How to find and establish false positives in Cloudwatch data protection policies?

0

I've created a CloudWatch data protection policy pointed at a CloudWatch log group, and configured it to write audit findings to another CloudWatch log group. Audit findings suggest names and email addresses are being detected.

However, it's virtually impossible to line the findings up to the associated CloudWatch entries that might have an email or name, because the findings only include the name of the log group and a set of start and end indexes. They do not include a pointer to the event or the specific log stream, of which there are hundreds in the time frame given, so knowing where to start counting for the indexes isn't possible.

Given these limitations, what is the suggested approach to finding the offending log entries?

{
    "auditTimestamp": "2023-08-21T15:14:33Z",
    "resourceArn": "arn:aws:logs:some-region:12345:log-group:/aws/lambda/some-lambda:*",
    "dataIdentifiers": [
        {
            "name": "EmailAddress",
            "count": 1,
            "detections": [
                {
                    "start": 31,
                    "end": 92
                }
            ]
        }
    ],
    "policyName": "data-protection-policy"
}
asked 8 months ago, 195 views
2 Answers
0

Hi,

I understand you have created a CloudWatch data protection policy pointed at a CloudWatch log group, and configured it to write audit findings to another CloudWatch log group, and would like to know how to find the corresponding log (audit) in the actual log group.

The following can be achieved by using CloudWatch Insights [1], specifically filtering using the email address along with group by time, @logStream, ingestion time (original log group) and the timestamp (audit log group) [2].

Sample for original log group:

fields @timestamp, @message, unmask(@message), @logStream | sort @timestamp desc | limit 20

It was noted that the audit log won't show the email which triggered the data protection, but by looking at the @ingestionTime from the above query result, it can be compared against the auditTimestamp, which should match.

I am positive this helps. Let me know if I answered your question by upvoting my response, or if you have any follow-up.

Kind regards, Muhammad

References:
[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html
[2] https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_QuerySyntax.html
[3] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html

AWS
answered 8 months ago
0

In practice, this query seems to work to do the above process. It requires manually changing timestamp values, since CloudWatch Insights doesn't seem to support converting or linking across log groups.

# 1) find auditTimestamp in the data protection (audit) logs
# 2) convert the auditTimestamp to epoch milliseconds manually; in Node: +new Date(<insert auditTimestamp here>)
# 3) replace the timestamp value below with the value from step 2 (the +/- 1000 ms window is a starting point)
fields @ingestionTime, @timestamp, @message, unmask(@message), @logStream, toMillis(@ingestionTime) as ingestMillis
| filter ingestMillis > 1695665857000 - 1000
     and ingestMillis < 1695665857000 + 1000
| sort @timestamp desc
| limit 20
answered 7 months ago
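As an added example (not part of either answer above, and not AWS code), the same three steps automated in Python on constructed data: it converts auditTimestamp to epoch milliseconds, emits the Insights query with the window filled in, and applies the finding's start/end offsets to every event ingested inside that window, assuming those offsets are character positions in the unmasked event message, so that spans which do not look like an email can be set aside as false positives. The finding, events and email regex are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed finding in the question's shape; offsets fit the constructed events
# below and are not the question's own values.
FINDING = {"auditTimestamp": "2023-08-21T15:14:33Z",
           "dataIdentifiers": [{"name": "EmailAddress", "count": 1,
                                "detections": [{"start": 35, "end": 52}]}]}
# Constructed stand-ins for rows the original log group's unmask(@message) query
# returns; ingestionTime is epoch millis, as toMillis(@ingestionTime) gives.
EVENTS = [
    {"logStream": "2023/08/21/[$LATEST]a1", "ingestionTime": 1692630872870,
     "message": "2023-08-21T15:14:32.870Z INFO user=alice@example.com logged in"},
    {"logStream": "2023/08/21/[$LATEST]b2", "ingestionTime": 1692630872901,
     "message": "2023-08-21T15:14:32.901Z WARN retry of job batch-7 at depth 4"},
    {"logStream": "2023/08/21/[$LATEST]c3", "ingestionTime": 1692630878000,
     "message": "2023-08-21T15:14:38.000Z INFO user=bob@example.com logged in"},
]
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")  # assumed sanity check

def audit_ts_to_millis(ts):
    """Step 2 of the answer: ISO-8601 auditTimestamp -> epoch milliseconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1000

def insights_query(audit_millis, window_ms=1000):
    """Step 3 of the answer: the query with the +/- window already filled in."""
    return ("fields @ingestionTime, @timestamp, @message, unmask(@message), @logStream,"
            " toMillis(@ingestionTime) as ingestMillis\n"
            f"| filter ingestMillis > {audit_millis - window_ms}"
            f" and ingestMillis < {audit_millis + window_ms}\n"
            "| sort @timestamp desc\n| limit 20")

def triage(finding, events, window_ms=1000):
    """Apply the finding's start/end offsets to each event ingested inside the window
    (assumption: offsets are character positions in the unmasked message) and flag
    whether the extracted span really looks like an email, i.e. a plausible match."""
    audit_ms = audit_ts_to_millis(finding["auditTimestamp"])
    hits = []
    for ev in events:
        if abs(ev["ingestionTime"] - audit_ms) >= window_ms:
            continue  # outside the ingestion window the answer filters on
        for ident in finding["dataIdentifiers"]:
            for det in ident["detections"]:
                span = ev["message"][det["start"]:det["end"]]
                plausible = bool(EMAIL_RE.match(span)) if ident["name"] == "EmailAddress" else None
                hits.append({"logStream": ev["logStream"], "identifier": ident["name"],
                             "span": span, "plausible": plausible})
    return hits
```

Events whose span comes back with plausible=False (here the WARN line, where the offsets land on " of job batch-7 a") are the ones to treat as false positives for that finding; the event with plausible=True names the log stream to inspect.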
