Monitoring Amazon Web Services with IBM QRadar SIEM

Given the ever-changing technology landscape and the popularity cloud-based computing is gaining, it is safe to say it is here to stay.

With this in mind, we need to develop the knowledge and tools to understand the auditing and security-monitoring options of cloud-based platforms like SoftLayer, Amazon, Azure and Google.

What does it mean to monitor AWS logs? Rather than explaining it here, these links do a far better job:

Amazon CloudWatch Logs – Link
AWS CloudTrail – Link
How to configure AWS on our IBM QRadar – Link

I was looking for best practices to monitor AWS services using CloudTrail; there are no "best practices", more like tips and some guidelines.

OSSEC Wazuh – Link
Amazon Official – Link 1, Link 2

These are my basic guidelines for "I want to monitor my AWS logs" using CloudTrail and QRadar.
Feel free to post your comments or add anything by mailing requests to info[@]qmasters.co.
Please note that QRadar does not apply its known Authentication rules to AWS events, because their categories are not mapped to the matching low-level categories.

Add new custom properties (property name – low-level category the property applies to – regex):

Account Name – holds the name of the affected user – "userName".+"userName":"([^"}]+)

Action – login success and fail events – "ConsoleLogin":"([^"]+)

Group Account Name – General – userName.+userName":"([^\s"]+)

Group Account Name – Misc Authorization low-level category – groupId":"([^\s"]+)

Group Name – Group Changed low-level category – newGroupName":"([^"]+)

Group Name – General – groupName":"([^\s"]+)

Policy – General – policyArn":"([^"]+)

Region – General – awsRegion":"([^"]+)

Role – General – "roleName":"([^"]+)

Message – Update Activity Attempted – ipPermissions":\{(.+?)\]\},

Message – Misc Authorization – ipPermissions":\{(.+?)\]\},

Scope – General – cidrIp":"([^"]+)

User Agent – General – "userAgent":"([^"]+)
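As an added example (not code from the post), the Python below applies the post's regexes to constructed CloudTrail-style records in the way QRadar evaluates a regex custom property against the raw payload; the record layouts and the user, group, policy and security-group values are constructed. It also shows the caveat that the Account Name regex needs two userName fields, so it stays empty for ConsoleLogin events, where only userIdentity carries one.

```python
import json
import re

# Custom-property regexes from the post (QRadar evaluates them as Java regex over the raw payload).
PROPERTY_REGEX = {
    "Account Name": r'"userName".+"userName":"([^"}]+)',
    "Action": r'"ConsoleLogin":"([^"]+)',
    "Group Name": r'groupName":"([^\s"]+)',
    "Policy": r'policyArn":"([^"]+)',
    "Region": r'awsRegion":"([^"]+)',
    "Scope": r'cidrIp":"([^"]+)',
    "User Agent": r'"userAgent":"([^"]+)',
}

def extract_properties(payload: str) -> dict:
    """Apply every regex to one raw payload; return the capture group of each match."""
    found = {}
    for name, pattern in PROPERTY_REGEX.items():
        m = re.search(pattern, payload)
        if m:
            found[name] = m.group(1)
    return found

def make_record(event_name, caller, request=None, response=None):
    """Constructed CloudTrail-style record, keeping the field order CloudTrail emits."""
    return {"eventVersion": "1.05", "userIdentity": {"type": "IAMUser", "userName": caller},
            "eventName": event_name, "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
            "userAgent": "console.amazonaws.com", "requestParameters": request,
            "responseElements": response}

def to_payload(record: dict) -> str:
    # CloudTrail delivers compact JSON (no whitespace after ':' or ','); the post's
    # regexes depend on that, so the constructed samples are serialised the same way.
    return json.dumps(record, separators=(",", ":"))

# Constructed samples: IAM user "alice" fails a console login, then administers user "bob".
SAMPLES = {
    "ConsoleLogin": make_record("ConsoleLogin", "alice", None, {"ConsoleLogin": "Failure"}),
    "CreateUser": make_record("CreateUser", "alice", {"userName": "bob"}, {"user": {"userName": "bob"}}),
    "AddUserToGroup": make_record("AddUserToGroup", "alice", {"userName": "bob", "groupName": "Admins"}),
    "AttachUserPolicy": make_record("AttachUserPolicy", "alice",
                                    {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    "AuthorizeSecurityGroupIngress": make_record("AuthorizeSecurityGroupIngress", "alice",
        {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
         "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
}

def extract_all() -> dict:
    """Property values QRadar would populate for each sample, keyed by event name."""
    return {name: extract_properties(to_payload(rec)) for name, rec in SAMPLES.items()}
```

Because the Account Name property is empty for ConsoleLogin, the logon searches below group on QRadar's built-in Username field rather than on this custom property.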

Once we have our new custom properties, we can build on QRadar's work of categorizing every incoming event and turn it into searches and dashboards.

Searches to save and use in dashboards:

Successful logon – group by Username and Source IP
Log Source Type Equals to Amazon AWS CloudTrail
QID is 88750854
Low level Category is General Audit Event
Action equals to Success

Failed logon – group by Username and Source IP
Log Source Type Equals to Amazon AWS CloudTrail
Low level Category is General Audit Event
Action equals to Failure

Assign / Remove Roles

Log Source Type Equals to Amazon AWS CloudTrail
Low level Category Equals to any of User right assigned or User right removed

Group Changes Audit

Add both the Group Account Name and Group Name custom properties as columns
Log Source Type Equals to Amazon AWS CloudTrail
Low level Category Equals to any of Group added or Group changed or Group member removed or Group member added


Policy Change Audit

Log Source Type Equals to Amazon AWS CloudTrail
QID is any of the following, which cover policy changes –
88750869, 88750860, 88750868, 88750289, 88750904, 88750685, 88750875

Security Group Ingress

Log Source Type Equals to Amazon AWS CloudTrail
Low level Category is any of Update Activity Attempted or Misc Authorization
QID is any of 88750751 or 88750001

User Account Created

Log Source Type Equals to Amazon AWS CloudTrail
Low level Category is User Account Added

Amazon General Audit events – better to use a reference list here with the QIDs

Log Source Type Equals to Amazon AWS CloudTrail
QID is in a reference list holding the related QIDs –
88750001, 88750003, 88750037, 88750077, 88750119, 88750126, 88750167, 88750176, 88750178, 88750100,
88750225, 88750271, 88750273, 88750274, 88750281, 88750289, 88750200, 88750309, 88750323, 88750300,
88750649, 88750650, 88750698, 88750707, 88750710, 88750751, 88750823, 88750861, 88750868, 88750860