digitc1 / AWSLandingZone

Repository for AWSLandingZone module developed by DIGIT.C.1
Apache License 2.0

Trusted Advisor logs should be sent to the SOC via Splunk #29

Open neisije opened 4 years ago

neisije commented 4 years ago

Check where the logs generated by TA are stored today and send these logs to the SOC

neisije commented 4 years ago

Can be done by defining a new CloudWatch Events rule:

CloudWatch Events: choose Create rule, and then under Event Source, for Service Name, choose Trusted Advisor. Specify status values: ... Specify Trusted Advisor checks: ...

neisije commented 4 years ago

Example of a CloudFormation template:

AWSTemplateFormatVersion: 2010-09-09

#   --------------------------------------------------------
#   Version History
#
#   --------------------------------------------------------

Description: >-
  v1.0. Script to send trustedadvisor findings to cloudwatch logs

Parameters:
  LogsRetentionInDays:
    Description: 'Specifies the number of days you want to retain Trusted Advisor events in CloudWatch Logs.'
    Type: Number
    Default: 90
    AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
  # Named ...Name so it does not collide with the TrustedAdvisorLogGroup resource below:
  # logical IDs must be unique across Parameters and Resources in one template.
  TrustedAdvisorLogGroupName:
    Type: String
    Default: /aws/trustedadvisor
    Description: CloudWatch LogGroup name for Trusted Advisor cloudwatch events
  FirehoseDestinationArn:
    Type: String
    Default: ""
    Description: The ARN of the log destination stream aggregating the logs in the DIGIT C2 Log Aggregation Central Account
  SecLogMasterAccountId:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /org/member/SecLogMasterAccountId
    Description: "Contains account id of SecLogMaster"
  EnableSecLogIntegrationForTrustedAdvisorParam:
    Type: String
    Description: "Enable SecLog integration for Trusted Advisor?"
    Default: 'true'
    AllowedValues:
    - 'true'
    - 'false'

Conditions:
  IsSecLogMasterAccount: !Equals
    - !Ref AWS::AccountId
    - !Ref SecLogMasterAccountId

  IsSecLogMasterAccountWithSOCIntegration: !And
  - !Equals
    - !Ref AWS::AccountId
    - !Ref SecLogMasterAccountId
  - !Equals
    - !Ref EnableSecLogIntegrationForTrustedAdvisorParam
    - 'true'

Resources:
  # Log group that receives the Trusted Advisor events (only in the SecLog master account)
  TrustedAdvisorLogGroup:
    Type: AWS::Logs::LogGroup
    Condition: IsSecLogMasterAccount
    Properties:
      LogGroupName: !Ref TrustedAdvisorLogGroupName
      RetentionInDays: !Ref LogsRetentionInDays

  # CloudWatch Event rule - forwards every event from the Trusted Advisor source to the log group.
  # Note: delivering events to a log group also requires a CloudWatch Logs resource policy that
  # allows events.amazonaws.com to call logs:CreateLogStream and logs:PutLogEvents on the group.
  TrustedAdvisorEvents:
    Type: AWS::Events::Rule
    Condition: IsSecLogMasterAccount
    Properties:
      Name: SECLZ-TrustedAdvisor-Event
      Description: "TrustedAdvisor Event Handler"
      EventPattern:
        source:
        - aws.trustedadvisor
      State: ENABLED
      Targets:
        - Arn: !GetAtt TrustedAdvisorLogGroup.Arn
          Id: "TrustedAdvisorCloudWatch-Seclog"

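To see which Trusted Advisor events the rule above would actually forward once it is narrowed by status (as the earlier "Specify status values" comment suggests), here is an added example, not code from the issue or the AWSLandingZone repo: a minimal re-implementation of CloudWatch Events pattern matching run against a constructed Trusted Advisor event. The event field names (`detail-type`, `detail.status`, `detail.check-name`) are an assumption about the "Trusted Advisor Check Item Refresh Notification" shape.

```python
from typing import Any

# Constructed sample event (not taken from the issue); assumed Trusted Advisor field names.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Trusted Advisor Check Item Refresh Notification",
    "source": "aws.trustedadvisor",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "check-name": "Security Groups - Unrestricted Access",
        "status": "ERROR",
        "resource_id": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123456789abcdef0",
    },
}

# The template's pattern (source: aws.trustedadvisor), narrowed so only WARN/ERROR
# findings reach the SOC log group instead of every refresh notification.
SOC_PATTERN = {
    "source": ["aws.trustedadvisor"],
    "detail-type": [{"prefix": "Trusted Advisor"}],
    "detail": {"status": ["ERROR", "WARN"]},
}


def _value_matches(candidate: Any, actual: Any) -> bool:
    """One list entry: an exact literal, or a {"prefix": ...} matcher on strings."""
    if isinstance(candidate, dict) and "prefix" in candidate:
        return isinstance(actual, str) and actual.startswith(candidate["prefix"])
    return candidate == actual


def matches(pattern: dict, event: dict) -> bool:
    """CloudWatch Events / EventBridge semantics: every key in the pattern must exist
    in the event; a list means 'event value equals one of these'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if not any(_value_matches(c, actual) for c in expected):
                return False
        else:
            raise ValueError("pattern leaf values must be lists (EventBridge requires it)")
    return True
```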
neisije commented 4 years ago

Implementation on the seclog and linked accounts

silavjy commented 4 years ago

Security-wise, it shows the same information as Security Hub/CloudWatch.

It may not be worth implementing this ticket (although S2 can review the scope and value of this new feature).