- What is Discovered and Monitored
- Settings for Access Credentials
- Sample Events for AWS CloudTrail
- Performance Tuning for High EPS CloudTrail Events
|Protocol||Information Discovered||Metrics Collected||Used For|
|CloudTrail API||None||None||Security Monitoring|
In ADMIN > Device Support > Event, search for "Cloudtrail" in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.
In RESOURCE > Reports, search for "cloudtrail" in the Name column to see the rules associated with this device.
If you have not already configured Access Keys and permissions in AWS, please follow the steps outlined in AWS Access Key IAM Permissions and IAM Policies.
FortiSIEM receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your FortiSIEM virtual appliance you then enter access credentials so FortiSIEM can communicate with CloudTrail as it would any other device.
- Log in to https://console.aws.amazon.com/cloudtrail.
- Switch to the region for which you want to generate cloud trail logs.
- Click Trails.
- Click on Add New Trail
- Enter a Trail name such as
Select Yes for Apply Trail to all regions.
FortiSIEM can pull trails from all regions via a single credential.
- Select Yes for Create a new S3 bucket.
- For S3 bucket, enter a name like s3aocloudtrail.
- Click Advanced.
- Select Yes for Create a new SNS topic.
- For SNS topic, enter a name like
- Leave the rest of advanced settings to the default values.
- Click Create.
A dialog will confirm that logging is turned on.
- Log in to https://console.aws.amazon.com/sqs.
- Switch to the region in which you created a new cloudtrail above
- Click Create New Queue.
- Enter a Queue Name such as
Setting Value Default Visibility Timeout 0 seconds Message Retention Period
This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.
10 minutes Maximum Message Size 256 KB Delivery Delay 0 seconds Receive Message Wait Time 5 seconds
- Click Create Queue.
- When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for FortiSIEM.
- Log in to https://console.aws.amazon.com/sns.
- Switch to the region where you created the trail and SQS.
- Select Topics.
- Select the SNS topic
snsaocloudtrailthat you specified when creating a cloudtrail.
- Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription.
- For Protocol, select Amazon SQS.
- For Endpoint, enter the ARN of the queue that you created when setting up SQS.
- Click Create Subscription.
- Log in to https://console.aws.amazon.com/sqs.
- Select the queue you created,
- In the Queue Actions menu, select Subscribe Queue to SNS Topic.
- From the Choose a Topic dropdown, select the SNS topic
snsaocloudtrailthat you created earlier.
- The Topic ARN will be automatically filled.
- Click Subscribe.
Note: Ensure that SQS, SNS, S3 bucket and CloudTrail are in the same region.
You do not need to initiate discovery of AWS Cloud Trail, but should check that FortiSIEM is pulling events for AWS by checking for an amazon.com entry in ADMIN > Setup > Event Pulling.
Use these Access Method Definition settings to allow FortiSIEM to communicate with the CloudTrail API.
|Device Type||Amazon AWS CloudTrail|
|Access Protocol||Amazon AWS CloudTrail|
|Region||Region where you created the trail.|
|Bucket||The name of the S3 bucket you created (
|SQS Queue URL||Enter the ARN of your queue without the
|Password Config||See Password Configuration.|
|Access Key ID||The access key for your AWS instance.|
|Secret Key||The secret key for your AWS instance.|
|Organization||Select an organization from the drop-down list.|
Fri Oct 10 14:44:23 2014 FortiSIEM-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/home?state= hashArgs%23&isauthcode=true
[additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1 [eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin [eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z [eventVersion]=1.01 [requestParameters]=null [responseElements/ConsoleLogin]=Success [sourceIPAddress]=22.214.171.124 [userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36 [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams [userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW [userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams Fri Oct 10 14:19:45 2014 FortiSIEM-CloudTrail [awsRegion]=us-east-1 [eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436 [eventName]=DescribeInstances [eventSource]=EC2 [eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01 [requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803 [requestParameters/filterSet/items/0/name]=private-ip-address [requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233 [responseElements]=null [sourceIPAddress]=126.96.36.199 [userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3 [userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A [userIdentity/accountId]=623885071509 [userIdentity/arn]=arn:aws:iam::623885071509:root [userIdentity/principalId]=623885071509 [userIdentity/type]=Root [userIdentity/userName]=accelops
AWS CloudTrail can generate a lot of events. Follow these recommendations to enable FortiSIEM to keep up with high EPS CloudTrail events.
- In the AWS configuration, change the Message retention period of SQS to 1 day.
- Adjust the
CloudTrailevent pulling parameters as follows. Go to the Collector that pulls AWS CloudTrail events. You will find these three relevant parameters in the
cloudtrail_msg_pull_interval(default 30 seconds, minimum recommended 10 seconds) - how often CloudTrail events are pulled.
cloudtrail_msg_pull_thread_num(default 1, maximum recommended 60) - how many threads are used to pull CloudTrail events.
cloudtrail_file_parse_thread_num(default 3, maximum recommended 60) - how many threads are used to parse CloudTrail events.
Since each API call returns maximum 10 files, set the parameters to satisfy the following two constraints. If the thread count is high, then you must increase the number of vCPUs in the Collector.
- Set (
cloudtrail_msg_pull_interval) to be smaller than (
cloudtrail_msg_pull_thread_numto be equal to