Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

📝 adding runbook for pushing logs to SOC Cortex XSIAM #5738

Merged
merged 2 commits into from
Jun 18, 2024
Merged

📝 adding runbook for pushing logs to SOC Cortex XSIAM #5738

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a322229
:memo: adding runbook for pushing logs to SOC Cortex XSIAM
kyphutruong Jun 18, 2024
376edf6
Commit changes made by code formatters
github-actions[bot] Jun 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions runbooks/source/logs-to-soc-cortex-xsiam.html.md.erb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
title: Logs going to SOC Palo Alto Cortex Xsiam
weight: 9100
last_reviewed_on: 2024-06-18
review_in: 6 months
---

# Pushing logs to the SOC team
Cloud Platform logs from various sources are being pushed to the SOC team's security monitoring solution `Palo Alto Cortex XSIAM`.

We are currently pushing the following logs:

1. Cloudtrail logs

We are planning to push the following logs in the coming sprints. [Epic found here].

2. `live-1` VPC FlowLogs
3. Route 53 logs
4. EKS logs

## 1. Cloudtrail logs
### Architecture
We have followed Palo Alto's documentation on implementation to allow [Cortex XSIAM to injest logs from Cloudtrail].

Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to accesse the SQS queue and recieves all the log messages. The terraform code for this implementation is found in the [cloud-platform-terraform-infrastructure] repository.

### IAM User access keys rotation
We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. [Suggestion and issue] for this has been raised.

## 2. VPC FlowLogs
To be implemented
## 3. Route53 logs
To be implemented
## 4. EKS logs
To be implemented

[Cortex XSIAM to injest logs from Cloudtrail]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Ingest-Audit-Logs-from-AWS-Cloud-Trail
[Epic found here]: https://github.com/ministryofjustice/cloud-platform/milestone/35
[cloud-platform-terraform-infrastructure]: https://github.com/ministryofjustice/cloud-platform-infrastructure/blob/main/terraform/aws-accounts/cloud-platform-aws/account/sqs.tf
[Suggestion and issue]: https://github.com/ministryofjustice/cloud-platform/issues/5724