each poll. The default value is 60.

For example, if you specify 60, the collector schedules a poll of the event source every 60 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, it may take longer than 60 seconds for a poll to start because the collection threads are busy.

SSL Enabled

Select the check box to communicate with the S3 endpoint over SSL. SSL encrypts the data in transit and authenticates the endpoint with its SSL certificate. The check box is selected by default; leave it selected, because clearing it transfers the log files in clear text.

Test Connection

Validates that the configuration parameters specified in this dialog are correct. For example, this test validates that:

  • NetWitness Suite can connect to the S3 bucket in AWS using the credentials specified in this dialog.
  • NetWitness Suite can download a log file from the bucket. (The test fails if the bucket contains no log files at all, which is unlikely.)

Cancel

Closes the dialog without adding the AWS (CloudTrail) event source.

OK

Adds the current parameter values as a new AWS (CloudTrail) event source.
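To see how Account Id, Region, Log File Prefix and Start Date combine into the locations the collector has to read, the following added Python example (not NetWitness code) builds the per-day S3 key prefixes and filters a constructed bucket listing with them. It assumes CloudTrail's documented key layout, prefix/AWSLogs/account-id/CloudTrail/region/YYYY/MM/DD/, which this page does not state; the sample keys, SAMPLE_TODAY and the helper names are constructed for the example. A Log File Prefix or Account Id mismatch yields an empty listing, which is the condition under which Test Connection reports that it cannot download a log file.

```python
"""Compute where the collector looks for CloudTrail objects given the dialog's
Account Id, Region, Log File Prefix and Start Date parameters.

Added example, not RSA NetWitness code. The key layout below is CloudTrail's
documented delivery layout, assumed here; it is not stated on this page.
"""
from datetime import date, timedelta

# Constructed: a fixed "today" so the results are reproducible.
SAMPLE_TODAY = date(2017, 11, 2)

# Constructed bucket listing: two log files inside the window, one outside it,
# one digest file (a different key branch) and one unrelated object.
SAMPLE_KEYS = [
    "prod/AWSLogs/123456789012/CloudTrail/us-east-1/2017/11/01/"
    "123456789012_CloudTrail_us-east-1_20171101T1015Z_abc123.json.gz",
    "prod/AWSLogs/123456789012/CloudTrail/us-east-1/2017/11/02/"
    "123456789012_CloudTrail_us-east-1_20171102T1020Z_def456.json.gz",
    "prod/AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2017/11/02/"
    "123456789012_CloudTrail-Digest_us-east-1_20171102T1020Z_ghi789.json.gz",
    "prod/AWSLogs/123456789012/CloudTrail/us-east-1/2017/10/15/"
    "123456789012_CloudTrail_us-east-1_20171015T0900Z_jkl012.json.gz",
    "other/unrelated.txt",
]


def cloudtrail_day_prefixes(account_id, region, start_days, log_file_prefix="",
                            today=None):
    """Return the S3 key prefixes holding CloudTrail log objects for each day from
    start_days ago through today, oldest first. start_days mirrors the dialog's
    Start Date (0 = today only, maximum 89)."""
    if not 0 <= start_days <= 89:
        raise ValueError("Start Date must be between 0 and 89 days in the past")
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("Account Id must be a 12-digit AWS account number")
    today = today or date.today()
    base = log_file_prefix.strip("/")
    base = base + "/" if base else ""
    prefixes = []
    for back in range(start_days, -1, -1):
        day = today - timedelta(days=back)
        prefixes.append("%sAWSLogs/%s/CloudTrail/%s/%s/" % (
            base, account_id, region, day.strftime("%Y/%m/%d")))
    return prefixes


def select_keys(keys, prefixes):
    """Keep only CloudTrail log objects (.json.gz) under the computed prefixes.
    Digest files live under CloudTrail-Digest/ and are therefore excluded."""
    return [k for k in keys
            if k.endswith(".json.gz") and any(k.startswith(p) for p in prefixes)]


def demo(log_file_prefix="prod", start_days=1):
    """Run the example against the constructed listing; returns (prefixes, keys)."""
    prefixes = cloudtrail_day_prefixes("123456789012", "us-east-1", start_days,
                                       log_file_prefix, today=SAMPLE_TODAY)
    return prefixes, select_keys(SAMPLE_KEYS, prefixes)


if __name__ == "__main__":
    prefixes, keys = demo()
    print("prefixes:", *prefixes, sep="\n  ")
    print("log objects to fetch:", *keys, sep="\n  ")
    print("with the wrong prefix:", demo(log_file_prefix="")[1])
```

Run with the wrong Log File Prefix (here, an empty one against a bucket whose trail writes under prod/), the selection is empty: the credentials may be perfect and the test still fails, which is why the Log File Prefix note above matters.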
