Push Route53 logs to Cortex - Githubissues

ministryofjustice / cloud-platform

Documentation on the MoJ cloud platform

MIT License

87 stars 44 forks source link

Push Route53 logs to Cortex #5610

Closed davidkelliott closed 4 months ago

davidkelliott commented 6 months ago

Background

The SOC (Security Operations Center) are collating logs around the MoJ into a security tool by Palo Alto called Cortex XIAM https://www.paloaltonetworks.com/cortex/cortex-xsiam

By pushing our logs to SOC they will actively monitor and raise potential threats with us

Approach

Work with Leonardo Marini to integrate with Cortex. Modernisation Platform has done this already so there may be some reusable code - https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-vpc/firehose.tf

Route53: Ingest Network Route 53 Logs from Amazon S3

Which part of the user docs does this impact

Security monitoring

Communicate changes

No communication changes needed

[ ] post for #cloud-platform-update
[ ] Weeknotes item
[ ] Show the Thing/P&A All Hands/User CoP
[ ] Announcements channel

Questions / Assumptions

Definition of done

[ ] CP Route53 logs integrated
[ ] readme has been updated
[ ] user docs have been updated
[ ] another team member has reviewed
[ ] smoke tests are green
[ ] prepare demo for the team

Reference

How to write good user stories

sj-williams commented 4 months ago

Based on docs, required steps are as follows:

S3 Bucket for receiving Route53 log
SQS and perms set up
Route53 Resolver with query logging config: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config

sj-williams commented 4 months ago

Confirmed with Leonardo that Route53 logs are being ingested in Cortex.