SIEM on Amazon OpenSearch Service (the successor of SIEM on Amazon Elasticsearch Service) is a solution for collecting various types of logs from different AWS accounts, correlating them, and visualizing them to help investigate security incidents. Deployment is straightforward with the readily available AWS CloudFormation template.
When AWS service logs are put into a specified Amazon Simple Storage Service (Amazon S3) bucket, the AWS Lambda function created during deployment automatically loads those logs into SIEM on OpenSearch Service, so users can view visualized logs for the different AWS services in the dashboard and cross-check multiple logs while investigating security incidents.
2. Supported AWS Service Log Types
SIEM on OpenSearch Service supports the following log types.
Security, Identity, & Compliance:
Management & Governance:
Networking & Content Delivery:
4. Step-by-Step Guide to Set Up SIEM Using Amazon OpenSearch Service and the CloudFormation Template:
Step 1: Verify that the IAM user has the right access to AWS CloudFormation:
Request the necessary AWS CloudFormation permissions from your administrator.
Step 2: Search for CloudFormation in the search bar:
Step 3: Click on Create Stack:
- Select "Template is ready" and "Amazon S3 URL" as the template source, then copy the URL below, edit it with the specific region where SIEM needs to be created, and click Next
- In Specify stack details, enter the stack name and an SNS email ID if required
- In Configure stack options, select the IAM role to create the stack with, or leave it blank to let CloudFormation use an AWS-managed role
- Click Next, review the settings, and click Create Stack
Step 4: Check the status of the stack
Stack creation takes about 20 minutes; wait until the status shows CREATE_COMPLETE (created successfully).
After the stack is created successfully, click on Outputs and copy the URL, user ID, and password.
Step 5: Search for OpenSearch Service in the search bar and click on it:
Click on Domains in the left panel and select the domain created by your stack.
Then scroll down to the configuration tab, scroll down to the access policy, add your IP address, and save the changes. If your system's public IP address or your office IP address is not added to the access policy, the OpenSearch dashboard will not open.
- To check the public IP address of your system, open this URL: https://checkip.amazonaws.com/
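The access policy edited in this step is a resource policy on the OpenSearch domain that admits anonymous principals only when the request's source IP matches a listed range. The following is an added example, not code from the original post or from the SIEM on OpenSearch project: it builds such an IP-restricted policy (rejecting overly broad ranges such as 0.0.0.0/0) and audits an existing policy for Allow statements that are open to anyone. The account ID, region, domain name and CIDRs are placeholders.

```python
"""Build and audit an Amazon OpenSearch Service domain access policy that
only admits the SIEM dashboard from known source IP ranges.

Assumptions (not from the original post): the account id, region, domain
name and CIDRs used below are placeholders / constructed sample values.
"""
import ipaddress
import json


def build_access_policy(account_id: str, region: str, domain: str,
                        allowed_cidrs: list) -> dict:
    """Return an IP-restricted resource policy for the OpenSearch domain.

    Every CIDR is validated so that a typo such as a bare 0.0.0.0/0 is
    caught before the policy is ever applied to the domain.
    """
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > 256:          # wider than a /24 is suspicious
            raise ValueError(f"refusing overly broad source range: {cidr}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "*"},       # anonymous, but gated by IP
            "Action": "es:*",
            "Resource": f"arn:aws:es:{region}:{account_id}:domain/{domain}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        }],
    }


def open_statements(policy: dict) -> list:
    """Indexes of Allow statements that any principal can use with no IP gate."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if anonymous and not stmt.get("Condition", {}).get(
                "IpAddress", {}).get("aws:SourceIp"):
            found.append(i)
    return found


if __name__ == "__main__":
    policy = build_access_policy("123456789012", "ap-south-1", "aes-siem",
                                 ["203.0.113.7/32", "198.51.100.0/24"])
    print(json.dumps(policy, indent=2))   # paste into the access policy editor
    print("open statements:", open_statements(policy))
```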
Step 6: Log in to the OpenSearch Dashboard:
Open the OpenSearch dashboard URL that you copied from the CloudFormation stack outputs in a new tab, then enter the user ID and password.
In the next blog, we will see how to put the logs of different services into the AWS SIEM log S3 bucket, visualize the required dashboards, and review all the resources created by this CloudFormation template.
CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, and Google Cloud Partner, helping people develop knowledge of the cloud and helping their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Feel free to drop a comment or any queries that you have regarding Amazon OpenSearch Service, SIEM configuration, or any consulting requirements, and we will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package, which are CloudThat's offerings.
1. What are the limitations of open-source SIEM tools?
ANS: While SIEM tools add value to a business, there are many drawbacks. The first-generation SIEM tools were expensive and lacked ready integrations and advanced intelligence capabilities. Modern cloud-based SIEM tools have overcome this drawback and handle data growth. Companies that adopt SIEM applications in highly regulated environments that handle sensitive data need to meet compliance programs.
2. What is the full form of SIEM?
ANS: SIEM stands for Security Information and Event Management. It is a system that provides real-time analysis of security alerts generated by applications and network hardware.
WRITTEN BY Anil Reddy