AWS Configuration Guide for Cloud SIEM

Overview

Cloud SIEM applies detection rules to all processed logs in Datadog to detect threats, like a targeted attack, a threat intel listed IP communicating with your systems, or an insecure configuration. The threats are surfaced as Security Signals in the Security Signals Explorer for triaging.

This guide walks you through the following steps so that you can start detecting threats with your AWS CloudTrail logs:

  1. Set up Datadog’s AWS integration
  2. Enable AWS CloudTrail logs
  3. Send AWS CloudTrail logs to Datadog
  4. Use Cloud SIEM to triage Security Signals

Set up AWS integration using CloudFormation

  1. Go to Datadog’s AWS integration tile to install the integration.

  2. Click Automatically Using CloudFormation. If there is already an AWS account set up, click Add Another Account first.

  3. Select the AWS Region where the CloudFormation stack will be launched.

  4. Select or create the Datadog API Key used to send data from your AWS account to Datadog.

  5. Select Yes for Send Logs to Datadog to set up the Datadog Lambda Forwarder to be used later for sending AWS CloudTrail logs to Datadog.

  6. Click Launch CloudFormation Template. This opens the AWS Console and loads the CloudFormation stack with the parameters filled in based on your selections in the Datadog form.

    Note: The DatadogAppKey parameter enables the CloudFormation stack to make API calls to Datadog, allowing it to add and edit the configuration for this AWS account. The key is automatically generated and tied to your Datadog account.

  7. Check the required boxes from AWS and click Create stack.

  8. After the CloudFormation stack is created, return to the AWS integration tile in Datadog and click Ready!

Notes:

Enable AWS CloudTrail logging

Enable AWS CloudTrail logging so that logs are sent to a S3 bucket. If you already have this setup, skip to Send AWS CloudTrail logs to Datadog.

  1. Click Create trail on the CloudTrail dashboard.
  2. Enter a name for your trail.
  3. Create a new S3 bucket or use an existing S3 bucket to store the CloudTrail logs.
  4. Create a new AWS KMS key or use an existing AWS KMS key, then click Next.
  5. Leave the event type with the default management read and write events, or choose additional event types you want to send to Datadog, then click Next.
  6. Review and click Create trail.

Send AWS CloudTrail logs to Datadog

Set up a trigger on your Datadog Forwarder Lambda function to send CloudTrail logs stored in the S3 bucket to Datadog for monitoring.

  1. Go to the Datadog Forwarder Lambda that was created during the AWS integration set up.
  2. Click Add trigger.
  3. Select S3 for the trigger.
  4. Select the S3 bucket you are using to collect AWS CloudTrail logs.
  5. For Event type, select All object create events.
  6. Click Add.
  7. See CloudTrail logs in Datadog’s Log Explorer.

See Log Explorer for more information on how to search and filter, group, and visualize your logs.

Use Cloud SIEM to triage Security Signals

Cloud SIEM applies out of the box detection rules to all processed logs, including the CloudTrail logs you have just set up. When a threat is detected with a Detection Rule, a Security Signal is generated and can be viewed in the Security Signals Explorer.

Since Cloud SIEM applies detection rules to all processed logs, see the in-app instructions on how to collect Kubernetes audit logs and logs from other sources for threat detection. You can also enable different AWS services to log to a S3 bucket and send them to Datadog for threat monitoring.

Further reading

PREVIEWING: rtrieu/product-analytics-ui-changes