The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Amazon Web Services (AWS) require the ingestion of AWS logs using the Security Operations console ingestion pipeline. The AWS log types required for ingestion differ based on what you are configuring:
- CIEM requires data from the AWS CloudTrail log type.
- Curated detections require data from multiple AWS log types.
To learn more about the different AWS log types, see Supported devices and log types.
Configure AWS log ingestion for CIEM
To generate findings for your AWS environment, the Cloud Infrastructure Entitlement Management (CIEM) capabilities require data from AWS CloudTrail logs.
To use CIEM, do the following when configuring AWS log ingestion.
When setting up your AWS CloudTrail, complete the following configuration steps:
- Create one of the following:
  - An organization-level trail that pulls log data from across all AWS accounts.
  - An account-level trail that pulls log data from select AWS accounts.
- Set the Amazon S3 bucket or Amazon SQS queue you choose for CIEM to log management events from all regions.
When setting up a feed to ingest AWS logs in the Security Operations console, complete the following configuration steps:
- Create a feed that ingests all account logs from the Amazon S3 bucket or Amazon SQS queue for all regions.
- Set the feed Ingestion labels key-value pair based on the feed source type, using one of the following options:
  - If the Source type is Amazon S3, configure one of the following:
    - To extract data every 15 minutes, set the Label to CIEM and the Value to TRUE. You can reuse this feed for other Security Command Center services where a 15-minute data latency is acceptable.
    - To extract data every 12 hours, set the Label to CIEM_EXCLUSIVE and the Value to TRUE. This option works for CIEM and other potential Security Command Center services where a 24-hour data latency is acceptable.
  - If the Source type is Amazon SQS, set the Label to CIEM and the Value to TRUE.
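The trail and feed requirements above can be checked before enabling CIEM. The following is an added example, not code from this page, Google Cloud, or AWS: the trail inputs follow the JSON shape returned by `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors`, while the feed dict is a hypothetical, simplified stand-in for the Google SecOps feed settings (source type plus ingestion labels). All sample values are constructed.

```python
# Added pre-flight check for the CIEM prerequisites (not Google's or AWS's
# own tooling). Trail/selector dicts mirror `describe-trails` and
# `get-event-selectors` output; the feed dict is a hypothetical, simplified
# model of a Google SecOps feed. Sample values are constructed.

S3_LABELS = {"CIEM", "CIEM_EXCLUSIVE"}  # either label enables CIEM on an S3 feed


def check_trail(trail, selectors):
    """Return CloudTrail misconfigurations that would leave CIEM with bad data."""
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail must log management events from all regions")
    if not trail.get("S3BucketName"):
        problems.append("trail must deliver to the S3 bucket used by the feed")
    # Management events may be enabled via classic or advanced event selectors.
    classic = any(s.get("IncludeManagementEvents")
                  for s in selectors.get("EventSelectors", []))
    advanced = any(
        f.get("Field") == "eventCategory" and "Management" in f.get("Equals", [])
        for s in selectors.get("AdvancedEventSelectors", [])
        for f in s.get("FieldSelectors", []))
    if not (classic or advanced):
        problems.append("trail does not record management events")
    return problems


def check_feed(feed):
    """Return ingestion-label problems for the feed (strict match on TRUE)."""
    labels, source = feed.get("ingestion_labels", {}), feed.get("source_type")
    if source == "Amazon S3":
        if not any(labels.get(k) == "TRUE" for k in S3_LABELS):
            return ["S3 feed needs label CIEM=TRUE or CIEM_EXCLUSIVE=TRUE"]
    elif source == "Amazon SQS":
        if labels.get("CIEM") != "TRUE":
            return ["SQS feed needs label CIEM=TRUE"]
    else:
        return [f"unexpected source type: {source!r}"]
    return []


# Constructed sample: a single-region trail and a feed with a lowercase value.
BAD_TRAIL = {"Name": "ciem-trail", "S3BucketName": "example-ct-bucket",
             "IsMultiRegionTrail": False, "IsOrganizationTrail": True}
BAD_SELECTORS = {"EventSelectors": [{"ReadWriteType": "All",
                                     "IncludeManagementEvents": True}]}
BAD_FEED = {"source_type": "Amazon S3", "ingestion_labels": {"CIEM": "true"}}

if __name__ == "__main__":
    for p in check_trail(BAD_TRAIL, BAD_SELECTORS) + check_feed(BAD_FEED):
        print("misconfiguration:", p)
```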
If you don't configure log ingestion correctly, the CIEM detection service might display incorrect findings. In addition, if there are issues with your CloudTrail configuration, Security Command Center displays the CIEM AWS CloudTrail configuration error.
To configure log ingestion, see Ingest AWS logs into Google Security Operations in the Google SecOps documentation.
For full instructions on enabling CIEM, see Enable the CIEM detection service for AWS. For more information about CIEM features, see Overview of Cloud Infrastructure Entitlement Management.
Configure AWS log ingestion for curated detections
Curated detections available with Security Command Center Enterprise help identify threats in AWS environments using both event and context data.
Each AWS rule set requires certain data to function as designed, including one or more of the following sources:
- AWS CloudTrail
- AWS GuardDuty
- AWS context data about hosts, services, and VPCs
- AWS Identity and Access Management
To use these curated detections, you must ingest AWS log data to the Google SecOps tenant, and then enable the curated detection rules.
For more information, see the following in the Google SecOps documentation:
- Supported devices and log types for AWS: information about data required by the AWS rule sets.
- Ingest AWS logs into Google Security Operations: steps to collect AWS CloudTrail logs.
- Curated detections for AWS data: summary of the AWS rule sets in the Cloud Threats curated detections.
- Use curated detections to identify threats: how to use curated detections in Google SecOps.
See Google Cloud service tiers for information about the type of log data that customers with Security Command Center Enterprise can ingest to the Google SecOps tenant.