Ingest Network Route 53 Logs from Amazon S3 - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Take advantage of Cortex XSIAM investigation capabilities and set up network Route 53 ingestion for your Amazon S3 logs using an AWS CloudFormation Script.

You can forward network AWS Route 53 DNS logs to Cortex XSIAM from Amazon Simple Storage Service (Amazon S3).

To receive network Route 53 DNS logs from Amazon S3, you must first configure data collection from Amazon S3. You can then configure the Collection Integrations settings in Cortex XSIAM for Amazon S3. After you set up collection integration, Cortex XSIAM begins receiving new logs and data from the source.

You can configure Amazon S3 with SQS notification using the AWS CloudFormation Script that we have created for you to make the process easier. The instructions below explain how to configure Cortex XSIAM to receive network Route 53 DNS logs from Amazon S3 using SQS.

Note

For more information on configuring data collection from Amazon S3 for Route 53 DNS logs, see the AWS Documentation.

As soon as Cortex XSIAM begins receiving logs, the app automatically creates an Amazon Route 53 Cortex Query Language (XQL) dataset (amazon_route53_raw). This enables you to search the logs with XQL Search using the dataset. For example queries, refer to the in-app XQL Library. For enhanced cloud protection, you can also configure Cortex XSIAM to ingest network Route 53 DNS logs as Cortex XSIAM network connection stories, which you can query with XQL Search using the xdr_data dataset with the preset called network_story. Cortex XSIAM can also raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC) when relevant from Amazon Route 53 DNS logs. While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC, and BIOC alerts are only raised on normalized logs.

Enhanced cloud protection provides:

  • Normalization of cloud logs

  • Cloud logs stitching

  • Enrichment with cloud data

  • Detection based on cloud analytics

  • Cloud-tailored investigations

Be sure you do the following tasks before you begin configuring data collection from Amazon S3 using the AWS CloudFormation Script.

  • Ensure that you have the proper permissions to run AWS CloudFormation with the script provided in Cortex XSIAM. You need at a minimum the following permissions in AWS for an Amazon S3 bucket and Amazon Simple Queue Service (SQS):

    • Amazon S3 bucket: GetObject

    • SQS: ChangeMessageVisibility, ReceiveMessage, and DeleteMessage.

  • Ensure that you can access your Amazon Virtual Private Cloud (VPC) and have the necessary permissions to create Route 53 Resolver Query logs.

  • Determine how you want to provide access to Cortex XSIAM to your logs and perform API operations. You have the following options.

    • Designate an AWS IAM user, where you will need to know the Account ID for the user and have the relevant permissions to create an access key/id for the relevant IAM user. This is the default option when you configure the Amazon S3 collection by selecting Access Key.

    • Create an assumed role in AWS to delegate permissions to a Cortex XSIAM AWS service. This role grants Cortex XSIAM access to your flow logs. For more information, see Creating a role to delegate permissions to an AWS service. This is the Assumed Role option when you configure the Amazon S3 collection in Cortex XSIAM. For more information on creating an assumed role for Cortex XSIAM, see Create an Assumed Role.

    To collect Amazon S3 logs that use server-side encryption (SSE), the user role must have an IAM policy that states that Cortex XSIAM has kms:Decrypt permissions. With this permission, Amazon S3 automatically detects if a bucket is encrypted and decrypts it. If you want to collect encrypted logs from different accounts, you must have the decrypt permissions for the user role also in the key policy for the master account Key Management Service (KMS). For more information, see Allowing users in other accounts to use a KMS key.

Configure Cortex XSIAM to receive network Route 53 DNS logs from Amazon S3 using the CloudFormation Script.

  1. Download the CloudFormation Script in Cortex XSIAM.

    1. Select Settings → Configurations → Data Collection → Data Sources.

    2. In the Amazon S3 configuration, click the Add Instance link to begin a new configuration.

    3. To provide access to Cortex XSIAM to your logs and to perform API operations using a designated AWS IAM user, leave the Access Key option selected. Otherwise, select Assumed Role, and ensure that you Create an Assumed Role before continuing with these instructions.

    4. For the Log Type, select Route 53 to configure your log collection to receive network Route 53 DNS logs from Amazon S3. The following text is displayed under the field: Download CloudFormation Script. See instructions here.

    5. Click the Download CloudFormation Script link to download the script to your computer.

  2. Create a new Stack in the CloudFormation Console with the script you downloaded from Cortex XSIAM.

    Note

    For more information on creating a Stack, see Creating a stack on the AWS CloudFormation console.

    1. Log in to the CloudFormation Console.

    2. From the CloudFormation → Stacks page, ensure that you have selected the correct region for your configuration.

    3. Select Create stack → With new resources (standard).

    4. Specify the template that you want AWS CloudFormation to use to create your stack. This template is the script that you downloaded from Cortex XSIAM, which will create an Amazon S3 bucket, Amazon Simple Queue Service (SQS) queue, and Queue Policy. Configure the following settings in the Specify template page.

      • Prerequisite - Prepare template → Prepare template—Select Template is ready.

      • Specify Template

        • Template source—Select Upload a template file.

        • Upload a template file → Choose file, and select the CloudFormation-Script.json file that you downloaded.

    5. Click Next.

    6. In the Specify stack details page, configure the following stack details.

      • Stack name—Specify a descriptive name for your stack.

      • Parameters → Cortex XDR Flow Logs Integration

        • Bucket Name—Specify the name of the S3 bucket to create, where you can leave the default populated name as xdr-route53-logs or create a new one. The name must be unique.

        • Publisher Account ID—Specify the AWS IAM user account ID with whom you are sharing access.

        • Queue Name—Specify the name for your Amazon SQS queue to create, where you can leave the default populated name as xdr-route53 or create a new one. The name must be unique.

    7. Click Next.

    8. In the Configure stack options page, there is nothing to configure, so click Next.

    9. In the Review page, look over the stack configurations settings that you have configured and if they are correct, click Create stack. If you need to make a change, click Edit beside the particular step that you want to update.

      The stack is created and is opened with the Events tab displayed. It can take a few minutes for the new Amazon S3 bucket, SQS queue, and Queue Policy to be created. Click Refresh to get updates. Once everything is created, leave the stack open in the current browser, as you will need to access information in the stack for other steps detailed below.

      Note

      For the Amazon S3 bucket created using CloudFormation, it is the customer’s responsibility to define a retention policy by creating a Lifecycle rule in the Management tab. We recommend setting the retention policy to at least 7 days to ensure that the data is retrieved under all circumstances.

  3. Configure Route 53 Query Logging in AWS.

    1. Log in to the AWS Management Console.

    2. From the menu bar, ensure that you have selected the correct region for your configuration.

    3. Search for Route 53 and select Resolver → Query Logging.

    4. Configure query logging.

    5. Set the following parameters in the different sections on the Configure query logging page.

      • Query logging configuration name

        • Name—Specify a name for your Resolver query logging configuration.

      • Query logs destination

        • Destination for query logs—Select S3 bucket as the place where you want Resolver to publish query logs.

        • Amazon S3 bucket → Browse S3 to select the Amazon S3 bucket created after running the CloudFormation script, which is by default called xdr-route53-logs, or select the one that you created.

      • VPCs to log queries for

        • Add VPC—Clicking the Add VPC button opens the Add VPC page, where you can choose the VPCs that you want to log queries for. When you are done, click Add.

    6. Click Configure query logging.

  4. Configure access keys for the AWS IAM user that Cortex XSIAM uses for API operations.

    Note

    • It is the responsibility of the customer’s organization to ensure that the user who performs this task of creating the access key is designated with the relevant permissions. Otherwise, this can cause the process to fail with errors.

    • Skip this step if you are using an Assumed Role for Cortex XSIAM.

    1. Open the AWS IAM Console, and in the navigation pane, select Access management → Users.

    2. Select the User name of the AWS IAM user.

    3. Select the Security credentials tab, scroll down to the Access keys section, and click Create access key.

    4. Click the copy icon next to the Access key ID and Secret access key (click Show secret access key to reveal the secret key), and record both values somewhere safe before closing the window. You will need to provide these keys when you edit the Access policy of the SQS queue and when setting the AWS Client ID and AWS Client Secret in Cortex XSIAM. If you forget to record the keys and close the window, you will need to generate new keys and repeat this process.

    Note

    For more information, see Managing access keys for IAM users.

  5. When you create an Assumed Role, ensure that you edit the policy that defines the permissions for the role with the S3 Bucket ARN and SQS ARN, which is taken from the stack you created.

    Note

    Skip this step if you are using an Access Key to provide access to Cortex XSIAM.
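    The permissions listed in the prerequisites (S3 GetObject; SQS ChangeMessageVisibility, ReceiveMessage and DeleteMessage; kms:Decrypt for SSE buckets) and the bucket/queue ARNs that step 5 puts into the role policy can be checked offline before you run Test in Cortex XSIAM. The following script is an added example, not code from the guide or from Cortex XSIAM: it takes an IAM policy document and reports which required (action, resource) pairs no Allow statement covers. The ARNs, account ID and KMS key ID in the sample are constructed placeholders.

```python
import fnmatch

# The guide's minimum actions for the Cortex XSIAM identity, each paired with the
# ARN it must cover: objects in the log bucket, the SQS queue, and (for SSE-KMS
# buckets) the KMS key that encrypts the logs.
def required_permissions(bucket_arn, queue_arn, kms_key_arn=None):
    required = {("s3:GetObject", bucket_arn + "/*"),
                ("sqs:ChangeMessageVisibility", queue_arn),
                ("sqs:ReceiveMessage", queue_arn),
                ("sqs:DeleteMessage", queue_arn)}
    if kms_key_arn:
        required.add(("kms:Decrypt", kms_key_arn))
    return required

def _as_list(value):  # IAM accepts a bare string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def _covers(pattern, value):  # IAM wildcards (* ?) are globs; actions ignore case
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def missing_permissions(policy, bucket_arn, queue_arn, kms_key_arn=None):
    """Return the required (action, resource) pairs no Allow statement grants."""
    required = required_permissions(bucket_arn, queue_arn, kms_key_arn)
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Only plain Allow statements count; Deny and NotAction/NotResource forms are skipped.
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action, resource in required:
            if any(_covers(a, action) for a in actions) and \
               any(_covers(r, resource) for r in resources):
                granted.add((action, resource))
    return required - granted

# Constructed sample for the default stack names; account id, region and key id
# are placeholders, not values from the guide.
BUCKET_ARN = "arn:aws:s3:::xdr-route53-logs"
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:xdr-route53"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    {"Effect": "Allow", "Resource": QUEUE_ARN,
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"]},
]}

if __name__ == "__main__":
    # The sample policy lacks kms:Decrypt, so this reports one missing pair.
    print(missing_permissions(SAMPLE_POLICY, BUCKET_ARN, QUEUE_ARN, KMS_KEY_ARN))
```

    Run it against the policy JSON you attach to the role or user; an empty set means every action the guide lists is granted on the right ARNs, while a non-empty set names exactly what Test in Cortex XSIAM will fail on.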

  6. Configure the Amazon S3 collection in Cortex XSIAM.

    1. Select Settings → Configurations → Data Collection → Data Sources.

    2. In the Amazon S3 configuration, click Add Instance to begin a new configuration.

    3. Set these parameters, where the parameters change depending on whether you configured an Access Key or Assumed Role.

      • SQS URL—Specify the SQS URL, which is taken from the stack you created. In the browser you left open after creating the stack, open the Outputs tab, copy the Value of the QueueURL and paste it in this field.

      • Name—Specify a descriptive name for your log collection configuration.

      • When setting an Access Key, set these parameters.

        • AWS Client ID—Specify the Access key ID, which you received when you created access keys for the AWS IAM user in AWS.

        • AWS Client Secret—Specify the Secret access key you received when you created access keys for the AWS IAM user in AWS.

      • When setting an Assumed Role, set these parameters.

        • Role ARN—Specify the Role ARN for the Assumed Role you created for Cortex XSIAM in AWS.

        • External Id—Specify the External Id for the Assumed Role you created for Cortex XSIAM in AWS.

      • Log Type—Select Route 53 to configure your log collection to receive network Route 53 DNS logs from Amazon S3. When configuring network Route 53 log collection, the following additional field is displayed for Enhanced Cloud Protection.

        You can Normalize DNS logs by selecting the checkbox (default configuration). When selected, Cortex XSIAM ingests the network Route 53 DNS logs as XDR network connection stories, which you can query using XQL Search from the xdr_data dataset using the preset called network_story.

    4. Click Test to validate access, and then click Enable.

      Once events start to come in, a green check mark appears underneath the Amazon S3 configuration with the number of logs received.