AWS, Cloud Computing, Cyber Security

4 Mins Read

Configuring SIEM Using Amazon OpenSearch Service

  • By Anil Reddy
  • May 30, 2022

Voiced by Amazon Polly

1. Introduction

SIEM using Amazon OpenSearch Service (successor of SIEM using Amazon Elasticsearch Service) is an answer for collecting various types of logs from different AWS accounts, associating, and envisioning the logs to help investigate security incidents. Deployment can be easily done with the help of the AWS Cloud Formation template which is readily available.

When AWS services logs are put into a specified Amazon Simple Storage Service (Amazon S3) bucket, the AWS Lambda function which is triggered while deploying automatically loads those logs into SIEM on OpenSearch Service, making users view various visualized logs for different AWS services ln the dashboard and check multiple logs to investigate various security incidents.

2. Supported AWS Services Log Types

SIEM on OpenSearch Service can support the following log types.

Security, Identity, & Compliance:

Amazon OpenSearch Service

Management & Governance:

Amazon OpenSearch Service

Networking & Content Delivery:

Amazon OpenSearch Service

Storage:

Amazon OpenSearch Service

Database:

Amazon OpenSearch Service

Analytics:

Amazon OpenSearch Service

Compute:

Amazon OpenSearch Service

Containers:

Amazon OpenSearch Service

3. ARCHITECTURE DIAGRAM:

Amazon OpenSearch Service

4. Step by Step Guide to setup SIEM using AWS OpenSearch Service and Cloud Formation Template:

Step 1: Verify IAM user has the right access to AWS cloud formation policies:

Take necessary permissions from the administrator for AWS cloud formation policies

Step 2: Search for Cloud formation in the search bar:

Amazon OpenSearch Service

Step 3: Click on Create Stack :

  • Select the Template is ready and Template source as Amazon S3 URL then Copy the below URL and edit with the specific region where SIEM needs to create and click on next

https://aes-siem-.s3.amazonaws.com/siem-on-amazon-opensearch-service.template

Amazon OpenSearch Service

  • In stack details enter the Stack name and enter the sns email id if required
  • On configure, Stack options select the role to create a stack or leave it blank for AWS managed role creation
    Amazon OpenSearch Service
  • Click on next and review and click on Create Stack
    Amazon OpenSearch Service
    Amazon OpenSearch Service

Step 4: Check Status of Stack

The stack will be created it will take 20 minutes time wait till you get the status as created successfully

Amazon OpenSearch Service

After Stack is created Successfully click on Outputs and copy the URL, User ID, and password

Amazon OpenSearch Service

Amazon OpenSearch Service

Step 5: Search for OpenSearch Service in the search bar and click on it:

Amazon OpenSearch Service

Click on Domains in the left panel and select the domain created as your stack

Amazon OpenSearch Service

Then scroll down and select the configurations and scroll down to access policy and add your IP address and save the changes. If the IP address of your system IP or office IP address is not added Open search dashboard will not open

Amazon OpenSearch Service

Amazon OpenSearch Service

Step 6: Log in to OpenSearch Dashboard:

Open the URL of the OpenSearch dashboard on the new tab which you have collected from CloudFormation stacks output then input the ID and password

Amazon OpenSearch Service

  • Select the Global as Tenant and click on Confirm
    Amazon OpenSearch Service
  • The OpenSearch dashboard will open for SIEM
    Amazon OpenSearch Service

5. Conclusion:

In the next blog, we will see how to put the logs of different services to AWS SIEM logs S3 bucket and visualize the required Dashboards and we will know what all Resources created by this CloudFormation Template.

About CloudThat

CloudThat is the official AWS Advanced Consulting Partner, Microsoft Gold Partner, and Google Cloud Partner, helping people develop knowledge on the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Feel free to drop a comment or any queries that you have regarding Amazon OpenSearch Service, SIEM Configuration, or any consulting requirements and we will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package that is CloudThat’s offerings.

FAQs

1. What are the limitations of the SIEM open-source tool?

ANS: – While SIEM tools add value to a business, there are many drawbacks. The first-generation SIEM tools were expensive and lacked ready integrations and advanced intelligence capabilities. Modern cloud-based SIEM tools have overcome this drawback and handle data growth. Companies that adopt SIEM applications in highly regulated environments that handle sensitive data, need to meet compliance programs.

2. What is the full form of SIEM?

ANS: – SIEM is Security Information and Event Management. It is a system that provides real-time analysis of security alerts by applications and network hardware.

WRITTEN BY Anil Reddy

Share

Comments

  • Matt Yang

    Jul 26, 2022

    Reply

    I’m looking for a business partner for AWS Taiwan who already have packaged SIEM solution on top of Amazon OpenSearch Service.

  • Anusha Shanbhag

    Jul 26, 2022

    Reply

    Thanks for your query, Mr. Yang. CloudThat’s Business Development team will get in touch with you for this requirement.

  • Click to Comment

    Get The Most Out Of Us

    Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!