AWS Configuration Guide for Cloud SIEM


Overview

Cloud SIEM applies detection rules to all processed logs in Datadog to detect threats, like a targeted attack, a threat intel listed IP communicating with your systems, or an insecure configuration. The threats are surfaced as Security Signals in the Security Signals Explorer for triaging.

This guide walks you through the following steps so that you can start detecting threats with your AWS CloudTrail logs:

Set up AWS integration using CloudFormation

  1. Go to Datadog’s AWS integration tile to install the integration.

  2. Click Automatically Using CloudFormation. If there is already an AWS account set up, click Add Another Account first.

  3. For Cloud SIEM, log management needs to be integrated, so select Log Management. This sets up the Datadog Lambda Forwarder to be used later for sending AWS CloudTrail logs to Datadog.

  4. Select the AWS Region where the CloudFormation stack will be launched.

  5. Select or create the Datadog API Key used to send data from your AWS account to Datadog.

  6. Click Launch CloudFormation Template. This opens the AWS Console and loads the CloudFormation stack with the parameters filled in based on your selections in the prior Datadog form.

    Note: The DatadogAppKey parameter enables the CloudFormation stack to make API calls to Datadog to add and edit the Datadog configuration for this AWS account. The key is automatically generated and tied to your Datadog account.

  7. Check the required boxes from AWS and click Create stack.

  8. After the CloudFormation stack is created, go back to the AWS integration tile in Datadog and find the box for the new account you created. Click Refresh to Check Status to see a success message at the top of the page, along with the new account visible on the page with the relevant details.

See Getting Started with AWS for more information about Datadog’s AWS integration and CloudFormation template. See AWS manual setup instructions if you need to set up the AWS integration manually.

Enable AWS CloudTrail logging

Enable AWS CloudTrail logging so that logs are delivered to an S3 bucket. If you already have this set up, skip to Send AWS CloudTrail logs to Datadog.

  1. Click Create trail on the CloudTrail dashboard.
  2. Enter a name for your trail.
  3. Create a new S3 bucket or use an existing S3 bucket to store the CloudTrail logs.
  4. Create a new AWS KMS key or use an existing AWS KMS key. Click Next.
  5. Leave the event type with the default management read and write events, or choose additional event types you want to send to Datadog. Click Next.
  6. Review and click Create trail.

Send AWS CloudTrail logs to Datadog

Set up a trigger on your Datadog Forwarder Lambda function to send CloudTrail logs stored in the S3 bucket to Datadog for monitoring.

  1. Go to the Datadog Forwarder Lambda that was created during the AWS integration setup.
  2. Click Add trigger.
  3. Select S3 for the trigger.
  4. Select the S3 bucket you are using to collect AWS CloudTrail logs.
  5. For Event type, select All object create events.
  6. Click Add.
  7. See CloudTrail logs in Datadog’s Log Explorer.

See Log Explorer for more information on how to search and filter, group, and visualize your logs.

Use Cloud SIEM to triage Security Signals

Cloud SIEM applies out-of-the-box detection rules to all processed logs, including the CloudTrail logs you have just set up. When a threat is detected by a Detection Rule, a Security Signal is generated and can be viewed in the Security Signals Explorer.

Since Cloud SIEM applies detection rules to all processed logs, see the in-app instructions on how to collect Kubernetes audit logs and logs from other sources for threat detection. You can also enable other AWS services to log to an S3 bucket and send those logs to Datadog for threat monitoring.
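To make concrete what a detection rule evaluates once CloudTrail records reach Datadog, here is an added, simplified example that is not Datadog's rule engine or any of its shipped rules: it parses the `{"Records": [...]}` shape CloudTrail writes to S3 and applies three rules of the kind a SIEM runs over these logs, namely root-account activity, changes to the trail's own logging, and a threshold of failed console logins from one source IP. The log file, account ID, user names and IP addresses are constructed sample data, and the rule names and threshold are this example's choices.

```python
import json
from collections import Counter

# Constructed sample log file in CloudTrail's delivered shape; all values are placeholders.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:00:09Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "example-trail"}},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
]})

# API calls that change what the trail records; any of them deserves a signal.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
LOGIN_FAILURE_THRESHOLD = 3  # example threshold for one source IP


def parse_records(log_file_text):
    """CloudTrail delivers each file as a JSON object with a Records array."""
    return json.loads(log_file_text)["Records"]


def detect(records):
    """Apply the three example rules and return one signal dict per match."""
    signals = []
    failures = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") == "Root":
            signals.append({"rule": "root-account-activity",
                            "eventName": r.get("eventName"),
                            "sourceIPAddress": r.get("sourceIPAddress")})
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and r.get("eventName") in TRAIL_TAMPERING:
            signals.append({"rule": "cloudtrail-logging-modified",
                            "eventName": r.get("eventName"),
                            "user": ident.get("userName"),
                            "trail": r.get("requestParameters", {}).get("name")})
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failures[r.get("sourceIPAddress")] += 1
    # Threshold rule: evaluated over the whole batch rather than per record.
    for ip, count in failures.items():
        if count >= LOGIN_FAILURE_THRESHOLD:
            signals.append({"rule": "console-login-failures",
                            "sourceIPAddress": ip, "count": count})
    return signals


if __name__ == "__main__":
    for signal in detect(parse_records(SAMPLE_LOG_FILE)):
        print(signal)
```

The first two rules match on single records, the third aggregates over a batch; a production rule engine evaluates the same kind of conditions over a sliding time window rather than one delivered file, and attaches the matching records to the signal so the analyst can triage it in the Security Signals Explorer.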

Further reading