Take advantage of Cortex XSIAM investigation capabilities and set up network flow log ingestion for your Amazon S3 logs using an AWS CloudFormation Script.
You can forward network flow logs to Cortex XSIAM from Amazon Simple Storage Service (Amazon S3).
To receive network flow logs from Amazon S3, you must first configure data collection from Amazon S3. You can then configure the Data Sources settings in Cortex XSIAM for Amazon S3. After you set up collection integration, Cortex XSIAM begins receiving new logs and data from the source.
You can either configure Amazon S3 with SQS notification manually on your own or use the AWS CloudFormation Script that we have created for you to make the process easier. The instructions below explain how to configure Cortex XSIAM to receive network flow logs from Amazon S3 using SQS. To perform these steps manually, see Configure Data Collection from Amazon S3 Manually.
Note
For more information on configuring data collection from Amazon S3, see the Amazon S3 Documentation.
As soon as Cortex XSIAM begins receiving logs, the app automatically creates an Amazon S3 Cortex Query Language (XQL) dataset (aws_s3_raw
). This enables you to search the logs with XQL Search using the dataset. For example, queries refer to the in-app XQL Library. For enhanced cloud protection, you can also configure Cortex XSIAM to ingest network flow logs as Cortex XSIAM network connection stories, which you can query with XQL Search using the xdr_data
dataset with the preset called network_story
. Cortex XSIAM can also raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC) when relevant from Amazon S3 logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.
Enhanced cloud protection provides the following:
Normalization of cloud logs
Cloud logs stitching
Enrichment with cloud data
Detection based on cloud analytics
Cloud-tailored investigations
Be sure you do the following tasks before you begin configuring data collection from Amazon S3 using the AWS CloudFormation Script.
Ensure that you have the proper permissions to run AWS CloudFormation with the script provided in Cortex XSIAM. You need at a minimum the following permissions in AWS for an Amazon S3 bucket and Amazon Simple Queue Service (SQS):
Amazon S3 bucket—
GetObject
SQS—
ChangeMessageVisibility
,ReceiveMessage
, andDeleteMessage
.
Ensure that you can access your Amazon Virtual Private Cloud (VPC) and have the necessary permissions to create flow logs.
Determine how you want to provide access to Cortex XSIAM to your logs and perform API operations. You have the following options:
Designate an AWS IAM user, where you will need to know the Account ID for the user and have the relevant permissions to create an access key/id for the relevant IAM user. This is the default option as explained in Configure the Amazon S3 Collection in Cortex XSIAM by selecting Access Key.
Create an assumed role in AWS to delegate permissions to a Cortex XSIAM AWS service. This role grants Cortex XSIAM access to your flow logs. For more information, see Creating a role to delegate permissions to an AWS service. This is the Assumed Role option as described in the Configure the Amazon S3 collection in Cortex XSIAM. For more information on creating an assumed role for Cortex XSIAM, see Create an Assumed Role.
To collect Amazon S3 logs that use server-side encryption (SSE), the user role must have an IAM policy that states that Cortex XSIAM has kms:Decrypt permissions. With this permission, Amazon S3 automatically detects if a bucket is encrypted and decrypts it. If you want to collect encrypted logs from different accounts, you must have the decrypt permissions for the user role also in the key policy for the master account Key Management Service (KMS). For more information, see Allowing users in other accounts to use a KMS key.
Configure Cortex XSIAM to receive network flow logs from Amazon S3 using the CloudFormation Script.
Download the CloudFormation Script in Cortex XSIAM .
Select
→ → → .On the Data Sources page, click Add Data Source, search for and select Amazon S3, and click Connect.
To provide access to Cortex XSIAM to your logs and to perform API operations using a designated AWS IAM user, leave the Access Key option selected. Otherwise, select Assumed Role, and ensure that you Create an Assumed Role for before continuing with these instructions.
For the Log Type, select Flow Logs to configure your log collection to receive network flow logs from Amazon S3, and the following text is displayed under the field Download CloudFormation Script. See instructions here.
Click the Download CloudFormation Script. link to download the script to your computer.
Create a new Stack in the CloudFormation Console with the script you downloaded from Cortex XSIAM.
For more information on creating a Stack, see Creating a stack on the AWS CloudFormation console.
Log in to the CloudFormation Console.
From the
→ page, ensure that you have selected the correct region for your configuration.Select
→ .Specify the template that you want AWS CloudFormation to use to create your stack. This template is the script that you downloaded from Cortex XSIAM , which will create an Amazon S3 bucket, Amazon Simple Queue Service (SQS) queue, and Queue Policy. Configure the following settings in the Specify template page.
Template is ready.
→ —SelectSpecify Template
Template source—Select Upload a template file.
Upload a template file—Choose file, and select the
cortex-xdr-create-s3-with-sqs-flow-logs.json
file that you downloaded from Cortex XDR.
Click Next.
In the Specify stack details page, configure the following stack details.
Stack name—Specify a descriptive name for your stack.
→
Bucket Name—Specify the name of the S3 bucket to create, where you can leave the default populated name as xdr-flow-logs or create a new one. The name must be unique.
Publisher Account ID—Specify the AWS IAM user account ID with whom you are sharing access.
Queue Name—Specify the name for your Amazon SQS queue to create, where you can leave the default populated name as xdr-flow or create a new one. The name must be unique.
Click Next.
In the Configure stack options page, there is nothing to configure, so click Next.
In the Review page, look over the stack configurations settings that you have configured and if they are correct, click Create stack. If you need to make a change, click Edit beside the particular step that you want to update.
The stack is created and is opened with the Events tab displayed. It can take a few minutes for the new Amazon S3 bucket, SQS queue, and Queue Policy to be created. Click Refresh to get updates. Once everything is created, leave the stack opened in the current browser as you will need to access information in the stack for other steps detailed below.
Note
For the Amazon S3 bucket created using CloudFormation, it is the customer’s responsibility to define a retention policy by creating a Lifecycle rule in the Management tab. We recommend setting the retention policy to at least 7 days to ensure that the data is retrieved under all circumstances.
Configure your Amazon Virtual Private Cloud (VPC) with flow logs:
Open the Amazon VPC Console, and in the Resources by Region listed, select VPCs to view the VPCs configured for the current region selected. To select another VPC from another region, select See all regions, and select one of them.
Note
To create a new VPC, click Launch VPC Wizard. For more information, see AWS VPC Flow Logs.
From the list of Your VPCs, select the checkbox beside the VPC that you want to configure to create flow logs, and then select → .
Configure the following Flow log settings:
Name - optional—(Optional) Specify a descriptive name for your VPC flow log.
Filter—Select All types of traffic to capture.
Maximum aggregation interval—If you anticipate a heavy flow of traffic, select 1 minute. Otherwise, leave the default setting as 10 minutes.
Destination—Select Send to an Amazon S3 bucket as the destination to publish the flow log data.
S3 bucket ARN—Specify the Amazon Resource Name (ARN) for your Amazon S3 bucket.
You can retrieve your bucket’s ARN by opening another instance of the AWS Management Console in a browser window and opening the Amazon S3 console. In the Buckets section, select the bucket that you created for collecting the Amazon S3 flow logs when you created your stack, click Copy ARN, and paste the ARN in this field.
Log record format—Select Custom Format, and in the Log Format field, specify the following fields to include in the flow log record, which you can select from the list displayed:
account-id
action
az-id
bytes
dstaddr
dstport
end
flow-direction
instance-id
interface-id
packets
log-status
pkt-srcaddr
pkt-dstaddr
protocol
region
srcaddr
srcport
start
sublocation-id
sublocation-type
subnet-id
tcp-flags
type
vpc-id
version
Click Create flow log.
Once the flow log is created, a message indicating that the flow log was successfully created is displayed at the top of the Your VPCs page.
In addition, if you open your Amazon S3 bucket configurations, by selecting the bucket from the Amazon S3 console, the Objects tab contains a folder called AWSLogs/ to collect the flow logs.
Configure access keys for the AWS IAM user that Cortex XSIAM uses for API operations.
Note
It is the responsibility of the customer’s organization to ensure that the user who performs this task of creating the access key is designated with the relevant permissions. Otherwise, this can cause the process to fail with errors.
Skip this step if you are using an Assumed Role for Cortex XSIAM.
Open the AWS IAM Console, and in the navigation pane, select → .
Select the User name of the AWS IAM user.
Select the Security credentials tab, scroll down to the Access keys section, and click Create access key.
Click the copy icon next to the Access key ID and Secret access key keys, where you must click Show secret access key to see the secret key and record them somewhere safe before closing the window. You will need to provide these keys when you edit the Access policy of the SQS queue and when setting the AWS Client ID and AWS Client Secret in Cortex XSIAM. If you forget to record the keys and close the window, you will need to generate new keys and repeat this process.
Note
For more information, see Managing access keys for IAM users.
When you create an Assumed Role in Cortex XSIAM, ensure that you edit the policy that defines the permissions for the role with the S3 Bucket ARN and SQS ARN, which is taken from the Stack you created.
Note
Skip this step if you are using an Access Key to provide access to Cortex XSIAM.
Configure the Amazon S3 collection in Cortex XSIAM.
Select
→ → → .In the Amazon S3 configuration, click Add Instance to begin a new configuration.
Set these parameters, where the parameters change depending on whether you configured an Access Key or Assumed Role.
SQS URL—Specify the SQS URL, which is taken from the stack you created. In the browser you left open after creating the stack, open the Outputs tab, copy the Value of the QueueURL and paste it in this field.
Name—Specify a descriptive name for your log collection configuration.
When setting an Access Key, set these parameters.
AWS Client ID—Specify the Access key ID, which you received when you created access keys for the AWS IAM user in AWS.
AWS Client Secret—Specify the Secret access key you received when you created access keys for the AWS IAM user in AWS.
When setting an Assumed Role, set these parameters.
Role ARN—Specify the Role ARN for the Assumed Role you created for in AWS.
External Id—Specify the External Id for the Assumed Role you created for in AWS.
Log Type—Select Flow Logs to configure your log collection to receive network flow logs from Amazon S3. When configuring network flow log collection, the following additional field is displayed for Enhanced Cloud Protection.
You can Normalize and enrich flow logs by selecting the checkbox. If selected, Cortex XSIAM ingests the network flow logs as XDR network connection stories, which you can query using XQL Search from the
xdr_data
dataset using the preset callednetwork_story
.
Click Test to validate access, and then click Enable.
Once events start to come in, a green check mark appears underneath the Amazon S3 configuration with the number of logs received.