Configuring SIEM Using Amazon OpenSearch Service

1. Introduction

SIEM using Amazon OpenSearch Service (successor of SIEM using Amazon Elasticsearch Service) is an answer for collecting various types of logs from different AWS accounts, associating, and envisioning the logs to help investigate security incidents. Deployment can be easily done with the help of the AWS Cloud Formation template which is readily available.

When AWS services logs are put into a specified Amazon Simple Storage Service (Amazon S3) bucket, the AWS Lambda function which is triggered while deploying automatically loads those logs into SIEM on OpenSearch Service, making users view various visualized logs for different AWS services ln the dashboard and check multiple logs to investigate various security incidents.

2. Supported AWS Services Log Types

SIEM on OpenSearch Service can support the following log types.

Security, Identity, & Compliance:

Management & Governance:

Networking & Content Delivery:

Storage:

Database:

Analytics:

Compute:

Containers:

3. ARCHITECTURE DIAGRAM:

4. Step by Step Guide to setup SIEM using AWS OpenSearch Service and Cloud Formation Template:

Step 1: Verify IAM user has the right access to AWS cloud formation policies:

Take necessary permissions from the administrator for AWS cloud formation policies

Step 2: Search for Cloud formation in the search bar:

Step 3: Click on Create Stack :

• Select the Template is ready and Template source as Amazon S3 URL then Copy the below URL and edit with the specific region where SIEM needs to create and click on next

https://aes-siem-.s3.amazonaws.com/siem-on-amazon-opensearch-service.template

• In stack details enter the Stack name and enter the sns email id if required
• On configure, Stack options select the role to create a stack or leave it blank for AWS managed role creation
  
• Click on next and review and click on Create Stack
  
  

Step 4: Check Status of Stack

The stack will be created it will take 20 minutes time wait till you get the status as created successfully

After Stack is created Successfully click on Outputs and copy the URL, User ID, and password

Step 5: Search for OpenSearch Service in the search bar and click on it:

Click on Domains in the left panel and select the domain created as your stack

Then scroll down and select the configurations and scroll down to access policy and add your IP address and save the changes. If the IP address of your system IP or office IP address is not added Open search dashboard will not open

• To check the IP address of your system click on this URL https://checkip.amazonaws.com/
  

Step 6: Log in to OpenSearch Dashboard:

Open the URL of the OpenSearch dashboard on the new tab which you have collected from CloudFormation stacks output then input the ID and password

• Select the Global as Tenant and click on Confirm
  
• The OpenSearch dashboard will open for SIEM
  

5. Conclusion:

In the next blog, we will see how to put the logs of different services to AWS SIEM logs S3 bucket and visualize the required Dashboards and we will know what all Resources created by this CloudFormation Template.

About CloudThat

CloudThat is the official AWS Advanced Consulting Partner, Microsoft Gold Partner, and Google Cloud Partner, helping people develop knowledge on the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Feel free to drop a comment or any queries that you have regarding Amazon OpenSearch Service, SIEM Configuration, or any consulting requirements and we will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package that is CloudThat’s offerings.