From e326cd03d1f59e9d6a2930b9629e9e89e8a3cc02 Mon Sep 17 00:00:00 2001 From: Ky Date: Fri, 28 Jun 2024 13:47:16 +0100 Subject: [PATCH 1/2] :memo:updating logs to cortex runbook --- .../logs-to-soc-cortex-xsiam.html.md.erb | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb index e6e5b9ab..a39d534c 100644 --- a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb +++ b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb @@ -11,10 +11,10 @@ Cloud Platform logs from various sources are being pushed to the SOC team's secu We are currently pushing the following logs: 1. Cloudtrail logs +2. `live-1` VPC FlowLogs We are planning to push the following logs in the coming sprints. [Epic found here]. -2. `live-1` VPC FlowLogs 3. Route 53 logs 4. EKS logs @@ -22,19 +22,26 @@ We are planning to push the following logs in the coming sprints. [Epic found he ### Architecture We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest logs from Cloudtrail]. -Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to accesse the SQS queue and recieves all the log messages. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository. +Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to access the SQS queue and recieves these messages. Cortex XSIAM then uses the references in these messages to retrieve the logs from the S3 bucket. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository. -### IAM User access keys rotation -We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. [Suggestion and issue] for this has been raised. +## 2. `live-1` VPC FlowLogs +### Architecture +We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest VPC flowlogs from S3]. + +This implementation follows the same architectural pattern as pushing CloudTrail logs above. VPC flowlogs are written to a S3 bucket and triggers event notifications to an SQS queue. Cortex XSIAM then uses the references in these messages to retrieve the logs from the S3 bucket. The same IAM user access keys are used here. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository. -## 2. VPC FlowLogs -To be implemented ## 3. Route53 logs To be implemented ## 4. EKS logs To be implemented + +## Todo +### IAM User access keys rotation +We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. [Suggestion and issue] for this has been raised. + [Cortex XSIAM to injest logs from Cloudtrail]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Audit-Logs-from-AWS-Cloud-Trail +[Cortex XSIAM to injest VPC flowlogs from S3]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Network-Flow-Logs-from-Amazon-S3 [Epic found here]: https://github.com/ministryofjustice/cloud-platform/milestone/35 [cloud-platform-terraform-infrastructure]: https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/sqs.tf [Suggestion and issue]: https://github.com/ministryofjustice/cloud-platform/issues/5724 From 7693d557d19b273ddcb22594c8b5736a0cac6865 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 28 Jun 2024 12:49:30 +0000 Subject: [PATCH 2/2] Commit changes made by code formatters --- runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb index a39d534c..2970f91f 100644 --- a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb +++ b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb @@ -35,7 +35,6 @@ To be implemented ## 4. EKS logs To be implemented - ## Todo ### IAM User access keys rotation We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. [Suggestion and issue] for this has been raised.