Skip to main content

Pushing logs to the SOC team

Cloud Platform logs from various sources are being pushed to the SOC team’s security monitoring solution Palo Alto Cortex XSIAM.

We are currently pushing the following logs:

  1. Cloudtrail logs
  2. live-1 VPC FlowLogs

We are planning to push the following logs in the coming sprints. Epic found here.

  1. Route 53 logs
  2. EKS logs

1. Cloudtrail logs

Architecture

We have followed Palo Alto’s documentation on implementation to allow Cortex XSIAM to injest logs from Cloudtrail.

Cloudtrail logs are written to a S3 bucket. The implementation consist of enabling the S3 bucket to trigger event notifications to an SQS queue. An IAM user with access keys has been created to grant Cortex XSIAM to access the SQS queue and recieves these messages. Cortex XSIAM then uses the references in these messages to retrieve the logs from the S3 bucket. The terraform code for this implementation is found in the cloud-platform-terraform-infrastructure repository.

2. live-1 VPC FlowLogs

Architecture

We have followed Palo Alto’s documentation on implementation to allow Cortex XSIAM to injest VPC flowlogs from S3.

This implementation follows the same architectural pattern as pushing CloudTrail logs above. VPC flowlogs are written to a S3 bucket and triggers event notifications to an SQS queue. Cortex XSIAM then uses the references in these messages to retrieve the logs from the S3 bucket. The same IAM user access keys are used here. The terraform code for this implementation is found in the cloud-platform-terraform-infrastructure repository.

3. Route53 logs

Architecture

We have followed Palo Alto’s documentation on implementation to allow Cortex XSIAM to injest Route53 from S3.

Since Route53 Resolver query logging is VPC bound, we are calling the Route53 logs module at the VPC layer within infrastructure and referencing the S3 bucket for the related SQS resources in the same way we do so for VPC FlowLogs, in the cloud-platform-terraform-infrastructure repository.

4. EKS logs

To be implemented

Todo

IAM User access keys rotation

We need put in a mechanism to periodically rotate the IAM User access keys created for Cortex XSIAM to recieve the logs. Suggestion and issue for this has been raised.

This page was last reviewed on 10 July 2024. It needs to be reviewed again on 10 January 2025 by the page owner #cloud-platform .
This page was set to be reviewed before 10 January 2025 by the page owner #cloud-platform. This might mean the content is out of date.