Amazon Web Services (AWS)

Version: Amazon Web Services (AWS).

Amazon Web Services (AWS) is a collection of remote computing services (also called web services) that together make up a cloud computing platform, offered over the internet by Amazon.com. Netsurion Open XDR monitors events from AWS using CloudTrail. This is achieved by creating the necessary reports, alerts, and dashboards. Reports contain a detailed overview of activities such as login/logout, login failed, network interface activity, bucket activity, security group activity, and user management activities.

Alerts are triggered when a critical security event is detected, such as login failed, user deleted, or network interface deleted. The dashboard provides a visual representation of all the CloudTrail events in a categorized view, using graph, tabular, map, and meter-gauge patterns. Once events are received by Netsurion Open XDR, the Reports, Knowledge Objects, Categories, and Dashboards can be configured in Netsurion Open XDR.

Netsurion Open XDR monitors Amazon Web Services events from services such as Amazon EC2 and Amazon VPC, grouped as follows:

  • Security – Login failed, Network interface deleted, User removed, Security group activity
  • Compliance – Policy activity, User-Management activity
  • Operation – Login success, Bucket-Object activity, Network Interface created

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

| Type | Name | Description |
|---|---|---|
| Security | AWS – Network Interface Deleted | This alert will be triggered if there is any activity related to VPC network interface deletion. |
| Security | AWS – S3 User Deleted | This alert will be triggered if a user gets deleted. |
| Compliance | AWS – CIS Control AWS Config configuration changed | This alert will be triggered when the configuration of AWS Config is changed. Monitoring these changes will help ensure sustained visibility of configuration items within the AWS account. |
| Compliance | AWS – CIS Control AWS Management Console authentication failures | This alert will be triggered in the event of any failed or unauthorized login attempt to the AWS Management Console. |
| Compliance | AWS – CIS Control changes to Network Access Control Lists (NACL) detected | This alert will be triggered when a change to a Network Access Control List is detected. Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed. |
| Compliance | AWS – CIS Control Changes to network gateways detected | This alert will be triggered when a change to a network gateway is detected. Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path. |
| Compliance | AWS – CIS Control CloudTrail configuration changed | This alert will be triggered when the CloudTrail configuration is changed. Monitoring changes to CloudTrail’s configuration will help ensure sustained visibility into activities performed in the AWS account. |
| Compliance | AWS – CIS Control Disabling or scheduled deletion of customer created CMKs | This alert will be triggered when a customer created CMK is disabled or scheduled for deletion. Data encrypted with a disabled or deleted key is no longer accessible, so monitoring these events will help ensure that keys are not retired unintentionally. |
| Compliance | AWS – CIS Control IAM policy changed | This alert will be triggered when an IAM policy is changed. Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact. |
| Compliance | AWS – CIS Control Management Console signed-in without MFA | This alert will be triggered when a user signs in without MFA. Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA. |
| Compliance | AWS – CIS Control Route table changed | This alert will be triggered when a route table is changed. Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path. |
| Compliance | AWS – CIS Control S3 bucket policy changed | This alert will be triggered when an S3 bucket policy is changed. Monitoring changes to S3 bucket policies may reduce the time to detect and correct permissive policies on sensitive S3 buckets. |
| Compliance | AWS – CIS Control Security group changed | This alert will be triggered when a security group is changed. Monitoring changes to security groups will help ensure that resources and services are not unintentionally exposed. |
| Compliance | AWS – CIS Control Unauthorized API calls | This alert is triggered when unauthorized API calls are detected. Monitoring unauthorized API calls will help reveal application errors and may reduce the time to detect malicious activity. |
| Compliance | AWS – CIS Control Usage of root account detected | This alert will be triggered when root account usage is detected. Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce its use. |
| Compliance | AWS – CIS Control VPC configuration changed | This alert will be triggered when a VPC is changed. Monitoring changes to VPCs will help ensure that VPC traffic flow is not unintentionally affected. |

Reports

| Type | Name | Description |
|---|---|---|
| Security | AWS – Login Failed Activity | This report will generate a detailed view of failed or unauthorized logins to the AWS Management Console. |
| Security | AWS – Security Group Activity | This report will generate a detailed view of the activities related to security groups, i.e. CreateSecurityGroup, AuthorizeSecurityGroupIngress, DeleteSecurityGroup, etc. |
| Operations | AWS – Login Success Activity | This report will generate a detailed view of successful user logins or authentications to the AWS Management Console. |
| Operations | AWS – Network Interface Activity | This report will generate a detailed view of the activity related to network interface create, delete, reset, modify, detach, attach, etc. |
| Operations | AWS – Bucket Level Activity | This report will generate a detailed view of the activities related to Amazon S3 buckets. This includes CreateBucket, PutBucketPolicy, ListBuckets, etc. |
| Compliance | AWS – Policy Activity | This report will generate a detailed view of the activities related to policies, i.e. AttachUserPolicy, GetPolicy, DetachRolePolicy, CreatePolicy, etc. |
| Compliance | AWS – User Management Activity | This report will generate a detailed view of the activities related to user or group create, delete, add, remove, etc. |
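The alerts and reports above are all derived from fields in CloudTrail records. The following Python script is an added illustration of that mapping and is not Netsurion code: it parses a CloudTrail log file (the `{"Records": [...]}` shape CloudTrail writes to S3) and tags each record with the alert names from the tables above (spelled in plain ASCII, without the "AWS – CIS Control" prefix). The field names (`eventName`, `eventSource`, `userIdentity`, `errorCode`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are standard CloudTrail fields, and the event-name lists follow the CIS AWS Foundations Benchmark metric filters, reduced to a representative subset rather than the full lists. The sample records are constructed, with placeholder account IDs and event IDs.

```python
"""Map CloudTrail records to the alert categories listed in the tables above.

Added example, not Netsurion code. Event-name lists are a subset of the CIS
AWS Foundations Benchmark metric filters; SAMPLE_LOG is constructed.
"""
import json

# Alert name (ASCII form of the page's name) -> CloudTrail eventName values that raise it.
EVENT_NAME_ALERTS = {
    "AWS Config configuration changed": {
        "PutConfigurationRecorder", "StopConfigurationRecorder", "DeleteDeliveryChannel"},
    "changes to Network Access Control Lists (NACL) detected": {
        "CreateNetworkAclEntry", "DeleteNetworkAclEntry", "ReplaceNetworkAclEntry"},
    "Changes to network gateways detected": {
        "AttachInternetGateway", "DeleteInternetGateway", "CreateCustomerGateway"},
    "CloudTrail configuration changed": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "IAM policy changed": {"PutUserPolicy", "AttachRolePolicy", "DeletePolicy", "CreatePolicyVersion"},
    "Route table changed": {"CreateRoute", "ReplaceRoute", "DeleteRouteTable"},
    "S3 bucket policy changed": {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl"},
    "Security group changed": {
        "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress",
        "CreateSecurityGroup", "DeleteSecurityGroup"},
    "VPC configuration changed": {"CreateVpc", "DeleteVpc", "ModifyVpcAttribute"},
    "Network Interface Deleted": {"DeleteNetworkInterface"},
    "S3 User Deleted": {"DeleteUser"},
}


def classify(record: dict) -> list:
    """Return the alert names a single CloudTrail record would raise."""
    alerts = []
    name = record.get("eventName", "")
    identity = record.get("userIdentity") or {}
    error_code = record.get("errorCode") or ""

    # Unauthorized API calls: a denied call is an ordinary event carrying an errorCode.
    if error_code.endswith("UnauthorizedOperation") or error_code.startswith("AccessDenied"):
        alerts.append("Unauthorized API calls")

    if name == "ConsoleLogin":
        failed = ((record.get("responseElements") or {}).get("ConsoleLogin") == "Failure"
                  or record.get("errorMessage") == "Failed authentication")
        if failed:
            alerts.append("Management Console authentication failures")
        elif (record.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            alerts.append("Management Console signed-in without MFA")

    # Root usage, excluding calls that AWS services make on root's behalf.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent"):
        alerts.append("Usage of root account detected")

    # KMS key disabled or scheduled for deletion.
    if record.get("eventSource") == "kms.amazonaws.com" and name in {"DisableKey", "ScheduleKeyDeletion"}:
        alerts.append("Disabling or scheduled deletion of customer created CMKs")

    for alert, names in EVENT_NAME_ALERTS.items():
        if name in names:
            alerts.append(alert)
    return alerts


def triage(log_text: str) -> dict:
    """Parse a CloudTrail log file ({"Records": [...]}) and map eventID -> alert names."""
    return {r["eventID"]: classify(r) for r in json.loads(log_text)["Records"]}


# Constructed records in CloudTrail log-file shape (account IDs, ARNs and event IDs are placeholders).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventID": "e2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "errorCode": "AccessDenied"},
    {"eventID": "e4", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e5", "eventName": "DeleteNetworkInterface", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ops/x"}},
    {"eventID": "e6", "eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventID": "e7", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

if __name__ == "__main__":
    for event_id, alerts in triage(SAMPLE_LOG).items():
        print(event_id, alerts or "(no alert)")
```

Two details matter when turning these tables into detection logic. A single record can raise more than one alert (record `e2` is both a root-account sign-in and a console sign-in without MFA), so the classifier returns a list rather than a single label. And "Unauthorized API calls" is not keyed on `eventName` at all: the denied call appears as a normal event whose `errorCode` is `AccessDenied` or `UnauthorizedOperation`, which is why a report of successful activity only (such as the Bucket Level Activity report) would never surface it.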

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and Amazon Web Services.

Download Integration Guide and How-to Guide for configuration instructions and more information.