VPC and CloudTrail logs for SIEM


The customer is capturing VPC and CloudTrail logs to their SIEM.
The challenge: VPC flow log and CloudTrail volume is huge, and loading them "as is" into the SIEM will produce a lot of data with low value. The customer wants to filter VPC and CloudTrail logs based on the NIST standard.

Do you know what data the customer should filter from VPC flow logs and CloudTrail to meet NIST standards?

1 Answer
Accepted Answer

NIST alignment with logs is all about giving clarity and point-blank information about the events. As you have mentioned, the volume of VPC flow logs and CloudTrail is huge for a SIEM system to consume. This dilutes the information and increases the cost of the SIEM. In most cases (I assume the same here) customers read data from S3 buckets or CloudWatch via API, which is huge and time consuming.

A suggestion here is to filter and upload only the significant events to the SIEM. This can be a Lambda which runs periodically and uploads the small delta to the SIEM, or it could also be Athena that reads the VPC logs and exports the precise findings to the SIEM for analysis.

Example filters for VPC flow logs: REJECT logs, repeated logs, vulnerable port traffic.

Example filters for CloudTrail: filter critical events like Spot Fleet creation, user creation, resource creation in an unused region, key rotations, etc.

Hope this helps.

answered 4 years ago
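The filtering the answer describes, as an added example that is not part of the original answer: a Python function pair of the kind a periodic Lambda could run over a log delta before forwarding to the SIEM. The port watch-list, the set of "used" regions and the critical CloudTrail event names are assumptions to tune per environment; the flow log lines and CloudTrail records are constructed sample input.

```python
# Added example (not code from the original answer): pre-SIEM filter for VPC flow logs and CloudTrail.
from collections import Counter

# Default (version 2) VPC flow log field order, space separated.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
# Hypothetical watch-lists (assumptions to tune per environment, not NIST-mandated values).
WATCHED_PORTS = {22, 23, 3389, 445, 1433, 3306}
USED_REGIONS = {"us-east-1", "eu-west-1"}
CRITICAL_EVENTS = {"CreateUser", "CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey", "RequestSpotFleet"}

def filter_flow_logs(lines):
    """Keep REJECTs and flows to watched ports; collapse repeats of one 5-tuple into one record + count."""
    first, counts = {}, Counter()
    for line in lines:
        rec = dict(zip(FLOW_FIELDS, line.split()))
        if rec.get("log_status") != "OK":
            continue  # NODATA / SKIPDATA lines carry no flow fields (ports are "-")
        key = (rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["protocol"], rec["action"])
        counts[key] += 1
        if key in first:
            continue  # repeated flow: only bump the counter
        if rec["action"] == "REJECT" or int(rec["dstport"]) in WATCHED_PORTS:
            first[key] = rec
    for key, rec in first.items():
        rec["repeat_count"] = counts[key]  # lets the SIEM see the volume without every line
    return list(first.values())

def filter_cloudtrail(records):
    """Keep identity/key changes, Spot Fleet requests, and any Create* call in an unused region."""
    kept = []
    for ev in records:
        name, region = ev.get("eventName", ""), ev.get("awsRegion", "")
        if name in CRITICAL_EVENTS or (name.startswith("Create") and region not in USED_REGIONS):
            kept.append(ev)
    return kept

# Constructed sample input (not real traffic or account data).
SAMPLE_FLOWS = [
    "2 123456789012 eni-0a1b 10.0.1.5 10.0.2.9 44321 443 6 10 8400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 198.51.100.7 10.0.2.9 51000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b 198.51.100.7 10.0.2.9 51001 22 6 1 60 1700000060 1700000120 REJECT OK",
    "2 123456789012 eni-0a1b 10.0.1.5 10.0.2.9 44322 3306 6 5 900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b - - - - - - - 1700000000 1700000060 - NODATA",
]
SAMPLE_EVENTS = [{"eventName": n, "awsRegion": r} for n, r in [
    ("DescribeInstances", "us-east-1"), ("CreateUser", "us-east-1"),
    ("CreateAccessKey", "us-east-1"), ("CreateBucket", "ap-southeast-2")]]
```

Of the five flow lines only two records leave the filter (the two REJECTs to port 22 collapse into one with `repeat_count` 2, plus the ACCEPT to 3306), and of the four CloudTrail records the routine Describe call is dropped while the IAM changes and the out-of-region bucket creation are kept.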
