Open davidkelliott opened 6 months ago
DONE:
- yaml manifest

TO DOS:
- [x] Configure Gatekeeper for XDR capabilities https://github.com/ministryofjustice/cloud-platform-terraform-gatekeeper/compare/cortex-xdr?expand=1
- [x] Create Helm chart / module https://github.com/ministryofjustice/cloud-platform-terraform-cortex-xdr
- [x] Review all capabilities that are required - does the deployment need them all just to run? These are static configurations within the Helm chart, all required to run an agent: https://github.com/PaloAltoNetworks/cortex-helm/blob/master/charts/cortex-agent/templates/daemonset.yaml#L69
- [ ] Review resource usage
- [x] Where would this live within cluster infra? Dependencies etc.
  - For the time being the deployment is set up to run out of the components layer - we have two input values that we can't have in source control, so we're using the existing mechanism we have for other components here.
- [ ] Simulate a detection? EICAR test? Not possible at this time with the current policy setup on the tenant side. We can ask again if SOC is willing to test different policies and let us execute some tests.
Testing infra branch for deployment https://github.com/ministryofjustice/cloud-platform-infrastructure/compare/cortex-xdr?expand=1
Background
The SOC (Security Operations Center) are collating logs from around the MoJ into a security tool by Palo Alto called Cortex XSIAM https://www.paloaltonetworks.com/cortex/cortex-xsiam
By pushing our logs to SOC they will actively monitor and raise potential threats with us
Approach
Work with Leonardo Marini to integrate with Cortex.
There is an agent which can be installed - Install the Cortex XDR Agent for Kubernetes Hosts
However, this is potentially a considerable change to our critical system components and cluster administration. It might be preferable if we could ship existing logs from their current location(s) and push them to Cortex in a similar manner to how we are shipping VPC flow logs, R53 etc.

1) Test installation of the XDR agent on a test cluster using Palo Alto deployment charts
2) Verify permissions / level of access required
3) Verify what data is collected by this daemonset. EC2? K8s logs? Both?
4) Write up any questions / concerns to further discuss with the SOC team.
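Steps 2 and 3 above, and the "review all capabilities that are required" item in the TO DO list, come down to reading the agent's DaemonSet and listing what host access it asks for. The script below is an added example written for this issue; it is not code from the Cortex Helm chart, Gatekeeper or the cloud-platform repos. The manifest it audits is a constructed sample (the capability names, `hostPID` setting and hostPath mounts are illustrative, not the real chart's values), and `APPROVED_CAPS` is a hypothetical allowlist standing in for whatever the Gatekeeper constraint ends up permitting. The same function can be pointed at the real rendered chart by loading the YAML into a dict first.

```python
"""Audit the host-level access a DaemonSet manifest requests.

Added example for the Cortex XDR review; not code from the issue, the Cortex
Helm chart or Gatekeeper. Works on the manifest as a plain dict so it needs no
YAML library; `yaml.safe_load(...)` output has the same shape.
"""
from dataclasses import dataclass

# Hypothetical allowlist: capabilities an operator has pre-approved for a
# host security agent. Anything else is flagged for discussion with SOC.
APPROVED_CAPS = {"SYS_PTRACE", "NET_ADMIN", "DAC_READ_SEARCH"}


@dataclass
class Finding:
    scope: str   # container name, or "<pod>" for pod-level settings
    issue: str


@dataclass
class AuditReport:
    capabilities: dict  # container name -> sorted list of added capabilities
    findings: list      # list[Finding], empty when nothing needs a decision


def audit_daemonset(manifest: dict, approved=APPROVED_CAPS) -> AuditReport:
    """Return the capabilities each container adds plus anything that widens
    access beyond a plain unprivileged pod (host namespaces, privileged mode,
    capabilities outside the allowlist, hostPath mounts)."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    caps_by_container = {}

    # Pod-level host namespace sharing: each one exposes the node to the agent.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if pod.get(flag):
            findings.append(Finding("<pod>", f"{flag} enabled"))

    for container in pod.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext", {})
        added = sorted(sc.get("capabilities", {}).get("add", []))
        caps_by_container[name] = added
        if sc.get("privileged"):
            findings.append(Finding(name, "privileged container (all capabilities)"))
        for cap in added:
            if cap not in approved:
                findings.append(Finding(name, f"capability {cap} not in allowlist"))

    # hostPath volumes give the agent direct node filesystem access.
    for volume in pod.get("volumes", []):
        host_path = volume.get("hostPath")
        if host_path:
            findings.append(Finding("<pod>", f"hostPath mount {host_path['path']}"))

    return AuditReport(caps_by_container, findings)


# Constructed sample manifest: shaped like an agent DaemonSet, values invented.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "example-agent", "namespace": "example-ns"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "hostNetwork": False,
        "containers": [{
            "name": "agent",
            "image": "registry.example/agent:placeholder",
            "securityContext": {
                "privileged": False,
                "capabilities": {"add": ["SYS_PTRACE", "NET_ADMIN", "SYS_ADMIN", "SYS_MODULE"]},
            },
        }],
        "volumes": [
            {"name": "host-root", "hostPath": {"path": "/"}},
            {"name": "varlog", "hostPath": {"path": "/var/log"}},
        ],
    }}},
}


def format_report(report: AuditReport) -> str:
    """Human-readable summary, one line per finding, for pasting into the issue."""
    lines = [f"{name}: adds {', '.join(caps) or 'no'} capabilities"
             for name, caps in report.capabilities.items()]
    lines += [f"[{f.scope}] {f.issue}" for f in report.findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_daemonset(SAMPLE_DAEMONSET)))
```

Running it on the sample lists the four added capabilities and five findings (hostPID, two capabilities outside the allowlist, two hostPath mounts), which is the kind of list step 4 asks us to write up for SOC; whether each item is justified for the agent to function is the question the "review all capabilities" item leaves open.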
Which part of the user docs does this impact
Security monitoring
Communicate changes
No communication changes needed
Questions / Assumptions
Definition of done
Reference
How to write good user stories