From a32222968b2da86ab3c973b56156240afa20fc3f Mon Sep 17 00:00:00 2001 From: Ky Date: Tue, 18 Jun 2024 17:10:20 +0100 Subject: [PATCH 1/2] :memo: adding runbook for pushing logs to SOC Cortex XSIAM --- .../logs-to-soc-cortex-xsiam.html.md.erb | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb diff --git a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb new file mode 100644 index 00000000..21c9ec84 --- /dev/null +++ b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb 
@@ -0,0 +1,41 @@ +--- +title: Logs going to SOC Palo Alto Cortex Xsiam +weight: 9100 +last_reviewed_on: 2024-06-18 +review_in: 6 months +--- + +# Pushing logs to the SOC team +Cloud Platform logs from various sources are being pushed to the SOC team's security monitoring solution `Palo Alto Cortex XSIAM`. + +We are currently pushing the following logs: + +1. Cloudtrail logs + +We are planning to push the following logs in the coming sprints. [Epic found here]. + +2. `live-1` VPC FlowLogs +3. Route 53 logs +4. EKS logs + +## 1. Cloudtrail logs +### Architecture +We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest logs from Cloudtrail]. + +Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to accesse the SQS queue and recieves all the log messages. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository. + +### IAM User access keys rotation +We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. [Suggestion and issue] for this has been raised. + +## 2. VPC FlowLogs +To be implemented +## 3. Route53 logs +To be implemented +## 4. EKS logs +To be implemented + + +[Cortex XSIAM to injest logs from Cloudtrail]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Audit-Logs-from-AWS-Cloud-Trail +[Epic found here]: https://github.com/ministryofjustice/cloud-platform/milestone/35 +[cloud-platform-terraform-infrastructure]: https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/sqs.tf +[Suggestion and issue]: https://github.com/ministryofjustice/cloud-platform/issues/5724 From 376edf67a12b4ef8c5d9418ff2b280c9ff003941 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Tue, 18 Jun 2024 16:13:14 +0000 Subject: [PATCH 2/2] Commit changes made by code formatters --- runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb index 21c9ec84..e6e5b9ab 100644 --- a/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb +++ b/runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb @@ -20,7 +20,7 @@ We are planning to push the following logs in the coming sprints. [Epic found he ## 1. Cloudtrail logs ### Architecture -We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest logs from Cloudtrail]. +We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest logs from Cloudtrail]. Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to accesse the SQS queue and recieves all the log messages. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository. @@ -34,7 +34,6 @@ To be implemented ## 4. EKS logs To be implemented - [Cortex XSIAM to injest logs from Cloudtrail]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Audit-Logs-from-AWS-Cloud-Trail [Epic found here]: https://github.com/ministryofjustice/cloud-platform/milestone/35 [cloud-platform-terraform-infrastructure]: https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/sqs.tf
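Review bot: In the Architecture paragraph of the new file (hunk `@@ -0,0 +1,41 @@`), the IAM user is described as being granted access to "the SQS queue" to "receive all the log messages", but the same paragraph says the queue carries S3 event notifications. A notification only names the bucket and object key; the CloudTrail records themselves still have to be fetched from the bucket, so the user also needs read access to the CloudTrail objects. The runbook should list the policy actions actually granted (SQS receive/delete plus S3 object read scoped to that bucket) so a reviewer can check least privilege, and the rotation section should state whether the key is rotated at all today and where the secret is held, rather than only linking the suggestion issue. Spelling and grammar to fix before merge: "injest" appears in both the link text and the reference definition label, so change both together; "consist" should be "consists", "a S3 bucket" should be "an S3 bucket", "accesse" should be "access", "recieves"/"recieve" should be "receives"/"receive", and "We need put in" should be "We need to put in". The front-matter title also spells the product "Xsiam" while the body uses "XSIAM".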
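Review bot: The `@@ -20,7 +20,7 @@` hunk is a whitespace-only change (the `-` and `+` lines read identically, so the formatter stripped trailing whitespace after "[Cortex XSIAM to injest logs from Cloudtrail]."), which is fine to take from the bot, but note that it leaves the misspelled link text "injest" in place; since that text doubles as the reference label, correcting it means editing this line and the matching `[...]:` definition at the end of the file in the same commit, or the link stops resolving.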
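Review bot: The `@@ -34,7 +34,6 @@` hunk only drops one of the two blank lines between "To be implemented" and the link reference definitions, so one blank line remains and the definitions are still parsed as definitions rather than as a continuation of the "To be implemented" paragraph; no action needed on the whitespace. The surrounding context does show that sections 2 to 4 are bare "To be implemented" placeholders with nothing to check against at the 6-month review, so consider pointing each at the epic or its own tracking issue in a follow-up.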