VPC and CloudTrail logs for SIEM


The customer is capturing VPC and CloudTrail logs to their SIEM.
The challenge: VPC flow log and CloudTrail volume is huge, and loading them "as is" into the SIEM will produce a lot of low-value data. The customer wants to filter the VPC and CloudTrail logs based on the NIST standard.

Do you know what data the customer should filter from VPC flow logs and CloudTrail to meet NIST standards?

1 answer

Accepted answer

NIST alignment with logs is all about giving clarity and point-blank info about the events. As you have mentioned, the volume of VPC flow logs and CloudTrail is huge for a SIEM system to consume. This dilutes the info and increases the cost of the SIEM. In most cases (I assume the same here) customers read data from the S3 buckets or CloudWatch via API, which is huge and time-consuming.

A suggestion here is to filter and upload only the significant events to the SIEM. This can be a Lambda which runs periodically and uploads the small delta to the SIEM, or it could also be Athena that reads the VPC logs and exports the precise findings to the SIEM for analysis.

Example filters for VPC flow logs:
- REJECT logs
- Repeated logs
- Filter vulnerable port traffic

Example filters for CloudTrail: filter critical events like:
- Spot fleet creation
- User creation
- Resource creation in an unused region
- Key rotations, etc.

Hope this helps.

AWS
Answered 4 years ago
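The answer above sketches the filtering step without showing it. The following is an added example (not the answerer's code and not an AWS-provided tool) of the pre-filter that such a periodic Lambda or batch job would apply before forwarding to the SIEM: it parses default-format (version 2) VPC flow log records, keeps REJECT entries and traffic to a set of watched ports, collapses repeated identical flows into one record with a repeat count, and keeps CloudTrail events that match the critical-event categories the answer lists (spot fleet requests, user creation, access-key changes, resource creation outside the regions in use). The watched port list, the allowed-region set, the critical event names, and the sample log lines are all constructed assumptions for the demonstration; the customer would set these from their own environment.

```python
"""Pre-filter VPC flow log records and CloudTrail events before shipping to a SIEM.

Added example for the answer above; not from the original post. All constants
and sample data below are assumptions constructed for illustration.
"""
import json
from collections import OrderedDict

# Default VPC flow log format (version 2), space-separated.
FLOW_FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log-status")

# Assumption: ports the customer treats as sensitive (admin/database services).
WATCHED_PORTS = {22, 23, 3389, 445, 1433, 3306}
# Assumption: regions the customer actually uses; creations elsewhere are suspicious.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}
# Assumption: CloudTrail eventName values mapped from the answer's categories.
CRITICAL_EVENT_NAMES = {"RequestSpotFleet", "CreateUser", "CreateAccessKey",
                        "UpdateAccessKey", "DeleteAccessKey"}


def parse_flow_record(line):
    """Parse one default-format flow log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        # NODATA / SKIPDATA rows carry '-' in the numeric fields.
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def select_flow_records(lines):
    """Keep REJECTs and traffic to watched ports; collapse repeats of the same
    (srcaddr, dstaddr, dstport, action) into a single record with a 'repeats' count."""
    kept = OrderedDict()
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["log-status"] != "OK":
            continue
        reasons = []
        if rec["action"] == "REJECT":
            reasons.append("reject")
        if rec["dstport"] in WATCHED_PORTS:
            reasons.append("watched-port")
        if not reasons:
            continue  # ordinary accepted traffic: not worth the SIEM ingest cost
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["action"])
        if key in kept:
            kept[key]["repeats"] += 1
        else:
            kept[key] = {**rec, "reasons": reasons, "repeats": 1}
    return list(kept.values())


def select_cloudtrail_events(events):
    """Keep critical IAM/compute events and any resource creation outside ALLOWED_REGIONS."""
    out = []
    for ev in events:
        name = ev.get("eventName", "")
        region = ev.get("awsRegion", "")
        reasons = []
        if name in CRITICAL_EVENT_NAMES:
            reasons.append("critical-event")
        if name.startswith(("Create", "Run")) and region not in ALLOWED_REGIONS:
            reasons.append("unused-region")
        if reasons:
            out.append({**ev, "reasons": reasons})
    return out


def build_siem_batch(flow_lines, events):
    """Return newline-delimited JSON ready for a SIEM HTTP collector or S3 drop."""
    records = [{"source": "vpc-flow", **r} for r in select_flow_records(flow_lines)]
    records += [{"source": "cloudtrail", **e} for e in select_cloudtrail_events(events)]
    return "\n".join(json.dumps(r) for r in records)


# Constructed sample input (not real traffic): one normal flow, two repeated SSH
# rejects from the same source, one accepted MySQL connection, one NODATA row.
SAMPLE_FLOW_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.9 51000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.9 51001 22 6 1 60 1700000001 1700000061 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49153 3306 6 5 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]
# Constructed sample CloudTrail events (minimal fields only).
SAMPLE_CLOUDTRAIL = [
    {"eventName": "DescribeInstances", "awsRegion": "us-east-1", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "CreateUser", "awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com"},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-2", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "RequestSpotFleet", "awsRegion": "eu-west-1", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "CreateAccessKey", "awsRegion": "us-east-1", "eventSource": "iam.amazonaws.com"},
]

if __name__ == "__main__":
    print(build_siem_batch(SAMPLE_FLOW_LINES, SAMPLE_CLOUDTRAIL))
```

Run as a script it prints the reduced batch: of the five flow lines only two survive (the SSH rejects merged into one record with `repeats: 2`, plus the MySQL connection), and of the five CloudTrail events four are kept, each tagged with the reason it matched. The `reasons` field is deliberate: it lets the SIEM side build detections on why a record was forwarded instead of re-deriving the rule, and it makes the filter's coverage auditable when mapping to the NIST controls the question refers to.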
