Configuring SIEM using Amazon OpenSearch Service

1. Introduction
2. Supported AWS Services Log Types
3. Architecture Diagram
4. Step-by-Step Guide to Setting Up SIEM
5. Conclusion
SIEM on Amazon OpenSearch Service (the successor to SIEM on Amazon Elasticsearch Service) is a solution for collecting logs from multiple AWS accounts. It lets you correlate and visualize those logs to assist with investigating security incidents. An AWS CloudFormation template is available for deployment.
AWS logs are placed into a dedicated Amazon Simple Storage Service (Amazon S3) bucket. The AWS Lambda function that is triggered during deployment automatically loads those logs into SIEM. OpenSearch Service lets users view visualizations of logs from different AWS services and cross-check multiple logs when investigating security issues.
2. Supported AWS Services Log Types
SIEM on OpenSearch Service supports the following log types.
Security, Identity, & Compliance

Management & Governance

Networking and Content Delivery

4. Step-by-Step Guide to Setting Up SIEM Using Amazon OpenSearch Service and a CloudFormation Template
Step 1: Verify that the IAM user has access to the AWS CloudFormation policies.
If you do not have permission for the CloudFormation policies, request it from your administrator.
Step 2: Use the search bar to search for CloudFormation.

Step 3: Click Create Stack
Select Template is ready, then provide the template URL: copy the URL below and edit the Region in which SIEM must be created. Click on Next.

If required, enter the stack details and the stack name.
Under Configure stack options, select the role you want to use for creating the stack, or leave it blank so that AWS creates the managed roles.
Click on Next, review the settings, then click on Create Stack.
Step 4: Verify the Status of the Stack
It will take 20 minutes to create the stack. Wait until the status shows that the stack was created successfully.

After the stack is successfully created, click on Outputs to copy the URL, user ID and password.

Step 5: Type OpenSearch Service into the search bar, and then click on it.

Click on Domains in the left panel and select the domain created by your stack.

Scroll down to the domain's configuration, then down to the access policy. Add your IP address and save the changes. If your IP address or your office IP address has not been added, the OpenSearch Dashboard will not open.

To find your system's public IP address, click on this URL.
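As an added example (not code from this post or from the SIEM solution itself), the following Python builds the kind of IP-restricted domain access policy this step describes and checks, for a given client address, whether a policy document would admit it; it also flags an Allow statement for any principal that carries no source-IP condition, which is the open setting to avoid. The domain ARN and the address ranges are constructed placeholders.

```python
import ipaddress

# Constructed placeholder ARN: replace with the ARN of the domain created by your stack.
DOMAIN_ARN = "arn:aws:es:us-east-1:111122223333:domain/aes-siem/*"

def build_ip_policy(domain_arn, allowed_cidrs):
    """Access policy that lets any principal reach the domain only from allowed_cidrs."""
    cidrs = [str(ipaddress.ip_network(c, strict=False)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": domain_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }

def _source_ip_cidrs(statement):
    """CIDRs named in an IpAddress/aws:SourceIp condition, or None if the statement has none."""
    cond = statement.get("Condition", {}).get("IpAddress", {})
    if "aws:SourceIp" not in cond:
        return None
    value = cond["aws:SourceIp"]
    return [value] if isinstance(value, str) else list(value)

def open_statements(policy):
    """Allow statements for any principal with no source-IP restriction (the weak setting)."""
    out = []
    for st in policy["Statement"]:
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and _source_ip_cidrs(st) is None:
            out.append(st)
    return out

def ip_allowed(policy, client_ip):
    """True if client_ip matches some Allow statement's allowlist, or an Allow with no IP condition."""
    addr = ipaddress.ip_address(client_ip)
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cidrs = _source_ip_cidrs(st)
        if cidrs is None or any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False
```

Before saving the policy in the console, run ip_allowed against your own public address and your office range, and confirm open_statements returns an empty list.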
Step 6: Log in to the OpenSearch Dashboard
Open the OpenSearch Dashboard URL that you copied from the CloudFormation stack's Outputs in a new tab. Then enter the user ID and password.

Click on Confirm to confirm the Global Tenant selection.
You now have access to the SIEM's OpenSearch Dashboard.
5. Conclusion
The next blog will show you how to add logs from different services to the AWS SIEM logs S3 bucket, and how to visualize the required dashboards. We will also look at which resources were created by the CloudFormation template.
About CloudThat
CloudThat is an official AWS Advanced Consulting Partner and Microsoft Gold Partner. We help people learn about the cloud and help them achieve higher goals by using the best cloud computing practices and expertise. Our mission is to create a strong cloud computing ecosystem by sharing knowledge about technological intricacies in the cloud space. We provide information for all stakeholders in the cloud computing industry through our blogs, webinars and case studies.
We will be happy to answer any questions or comments you may have about Amazon OpenSearch Service, SIEM Configuration or any other consulting needs.

