AWS, Cloud Computing, Cyber Security

Configuring SIEM Using Amazon OpenSearch Service

1. Introduction

SIEM using Amazon OpenSearch Service (the successor of SIEM using Amazon Elasticsearch Service) is a solution for collecting many types of logs from different AWS accounts, correlating them, and visualizing them to help investigate security incidents. It can be deployed easily with the readily available AWS CloudFormation template.

When logs from AWS services are put into a designated Amazon Simple Storage Service (Amazon S3) bucket, an AWS Lambda function created during deployment automatically loads those logs into SIEM on OpenSearch Service. Users can then view visualized logs for the different AWS services in the dashboard and search across multiple log types to investigate security incidents.

2. Supported AWS Services Log Types

SIEM on OpenSearch Service supports log types from the following AWS service categories (the per-service list for each category is shown as an image):

  • Security, Identity, & Compliance
  • Management & Governance
  • Networking & Content Delivery
  • Storage
  • Database
  • Analytics
  • Compute
  • Containers

3. Architecture Diagram:

(Architecture diagram shown as an image.)

4. Step-by-Step Guide to Set Up SIEM Using Amazon OpenSearch Service and a CloudFormation Template:

Step 1: Verify that the IAM user has the required access to AWS CloudFormation:

Obtain the necessary AWS CloudFormation permissions from the administrator.

Step 2: Search for CloudFormation in the search bar:

Step 3: Click on Create Stack:

  • Select Template is ready and set Template source to Amazon S3 URL, then copy the URL below, replace <REGION> with the region where SIEM needs to be created, and click Next

https://aes-siem-<REGION>.s3.amazonaws.com/siem-on-amazon-opensearch-service.template

  • In Stack details, enter the Stack name and, if required, the SNS email ID
  • In Configure stack options, select the role used to create the stack, or leave it blank to use an AWS-managed role
  • Click Next, review the settings, and click Create Stack

Step 4: Check the status of the stack

Stack creation takes about 20 minutes; wait until the status shows that the stack was created successfully (CREATE_COMPLETE).

After the stack is created successfully, click on Outputs and copy the URL, user ID, and password.

Step 5: Search for OpenSearch Service in the search bar and click on it:

Click on Domains in the left panel and select the domain created by your stack.

Then scroll down to the domain configuration, scroll to the access policy, add your IP address, and save the changes. If your system's IP address or your office's IP address is not added, the OpenSearch dashboard will not open.
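Steps 3 to 5 can also be scripted instead of clicked through in the console. The block below is an added example, not code from this post or from the SIEM on Amazon OpenSearch Service project: it builds the region-specific template URL from Step 3, creates the stack and waits for it (Step 4), reads the stack outputs, and then replaces the domain access policy with one that only admits the source IPs you name (Step 5). The template parameter name `SnsEmail`, the IAM capabilities passed to `create_stack`, the default domain name `aes-siem`, and the policy shape (an allow for `es:*` on the domain limited by an `aws:SourceIp` condition) are assumptions to check against the template you deploy; the account ID, ARN and addresses in the `__main__` block are constructed sample values.

```python
"""Scripted version of Steps 3 to 5: create the SIEM stack, wait for it, read
its outputs, then lock the OpenSearch domain's access policy to known IPs.

Added example, not code from the post or the SIEM on Amazon OpenSearch Service
project. Assumed (not taken from the post): the ``SnsEmail`` parameter name,
the capabilities the template needs, and the access-policy shape below.
"""
import ipaddress
import json

TEMPLATE_URL = (
    "https://aes-siem-{region}.s3.amazonaws.com/"
    "siem-on-amazon-opensearch-service.template"
)


def template_url(region: str) -> str:
    """Build the template URL for one region (the URL pattern from Step 3).

    Region names contain only letters, digits and hyphens; anything else is
    rejected rather than interpolated into the URL.
    """
    if not region or not all(c.isalnum() or c == "-" for c in region):
        raise ValueError(f"invalid region name: {region!r}")
    return TEMPLATE_URL.format(region=region)


def build_access_policy(domain_arn: str, allowed_cidrs, principal: str = "*") -> dict:
    """Return a domain access policy that allows requests only from allowed_cidrs.

    Bare addresses become /32 (or /128) networks. A prefix length of 0 would
    open the domain to the whole internet, so it is refused, as is an empty
    list. The dict is what update_domain_config expects after json.dumps().
    """
    cidrs = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"refusing to allow all source IPs: {cidr!r}")
        cidrs.append(str(net))
    if not cidrs:
        raise ValueError("at least one source CIDR is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal},
                "Action": "es:*",
                "Resource": f"{domain_arn}/*",
                "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
            }
        ],
    }


def deploy_siem_stack(stack_name: str, region: str, sns_email: str = "") -> dict:
    """Steps 3 and 4: create the stack, wait for CREATE_COMPLETE, return Outputs.

    boto3 is imported here so the pure helpers above work without it.
    """
    import boto3  # assumed to be installed where this runs

    cfn = boto3.client("cloudformation", region_name=region)
    params = []
    if sns_email:
        # Parameter name assumed; check the template's Parameters section.
        params.append({"ParameterKey": "SnsEmail", "ParameterValue": sns_email})
    cfn.create_stack(
        StackName=stack_name,
        TemplateURL=template_url(region),
        Parameters=params,
        # Capabilities assumed: the template creates IAM roles and nested stacks.
        Capabilities=["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"],
    )
    # The post says creation takes about 20 minutes; poll every 30 s, up to an hour.
    cfn.get_waiter("stack_create_complete").wait(
        StackName=stack_name, WaiterConfig={"Delay": 30, "MaxAttempts": 120}
    )
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    # Output keys (dashboard URL, user ID, password) are defined by the template.
    return {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}


def restrict_domain_access(domain_name: str, region: str, allowed_cidrs) -> dict:
    """Step 5: replace the domain access policy so only allowed_cidrs can reach
    the dashboard. Returns the policy that was applied."""
    import boto3  # assumed to be installed where this runs

    opensearch = boto3.client("opensearch", region_name=region)
    domain_arn = opensearch.describe_domain(DomainName=domain_name)["DomainStatus"]["ARN"]
    policy = build_access_policy(domain_arn, allowed_cidrs)
    opensearch.update_domain_config(DomainName=domain_name, AccessPolicies=json.dumps(policy))
    return policy


if __name__ == "__main__":
    # Constructed sample values; this dry run makes no AWS calls.
    print(template_url("ap-south-1"))
    print(json.dumps(build_access_policy(
        "arn:aws:es:ap-south-1:123456789012:domain/aes-siem",
        ["203.0.113.7", "198.51.100.0/24"],
    ), indent=2))
```

A real run would call `deploy_siem_stack("siem-on-opensearch", "ap-south-1", "alerts@example.com")` and then `restrict_domain_access("aes-siem", "ap-south-1", ["203.0.113.7"])` from a session with CloudFormation and OpenSearch permissions (Step 1). Building the policy in a separate pure function keeps the refusal of `0.0.0.0/0` testable, which is the mistake most likely to turn "add your IP address" into an internet-reachable dashboard.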

Step 6: Log in to the OpenSearch Dashboard:

Open the OpenSearch dashboard URL that you copied from the CloudFormation stack outputs in a new tab, then enter the ID and password.

  • Select Global as the tenant and click Confirm
  • The OpenSearch dashboard for SIEM will open

5. Conclusion:

In the next blog, we will see how to send the logs of different services to the SIEM log S3 bucket, visualize them in the required dashboards, and review the resources created by this CloudFormation template.

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.

FAQs

1. What are the limitations of the SIEM open-source tool?

ANS: – While SIEM tools add value to a business, they also have drawbacks. First-generation SIEM tools were expensive and lacked ready integrations and advanced intelligence capabilities. Modern cloud-based SIEM tools have overcome this drawback and handle data growth. Companies that adopt SIEM applications in highly regulated environments that handle sensitive data need to meet compliance programs.

2. What is the full form of SIEM?

ANS: – SIEM stands for Security Information and Event Management. It is a system that provides real-time analysis of security alerts generated by applications and network hardware.

WRITTEN BY Anil Reddy

Comments

  1. Matt Yang

    Jul 26, 2022

    I’m looking for a business partner for AWS Taiwan who already has a packaged SIEM solution on top of Amazon OpenSearch Service.

    • Anusha Shanbhag

      Jul 26, 2022

      Thanks for your query, Mr. Yang. CloudThat’s Business Development team will get in touch with you for this requirement.
