Ingest Logs from AWS CloudTrail and Amazon CloudWatch
Take advantage of Cortex XDR investigation capabilities and set up log ingestion of your AWS CloudTrail and Amazon CloudWatch logs.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use AWS CloudTrail or Amazon CloudWatch, you can forward logs from the respective service to Cortex XDR. To enable log forwarding, you set up an Amazon Kinesis Data Firehose delivery stream and then add it to your AWS CloudTrail or Amazon CloudWatch configuration. After you complete the setup process, logs from the respective service are searchable in Cortex XDR to provide additional information and context to your investigations.
To set up the AWS integration, you need an AWS role that grants access to configure Amazon Kinesis Data Firehose.
- Set up the AWS integration in Cortex XDR.
- Select Settings > SaaS Integrations.
- In the AWS configuration, click the here link to begin a new configuration.
- Enter a descriptive Name for your log collection configuration.
- Enter the Vendor and Product for the type of logs you are ingesting. The vendor and product are used to define the name of your XQL dataset (<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR uses the default values of Amazon and AWS, giving the dataset name amazon_aws_raw. To uniquely identify the log source, consider changing the values.
- Choose the format of the data input source (CloudTrail or CloudWatch) that you will export to Cortex XDR, either JSON or Text.
- Click Save & Generate Token. Click the copy icon next to the key and record it somewhere safe. You will need to provide this key when you set up output settings in AWS Kinesis Data Firehose. If you forget to record the key and close the window, you will need to generate a new key and repeat this process.
- Select Done to close the window.
- Create a Kinesis Data Firehose delivery stream to your chosen destination.
- Log in to the AWS Management Console, and open the Kinesis console at https://console.aws.amazon.com/kinesis.
- Select Data Firehose > Create delivery stream.
- Define the name and source for your stream.
  - Delivery stream name—Enter a descriptive name for your stream configuration.
  - Source—Select Direct PUT or other sources.
  - Server-side encryption for source records in the delivery stream—Ensure this option is disabled.
Click Next to proceed to the process record configuration.
- Define the process records.
  - Transform source records with AWS Lambda—Set the Data Transformation as Disabled.
  - Convert record format—Set Record format conversion as Disabled.
Click Next to proceed to the destination configuration.
- Choose a destination for the logs. Choose HTTP Endpoint as the destination and configure the HTTP endpoint configuration settings:
  - HTTP endpoint name—Enter the name you used to identify your AWS log collection configuration in Cortex XDR.
  - HTTP endpoint URL—Copy the API URL associated with your log collection from the Cortex XDR management console (Settings > SaaS Integrations > Copy API URL). The URL includes your tenant name (https://api-<tenant external URL>/logs/v1/aws).
  - Access key—Paste in the token key you recorded earlier during the configuration of your Cortex XDR log collection settings.
  - Content encoding—Select GZIP. Disabling content encoding may result in high egress costs.
  - Retry duration—Enter 300 seconds.
  - S3 bucket—Set the S3 backup mode as Failed data only. For the S3 bucket, we recommend that you create a dedicated bucket for the Cortex XDR integration.
Click Next to proceed to the settings configuration.
- Configure additional settings.
  - HTTP endpoint buffer conditions—Set the Buffer size as 1 MiB and the Buffer interval as 60 seconds.
  - S3 buffer conditions—Use the default settings for Buffer size as 5 MiB and Buffer interval as 300 seconds unless you have alternative sizing preferences.
  - S3 compression and encryption—Choose your desired compression and encryption settings.
  - Error logging—Select Enabled.
  - Permissions—Select the Create or update IAM role option.
- Review your configuration and click Create delivery stream. When your delivery stream is ready, the status changes from Creating to Active.
- To begin forwarding logs, add the Kinesis Firehose instance to your AWS CloudTrail or Amazon CloudWatch configuration.
- Verify the status of the integration. Return to the SaaS Integrations page and view the statistics for the log collection configuration.
- After Cortex XDR begins receiving logs from your Amazon services, you can use the XQL Search to search for logs in the new dataset.
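As an added example (not code from this page or from Palo Alto Networks), the delivery stream settings above expressed as a boto3 create_delivery_stream request, plus an audit function that checks whether an existing stream's HTTP endpoint destination still matches them; the endpoint URL, access key, role ARN, bucket ARN and log group name are assumed placeholders.

```python
"""Build and audit a Kinesis Data Firehose delivery stream that delivers to
the Cortex XDR HTTP endpoint with the settings listed on this page. Dict
shapes follow the Firehose API; URL, key, ARNs and samples are placeholders."""


def build_delivery_stream_request(name, endpoint_url, access_key,
                                  role_arn, backup_bucket_arn):
    """Parameters for boto3 firehose.create_delivery_stream(**request)."""
    return {
        "DeliveryStreamName": name,
        "DeliveryStreamType": "DirectPut",  # 'Direct PUT or other sources'
        "HttpEndpointDestinationConfiguration": {
            "EndpointConfiguration": {
                "Url": endpoint_url,      # https://api-<tenant>/logs/v1/aws
                "Name": name,             # name of the XDR log collection
                "AccessKey": access_key,  # token from Save & Generate Token
            },
            "BufferingHints": {"SizeInMBs": 1, "IntervalInSeconds": 60},
            "RequestConfiguration": {"ContentEncoding": "GZIP"},
            "RetryOptions": {"DurationInSeconds": 300},
            "RoleArn": role_arn,
            "S3BackupMode": "FailedDataOnly",  # back up undeliverable data only
            "S3Configuration": {
                "RoleArn": role_arn,
                "BucketARN": backup_bucket_arn,  # dedicated bucket for XDR
            },
            "CloudWatchLoggingOptions": {  # 'Error logging: Enabled'
                "Enabled": True,
                "LogGroupName": f"/aws/kinesisfirehose/{name}",
                "LogStreamName": "DestinationDelivery",
            },
        },
    }


def audit_http_destination(dest):
    """List deviations from the page's settings in an HTTP endpoint destination
    (the configuration above or an HttpEndpointDestinationDescription)."""
    findings = []
    if dest.get("RequestConfiguration", {}).get("ContentEncoding") != "GZIP":
        findings.append("content encoding is not GZIP (raises egress cost)")
    if dest.get("RetryOptions", {}).get("DurationInSeconds") != 300:
        findings.append("retry duration is not 300 seconds")
    hints = dest.get("BufferingHints", {})
    if (hints.get("SizeInMBs"), hints.get("IntervalInSeconds")) != (1, 60):
        findings.append("HTTP buffer hints are not 1 MiB / 60 seconds")
    if dest.get("S3BackupMode") != "FailedDataOnly":
        findings.append("S3 backup mode is not FailedDataOnly")
    if not dest.get("CloudWatchLoggingOptions", {}).get("Enabled"):
        findings.append("error logging is disabled")
    return findings
```

To audit a live stream, pass `describe_delivery_stream(...)["DeliveryStreamDescription"]["Destinations"][0]["HttpEndpointDestinationDescription"]` to `audit_http_destination`.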