External Systems Configuration Guide

Amazon Simple Storage Service (AWS S3)

Amazon Simple Storage Service (AWS S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. Customers of all sizes and industries can use it to store and protect any amount of data.

Support Added: FortiSIEM 6.5.0

Vendor Version Tested: Not Provided

 

Vendor: Amazon

Product: AWS S3

Product Information: https://aws.amazon.com/s3/

 

Configuration

 

Setup in AWS S3

Complete these steps in the AWS Management Console.

 

Generate a New Access Key

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Users.

  3. Click Create Users.

  4. In the User name field, enter a user name.

  5. For AWS access type, select Programmatic access - with an access key.

  6. Click Next: Permissions.

  7. Select the Attach existing policies directly tab.

  8. Select AmazonS3ReadOnlyAccess and AmazonSQSFullAccess.
     Note: these managed policies grant read access to every bucket and sqs:* on every queue in the account. If your organization requires least privilege, attach instead an inline policy limited to the log bucket (s3:ListBucket, s3:GetObject) and the notification queue (sqs:ReceiveMessage, sqs:DeleteMessage, sqs:GetQueueAttributes), which are the operations the collector actually performs.

  9. Click Next: Tags.

  10. Click Next: Review.

  11. Click Create user.

  12. Click Download Credentials.

  13. Click on the Close button.

    The downloaded CSV file contains the Access Key ID and Secret Access Key that will be used in the FortiSIEM configuration. Store it securely: the console shows the Secret Access Key only at creation time.

 

Enable Event Notifications

  1. Open the Amazon S3 console at https://s3.console.aws.amazon.com/s3/

  2. Select your bucket.

  3. Click Properties.

  4. Click Event notifications > Create event notification.

    1. In the Event name field, enter an event name.

    2. In the Prefix field, enter the key prefix (folder path) under which the logs are written, if you want only those objects to generate notifications.

    3. Under Event types, select All object create events.

    4. For Destination, select SQS queue.

    5. Select your SQS queue.

    6. Click Save changes.

      For your configuration, make sure of the following.

      • The queue's access policy must allow the S3 service principal (s3.amazonaws.com) to call sqs:SendMessage on the queue, with your bucket ARN as the aws:SourceArn condition. Otherwise S3 cannot validate the destination and the notification is not saved.

      • Ensure that no other consumer reads from this SQS queue. Each message is delivered to one consumer and removed once processed, so a second consumer would take notifications away from FortiSIEM and events would be missed.

      • Make sure the Message retention period of the queue is set to 1 day.

      • Make sure the Default visibility timeout of the queue is set to 12 hours.
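The IAM and SQS steps above are console clicks. The following Python is an added example, not code from the FortiSIEM guide or from AWS: it produces the equivalent policy documents and queue attributes, scoped to one bucket and one queue rather than the account-wide managed policies, and includes the queue policy that lets S3 deliver notifications, which the console steps leave implicit. The account ID, region, bucket name and queue name are placeholders to replace with your own; nothing in it calls AWS, so it runs offline and the output can be pasted into the console or passed to the AWS CLI.

```python
import json

# Placeholder identifiers (assumed for this example; substitute your own).
ACCOUNT_ID = "111111111111"
REGION = "us-west-2"
BUCKET = "example-log-bucket"
QUEUE = "sqsforloadblancer"

VISIBILITY_TIMEOUT_SECONDS = 12 * 60 * 60  # 12 hours, as the guide requires
RETENTION_SECONDS = 24 * 60 * 60           # 1 day, as the guide requires


def queue_arn(account_id, region, queue):
    return f"arn:aws:sqs:{region}:{account_id}:{queue}"


def collector_identity_policy(bucket, q_arn):
    """Identity policy for the FortiSIEM IAM user, limited to the operations a
    poller performs: list/read one bucket, receive/delete from one queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadLogBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadLogObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            {"Sid": "ConsumeNotificationQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
             "Resource": q_arn},
        ],
    }


def s3_to_sqs_queue_policy(bucket, q_arn, account_id):
    """Resource policy on the queue letting the S3 service deliver event
    notifications. SourceArn/SourceAccount pin the grant to your bucket so a
    bucket in another account cannot inject messages into the collector."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3EventNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": q_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:::{bucket}"},
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def queue_attributes():
    """SQS attributes (in seconds) matching the two values the guide asks you to check."""
    return {"VisibilityTimeout": str(VISIBILITY_TIMEOUT_SECONDS),
            "MessageRetentionPeriod": str(RETENTION_SECONDS)}


def is_scoped(policy):
    """Audit check: reject any Allow statement on Resource '*' or with a
    wildcard action such as 'sqs:*' (which is what AmazonSQSFullAccess grants)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "*" in resources or any(a == "*" or a.endswith(":*") for a in actions):
            return False
    return True


if __name__ == "__main__":
    arn = queue_arn(ACCOUNT_ID, REGION, QUEUE)
    print(json.dumps(collector_identity_policy(BUCKET, arn), indent=2))
    print(json.dumps(s3_to_sqs_queue_policy(BUCKET, arn, ACCOUNT_ID), indent=2))
    print(queue_attributes())
```

The second policy is the piece that makes step 5 above succeed: S3 will not accept a queue as a destination unless the queue's own policy grants it sqs:SendMessage. `is_scoped` is the check to run against whatever policy you end up attaching to the collector user; the two managed policies named in the guide fail it because AmazonSQSFullAccess is sqs:* on Resource *.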


Setup in FortiSIEM

Set up a pulling job by taking the following steps.

  1. Login to FortiSIEM.

  2. Navigate to ADMIN > Device Support > Devices/Apps.

  3. Click New to create a new device type.

  4. In the Category drop-down list, select Device.

  5. In the Vendor field, enter the vendor name, e.g. "Amazon".

  6. In the Model field, enter the device model, e.g. "AWS S3".

  7. In the Version field, enter the device version.

  8. In the Device/App Group drop-down list, expand Devices, and select a value, e.g. "Generic".

  9. From the Access Protocol drop-down list, select AWS_S3_WITH_SQS.

  10. Click Save.

     

Create a new Access Method Credential by taking the following steps.

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Setting          Description
      Name             Enter a name for the credential.
      Device Type      Select the device type you created earlier.
      Access Protocol  AWS_S3_WITH_SQS
      Bucket           Enter the name of the S3 bucket that holds the logs.
      SQS Queue URL    Enter your SQS queue URL. You must enter the entire URL, for example: https://sqs.us-west-2.amazonaws.com/111111111111/sqsforloadblancer
      User Name        Enter the Access Key ID of the IAM user created earlier (from the downloaded CSV file).
                       Note: Make sure no other device uses this credential. Otherwise, events may be missed for this device.
      Password         Enter the Secret Access Key that belongs to the Access Key ID.
      Description      Description of the device.
  3. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to verify that FortiSIEM can reach the bucket and the queue with this credential.
  5. Navigate to ADMIN > Setup > Pull Events to see the new job.

    Events can be queried from the ANALYTICS page.

Forwarding Logs to S3

Any AWS or third-party service that can write its logs to an S3 bucket can feed FortiSIEM through this integration; AWS Elastic Load Balancing and Cisco Umbrella are two examples. You can also upload log files to the bucket manually.

 

Forward ELB Access Logs to AWS S3

Please refer to “Setup in AWS” at https://docs.fortinet.com/document/fortisiem/6.5.0/external-systems-configuration-guide/470868/aws-elastic-load-balancer#AWS

 

Forward Cisco Umbrella Log to AWS S3

Please refer to https://docs.umbrella.com/deployment-umbrella/docs/setting-up-an-amazon-s3-bucket.

 

Upload Log File to AWS S3

Take the following steps.

  1. Open the Amazon S3 console at https://s3.console.aws.amazon.com/s3/.

  2. Select your bucket.

  3. Click Upload and then click Add files.

  4. Select log files and click Upload.
    Note: The log files in S3 must be plain text (.txt) or gzip-compressed plain text (.txt.gz).

Sample Events

Logs from AWS ELB

AWS_S3_LOG_KEYWORD_1:phCustId=1,reptDevIpAddr=192.0.2.20,reptDevName=amazon.com,msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 192.0.2.108:46938 - -1 -1 -1 503 - 500 337 "POST http://192.0.2.144:80/form/admin/formLogin HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" - - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 "Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"

 

Logs from AWS Cloudtrail

AWS_S3_LOG_KEYWORD_1:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,msg= {"Records":[{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDAZCQTSWSKVN6P266F6","arn":"arn:aws:iam::623885071509:user/dusan","accountId":"623885071509","accessKeyId":"ASIAZCQTSWSKZ5NL34OB","userName":"dusan","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"false","creationDate":"2019-09-05T09:05:25Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2019-09-05T11:16:21Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions20150331","awsRegion":"us-west-1","sourceIPAddress":"85.241.114.212","userAgent":"signin.amazonaws.com","requestParameters":null,"responseElements":null,"requestID":"26057495-d109-4366-9961-77955807e508","eventID":"321c137a-8999-48a3-89f6-7168e4107ecb","eventType":"AwsApiCall","recipientAccountId":"623885071509"}]}
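As an added example (not FortiSIEM's parser or any code from the guide), the following Python takes the two sample events above, strips the AWS_S3_LOG_KEYWORD_1 wrapper, and parses what is inside msg=: the ALB access log line by the documented Application Load Balancer field order, and the CloudTrail document as JSON. It then applies two checks an analyst would reasonably write over this data: an ELB 5xx that no target answered, and a console API call made in a session without MFA (the CloudTrail sample carries mfaAuthenticated false). The two sample lines are copied from this page; the wrapper regex, the field names and both checks are this example's own design.

```python
import json
import re
import shlex

# Wrapper FortiSIEM puts around each pulled object: TYPE:k=v,k=v,...,msg=<payload>
WRAPPER_RE = re.compile(
    r"^(?P<event_type>[^:]+):(?P<attrs>(?:\w+=[^,]*,)*?)msg=\s*(?P<msg>.*)$", re.S)

# Documented Application Load Balancer access log layout, in order (29 fields).
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_reason", "error_reason",
    "target_port_list", "target_status_code_list", "classification",
    "classification_reason",
]

# The two sample events from this page, copied verbatim.
SAMPLE_ELB = 'AWS_S3_LOG_KEYWORD_1:phCustId=1,reptDevIpAddr=192.0.2.20,reptDevName=amazon.com,msg=http 2021-02-11T01:56:06.000372Z app/shashi-elb/061d492a88a60fb1 192.0.2.108:46938 - -1 -1 -1 503 - 500 337 "POST http://192.0.2.144:80/form/admin/formLogin HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" - - arn:aws:elasticloadbalancing:us-west-2:623885071509:targetgroup/shashi-tg/974fbb8764192573 "Root=1-60248eb5-01950dcf187ac3c244ab2231" "-" "-" 0 2021-02-11T01:56:05.999000Z "forward" "-" "-" "-" "-" "-" "-"'
SAMPLE_CLOUDTRAIL = 'AWS_S3_LOG_KEYWORD_1:phCustId=1,reptDevIpAddr=10.10.103.205,reptDevName=amazon.com,msg= {"Records":[{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDAZCQTSWSKVN6P266F6","arn":"arn:aws:iam::623885071509:user/dusan","accountId":"623885071509","accessKeyId":"ASIAZCQTSWSKZ5NL34OB","userName":"dusan","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"false","creationDate":"2019-09-05T09:05:25Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2019-09-05T11:16:21Z","eventSource":"lambda.amazonaws.com","eventName":"ListFunctions20150331","awsRegion":"us-west-1","sourceIPAddress":"85.241.114.212","userAgent":"signin.amazonaws.com","requestParameters":null,"responseElements":null,"requestID":"26057495-d109-4366-9961-77955807e508","eventID":"321c137a-8999-48a3-89f6-7168e4107ecb","eventType":"AwsApiCall","recipientAccountId":"623885071509"}]}'


def parse_wrapper(line):
    """Split the wrapper into its header attributes and the raw payload."""
    m = WRAPPER_RE.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM AWS_S3 wrapper line")
    attrs = dict(kv.split("=", 1) for kv in m["attrs"].split(",") if kv)
    return {"event_type": m["event_type"], **attrs, "msg": m["msg"]}


def parse_alb_line(msg):
    """Tokenize an ALB access log line; shlex keeps the double-quoted fields
    (request, user_agent, trace_id, ...) together and strips the quotes."""
    return dict(zip(ALB_FIELDS, shlex.split(msg)))


def alb_findings(rec):
    """A 5xx with no target and -1 processing times was answered by the load
    balancer itself: no healthy target, or the request never reached one."""
    findings = []
    if rec["elb_status_code"].startswith("5") and rec["target_port"] == "-":
        findings.append(f"{rec['elb_status_code']} from {rec['elb']} with no target selected")
    return findings


def cloudtrail_findings(msg):
    """Flag console-originated API calls made in a session without MFA."""
    findings = []
    for ev in json.loads(msg)["Records"]:
        ident = ev.get("userIdentity", {})
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        via_console = "signin.amazonaws.com" in (ev.get("userAgent"), ident.get("invokedBy"))
        if via_console and attrs.get("mfaAuthenticated") == "false":
            findings.append(
                f"console session without MFA: {ident.get('arn')} called "
                f"{ev.get('eventSource')}:{ev.get('eventName')} from {ev.get('sourceIPAddress')}")
    return findings


def analyse(line):
    """Dispatch on payload shape: a JSON document is CloudTrail, anything else
    is treated as an ALB access log line."""
    w = parse_wrapper(line)
    if w["msg"].startswith("{"):
        return {"source": "cloudtrail", "reporter": w["reptDevIpAddr"],
                "findings": cloudtrail_findings(w["msg"])}
    rec = parse_alb_line(w["msg"])
    return {"source": "alb", "reporter": w["reptDevIpAddr"], "record": rec,
            "findings": alb_findings(rec)}


if __name__ == "__main__":
    for sample in (SAMPLE_ELB, SAMPLE_CLOUDTRAIL):
        result = analyse(sample)
        print(result["source"], result["reporter"], result["findings"])
```

Run it directly to print the findings for both samples. Because `zip` stops at the shorter sequence, ALB lines written before the later fields (domain_name onward) were introduced still parse, with those keys simply absent; code that relies on them should use `rec.get(...)`.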
