FortiSIEM - AWS Integration

  • 1.  FortiSIEM - AWS Integration

    Posted Jan 28, 2021 04:06 AM
    Hi All,

    I would like to clarify a few things regarding FortiSIEM integration with the AWS environment.


    • AWS CloudWatch – There is a section on the guide on AWS EC2 CloudWatch API but nothing related to CloudWatch events on other AWS services.
    • AWS Kinesis - There is a section on the guide on AWS Kinesis but it doesn't mention specifics such as
      • Whether it is using Kinesis Data Streams/Data Firehose
      • Does it collect these streams into an S3 bucket
      • What types of log sources are supported via Kinesis
    • AWS Shield (WAF) / AWS Route53 logs / AWS GuardDuty – There aren't any sections on how these AWS services integrate with FortiSIEM. (Can it be done via Kinesis?)
    • I just saw a guide on VPC Flows
    Can anyone provide an insight? Thanks.

    ------------------------------
    Cheers,
    Isuru
    ------------------------------


  • 2.  RE: FortiSIEM - AWS Integration

    GROUP ADMIN
    Posted Feb 15, 2021 02:58 AM
    Hi Isuru,

    • AWS CloudWatch – There is a section on the guide on AWS EC2 CloudWatch API but nothing related to CloudWatch events on other AWS services.
      • It collects the EC2 Metrics. If there is something else you need, let us know.
    • AWS Kinesis - There is a section on the guide on AWS Kinesis but it doesn't mention specifics such as
      • AWS Kinesis can collect data from different devices/services; the data format is the same as the source data, so a parser may need to be created. As an example, AWS Shield could log to Kinesis but the logs may not be parsed.

    Thanks

    Dan


    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------



  • 3.  RE: FortiSIEM - AWS Integration

    Posted Feb 21, 2021 09:00 AM
    Hi Dan,

    Thanks for the response, but my concerns are:

    • It collects the EC2 Metrics. If there is something else you need, let us know.
      • What about other metrics ?
      • Does FortiSIEM only support EC2 metrics?

    • AWS Kinesis can collect data from different devices/services; the data format is the same as the source data, so a parser may need to be created. As an example, AWS Shield could log to Kinesis but the logs may not be parsed.
      • What if we store the Kinesis streams in an S3 bucket?
      • Will the provided integration be able to pull those streams?


    ------------------------------
    Cheers,
    Isuru
    ------------------------------



  • 4.  RE: FortiSIEM - AWS Integration

    Posted Mar 23, 2021 08:06 AM
    Hi Isuru,

    It supports RDS, EFS and EC2 metrics using the EC2 credential method.
    Using the Kinesis credential method it supports all services that can log to S3 using Kinesis. You'll need to create a credential per Kinesis/S3 pair.
    Using CloudTrail it supports all services that log to S3 using CloudTrail. You also need to create a credential per CloudTrail/SNS/S3 group.

    You may run into the case of the parser being too generic for a specific service that you're logging; if that is the case, PM me and I'll enhance the parser for the service you need.

    Kind Regards,

    ------------------------------
    Dušan Tomić - Consulting Systems Engineer INTL
    Fortinet
    ------------------------------
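The CloudTrail/SNS/S3 delivery chain described in the reply above, shown as an added illustration that is not FortiSIEM's or Fortinet's code: a collector receives the notification CloudTrail publishes to SNS when it writes a log file, fetches the gzipped object from S3, and flattens the records into the fields a SIEM parser correlates on. The S3 read is a hypothetical offline stand-in (`fetch_object`) backed by a constructed in-memory object; the notification and record field names follow the public CloudTrail formats, and all sample values are constructed.

```python
import gzip
import json

# Constructed sample: the notification CloudTrail publishes to SNS when a log file lands in S3.
BUCKET = "example-trail-bucket"
KEY = "AWSLogs/123456789012/CloudTrail/us-east-1/2021/03/23/example.json.gz"
SNS_MESSAGE = json.dumps({"s3Bucket": BUCKET, "s3ObjectKey": [KEY]})

# Constructed sample object body: CloudTrail writes gzipped JSON with a top-level "Records" array.
_RAW_RECORDS = {"Records": [
    {"eventTime": "2021-03-23T08:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-new"}},
    {"eventTime": "2021-03-23T08:07:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/RO/s1"},
     "errorCode": "AccessDenied"},
]}
FAKE_S3 = {(BUCKET, KEY): gzip.compress(json.dumps(_RAW_RECORDS).encode())}

def fetch_object(bucket, key):
    """Hypothetical offline stand-in for s3.get_object(Bucket=bucket, Key=key)['Body'].read()."""
    return FAKE_S3[(bucket, key)]

def objects_from_notification(message):
    """Turn one CloudTrail SNS notification into the (bucket, key) pairs it announces."""
    body = json.loads(message)
    return [(body["s3Bucket"], key) for key in body["s3ObjectKey"]]

def flatten_record(rec):
    """Map one CloudTrail record onto the flat fields a SIEM parser needs for correlation."""
    ident = rec.get("userIdentity", {})
    return {
        "time": rec["eventTime"],
        "service": rec["eventSource"].split(".")[0],          # "iam", "s3", ...
        "action": rec["eventName"],
        "actor": ident.get("userName") or ident.get("arn", "unknown"),
        "src_ip": rec.get("sourceIPAddress"),
        "region": rec.get("awsRegion"),
        "outcome": "failure" if rec.get("errorCode") else "success",
    }

def collect(message):
    """Notification -> S3 object(s) -> gunzip -> flattened events; one CloudTrail/SNS/S3 group's worth."""
    events = []
    for bucket, key in objects_from_notification(message):
        data = json.loads(gzip.decompress(fetch_object(bucket, key)))
        events.extend(flatten_record(r) for r in data["Records"])
    return events
```

Because each CloudTrail/SNS/S3 group delivers to its own bucket and topic, a collector like this is instantiated once per group, which is the per-credential arrangement the reply describes.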



  • 5.  RE: FortiSIEM - AWS Integration

    Posted Mar 25, 2021 08:38 PM
    Hi Dusan,

    Thanks for the insight and support.

    ------------------------------
    Cheers,
    Isuru
    ------------------------------