1. Introduction
SIEM on Amazon OpenSearch Service (the successor of SIEM on Amazon Elasticsearch Service) is a solution for collecting various types of logs from different AWS accounts, correlating them, and visualizing them to help investigate security incidents. Deployment is straightforward with the readily available AWS CloudFormation template.
When AWS service logs are put into the specified Amazon Simple Storage Service (Amazon S3) bucket, the AWS Lambda function created during deployment automatically loads those logs into SIEM on OpenSearch Service. Users can then view visualized logs for the different AWS services in the dashboard and check multiple logs together to investigate security incidents.
2. Supported AWS Services Log Types
SIEM on OpenSearch Service supports log types from the following AWS service categories.
Security, Identity, & Compliance:
Management & Governance:
Networking & Content Delivery:
Storage:
Database:
Analytics:
Compute:
Containers:
4. Step-by-Step Guide to Set Up SIEM Using Amazon OpenSearch Service and the CloudFormation Template:
Step 1: Verify that the IAM user has the right access to AWS CloudFormation:
Obtain the necessary permissions for AWS CloudFormation from the administrator.
Step 2: Search for CloudFormation in the search bar:
Step 3: Click on Create Stack:
- Select "Template is ready" and "Amazon S3 URL" as the template source, then copy the URL below, insert the specific region in which SIEM is to be created after "aes-siem-", and click Next
https://aes-siem-.s3.amazonaws.com/siem-on-amazon-opensearch-service.template
- In Stack details, enter the stack name and, if required, the SNS email address
- In Configure stack options, select the role to use for creating the stack, or leave it blank to have an AWS-managed role created
- Click Next, review the settings, and click Create Stack
Step 4: Check Status of Stack
Stack creation takes about 20 minutes; wait until the status shows that the stack was created successfully.
After the stack is created successfully, click on Outputs and copy the URL, user ID, and password.
Step 5: Search for OpenSearch Service in the search bar and click on it:
Click on Domains in the left panel and select the domain created by your stack.
Then open the domain's configuration, scroll down to the access policy, add your IP address, and save the changes. If your system's IP address or your office IP address is not added to the access policy, the OpenSearch Dashboards page will not open.
- To check the public IP address of your system, open this URL: https://checkip.amazonaws.com/
Step 6: Log in to OpenSearch Dashboard:
Open the OpenSearch Dashboards URL that you copied from the CloudFormation stack outputs in a new tab, then enter the user ID and password.
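The same deployment and access-policy change done from the AWS CLI, as an added example that is not part of the original post or of the SIEM on OpenSearch project; it assumes AWS CLI v2 with credentials that can create CloudFormation stacks and update OpenSearch domains, and the values REGION, STACK_NAME and DOMAIN_NAME are assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or the SIEM on OpenSearch project:
# the console steps above done with the AWS CLI v2. REGION, STACK_NAME and
# DOMAIN_NAME are assumed values; credentials with CloudFormation and
# OpenSearch permissions are assumed to be configured.
set -eu

# Build a domain access policy that allows requests only from the given IPs/CIDRs.
# A bare address (as returned by checkip.amazonaws.com) becomes a single-host /32.
build_access_policy() {
  domain_arn="$1"; shift
  list=""
  for c in "$@"; do
    case "$c" in */*) ;; *) c="$c/32" ;; esac
    list="${list}\"${c}\","
  done
  list="[${list%,}]"
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},
"Action":"es:*","Resource":"${domain_arn}/*",
"Condition":{"IpAddress":{"aws:SourceIp":${list}}}}]}
EOF
}

deploy_siem() {
  REGION="${REGION:-ap-northeast-1}"      # assumed
  STACK_NAME="${STACK_NAME:-aes-siem}"    # assumed
  DOMAIN_NAME="${DOMAIN_NAME:-aes-siem}"  # assumed: the domain the stack creates
  # Template URL follows the post's pattern, with the region inserted after "aes-siem-".
  template_url="https://aes-siem-${REGION}.s3.amazonaws.com/siem-on-amazon-opensearch-service.template"

  # Steps 3 and 4: create the stack and wait for it (about 20 minutes).
  aws cloudformation create-stack --region "$REGION" --stack-name "$STACK_NAME" \
    --template-url "$template_url" --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --region "$REGION" --stack-name "$STACK_NAME"
  # Outputs tab: dashboard URL, user ID and password.
  aws cloudformation describe-stacks --region "$REGION" --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Outputs' --output table

  # Step 5: restrict the domain access policy to this machine's public IP.
  my_ip=$(curl -s https://checkip.amazonaws.com/)
  domain_arn=$(aws opensearch describe-domain --region "$REGION" --domain-name "$DOMAIN_NAME" \
    --query 'DomainStatus.ARN' --output text)
  build_access_policy "$domain_arn" "$my_ip" > access-policy.json
  aws opensearch update-domain-config --region "$REGION" --domain-name "$DOMAIN_NAME" \
    --access-policies file://access-policy.json
}

# Runs only when explicitly requested: RUN_DEPLOY=1 ./deploy-siem.sh
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_siem; fi
```

This replaces the domain's whole access policy; if the policy the stack created carries other statements you need, merge them into the generated document rather than overwriting them.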
5. Conclusion:
In the next blog, we will see how to put the logs of different services into the SIEM log S3 bucket, visualize the required dashboards, and review the resources created by this CloudFormation template.
About CloudThat
CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.
FAQs
1. What are the limitations of the SIEM open-source tool?
ANS: – While SIEM tools add value to a business, they also have drawbacks. First-generation SIEM tools were expensive and lacked ready integrations and advanced intelligence capabilities. Modern cloud-based SIEM tools have overcome these drawbacks and can handle data growth. Companies that adopt SIEM applications in highly regulated environments that handle sensitive data must also meet the requirements of their compliance programs.
2. What is the full form of SIEM?
ANS: – SIEM stands for Security Information and Event Management. It is a system that provides real-time analysis of security alerts generated by applications and network hardware.
WRITTEN BY Anil Reddy
Matt Yang
Jul 26, 2022
I’m looking for a business partner for AWS Taiwan who already has a packaged SIEM solution on top of Amazon OpenSearch Service.
Anusha Shanbhag
Jul 26, 2022
Thanks for your query, Mr. Yang. CloudThat’s Business Development team will get in touch with you for this requirement.