Security Center: Add logs of cloud services

Last Updated: Apr 26, 2024

After you enable the threat analysis and response feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. The cloud services can belong to the same Alibaba Cloud account as Security Center, a different Alibaba Cloud account from Security Center, or a third-party cloud account. After you add logs, the threat analysis and response feature monitors and analyzes the added logs, identifies and builds attack chains, and generates security events. This improves the analysis and handling efficiency of alerts.

Prerequisites

  • The threat analysis and response feature is enabled. For more information, see Purchase and enable threat analysis and response.

  • Simple Log Service is activated for the cloud service whose logs you want to add to the threat analysis and response feature. For more information, see the documentation of the cloud service on the official website, or click View Document in the Select Account panel.

Add logs of cloud services within the same Alibaba Cloud account

If the cloud service whose logs you want to add to the threat analysis and response feature belongs to the Alibaba Cloud account that is used to purchase the feature, you can directly find the cloud service and select log types on the Service Integration page to add logs.

  1. In the left-side navigation pane, choose Threat Analysis and Response > Service Integration.

  2. On the Service Integration page, find the required cloud service and click Access Settings in the Actions column.

  3. In the panel that appears, find the required log type and click Select in the Import Account column.

  4. In the Select Account panel, select the current logon account. Then, select a Logstore if required.

    Note

    If your Alibaba Cloud account has passed only individual real-name verification, only that account is displayed in the Select Account panel.

    • If a cloud service such as Security Center supports only a dedicated Logstore, you only need to select the current logon account. You do not need to select a Logstore. After you select the current logon account, the logs of the cloud service are automatically stored in the dedicated Logstore.

    • If a cloud service also supports custom Logstores, you must select the current logon account and the required Logstore from the drop-down list in the LogStore (Format: regionId.project.logStore) column. Alternatively, you can copy and paste the name of the custom Logstore that you want to use. The name of a Logstore is in the regionId.project.logStore format.

Add logs of cloud services across Alibaba Cloud accounts

If you want to centrally manage the logs of cloud services that belong to different Alibaba Cloud accounts in the Security Center console, you can use the multi-account management feature that is jointly launched by Resource Directory of Resource Management and Security Center. You can use the feature to establish a multi-account structure for the accounts and resources of your enterprise to implement centralized management.

Important

The Alibaba Cloud accounts that can be added to a resource directory must belong to the same enterprise and pass enterprise real-name verification. You can authorize the threat analysis and response feature to access a resource directory only once. If your Alibaba Cloud account has passed only individual real-name verification, the threat analysis and response feature can collect logs only from that account, and you do not need to configure settings in Resource Directory.

1. Establish a multi-account structure

Enable a resource directory and specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account.

  1. Log on to the Resource Management console with the management account.

  2. The first time you use Resource Directory, click Resource Directory in the left-side navigation pane, and click Enable Resource Directory. Then, follow the on-screen instructions to enable a resource directory. For more information, see Enable a resource directory.

  3. Create a member or invite an Alibaba Cloud account to join the resource directory.

    • Create a member: In the left-side navigation pane, choose Resource Directory > Create Member Account to create a member. For more information, see Create a member.

    • Invite a member: Choose Resource Directory > Invite Member to invite an Alibaba Cloud account to join the resource directory. For more information, see Invite an Alibaba Cloud account to join a resource directory.

  4. Specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account.

    In the left-side navigation pane, choose Resource Directory > Trusted Services. In the Actions column of Security Center - Threat Analysis, click Manage to specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account. For more information, see Add a delegated administrator account.

2. Add the member to threat analysis and response for monitoring

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Multi-account Management.

  3. The first time you use the multi-account management feature, click Enable Management in Security Center.

    After you enable the multi-account management feature, the system automatically creates a service-linked role named AliyunServiceRoleForSasRd for the member. Security Center can assume this role to access the resources of cloud services within the member, such as Virtual Private Cloud (VPC) and Cloud Firewall. After you add the cloud services to the threat analysis and response feature, you can use the feature to monitor the logs of the cloud services, deliver logs, and handle security events. The threat analysis and response feature provides centralized alert management and threat source tracing capabilities.

  4. On the Multi-account Management > Account Monitored by Threat Analysis tab, click Account Management.

  5. In the Add Account panel, select the member and click OK. The member must be an Alibaba Cloud account.

  6. Optional. In the account list, turn on Access Authorization for the added Alibaba Cloud account.

    After you turn on Access Authorization, the added Alibaba Cloud account is granted read-only permissions on the Alert and Log Management pages and can view the data of its own resources that are added to the threat analysis and response feature.

3. Add logs of cloud services within the member

You can add logs of cloud services across Alibaba Cloud accounts in the same manner as you add logs of a cloud service within the same Alibaba Cloud account. The only difference is the ID of the account that you select. For more information, see Add logs of cloud services within the same Alibaba Cloud account.

Add logs of cloud services within a third-party cloud account

If your business is deployed on Alibaba Cloud and a third-party cloud service and you want to manage alerts across cloud environments, you can add your third-party cloud account to the threat analysis and response feature to implement centralized alert monitoring and operations management. Supported providers of third-party cloud services are Huawei Cloud and Tencent Cloud.

1. Configure a third-party cloud account

Configure a Huawei Cloud sub-account

  1. Create two custom policies named siemBasePolicy and siemNormalPolicy. For more information, see Create a custom policy.

    Note

    When you create a custom policy on Huawei Cloud, you cannot select global-level and project-level cloud services at the same time. In this case, you must create two policies to comply with the principle of least privilege.

    • siemBasePolicy: the permissions on global-level cloud services. The following code shows the content of the policy:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:roles:listRoles",
                      "iam:roles:getRole",
                      "iam:groups:listGroupsForUser",
                      "iam:groups:listGroups",
                      "iam:users:getUser",
                      "iam:groups:getGroup"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "rms:resources:list",
                      "rms:resources:summarize"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "obs:object:GetObject",
                      "obs:bucket:GetBucketLocation",
                      "obs:bucket:HeadBucket",
                      "obs:object:GetObjectVersionAcl",
                      "obs:bucket:ListAllMyBuckets",
                      "obs:bucket:ListBucket",
                      "obs:object:GetObjectVersion",
                      "obs:object:GetObjectAcl"
                  ]
              }
          ]
      }
    • siemNormalPolicy: the permissions on project-level cloud services. The following code shows the content of the policy:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cfw:ipGroup:list",
                      "cfw:acl:list",
                      "cfw:ipMember:put",
                      "cfw:ipMember:create",
                      "cfw:ipGroup:create",
                      "cfw:instance:get",
                      "cfw:ipGroup:put",
                      "cfw:ipMember:list",
                      "cfw:ipGroup:get",
                      "cfw:ipMember:delete"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "waf:whiteBlackIpRule:list",
                      "waf:whiteBlackIpRule:put",
                      "waf:ipgroup:get",
                      "waf:whiteBlackIpRule:get",
                      "waf:ipgroup:list",
                      "waf:whiteBlackIpRule:create",
                      "waf:whiteBlackIpRule:delete"
                  ]
              }
          ]
      }
  2. Create user groups named siemUser and readonlyuser, and grant the required permissions to the user groups. The following table describes the required permissions. For more information, see Create a user group and assign permissions.

    User group: siemUser

    Required permissions: the custom policies siemBasePolicy and siemNormalPolicy.

    User group: readonlyuser

    Required permissions:

    • LTS ReadOnlyAccess: the read-only permission on Log Tank Service (LTS).

    • OBS OperateAccess: the permissions to perform basic operations on Object Storage Service (OBS). The following operations are included: view the bucket list, obtain bucket metadata, list objects in a bucket, query bucket locations, upload objects, obtain objects, delete objects, and obtain the ACL configurations of an object.

    • OBS ReadOnlyAccess: the read-only permissions on OBS. The following operations are supported: view the bucket list, obtain bucket metadata, list objects in a bucket, and query the location of a bucket.

    • CFW ReadOnlyAccess: the read-only permissions on Cloud Firewall.

    • WAF ReadOnlyAccess: the read-only permissions on Web Application Firewall (WAF).

  3. Create an Identity and Access Management (IAM) user and associate the IAM user with the siemUser user group. For more information, see Create an IAM user.

  4. Create an AccessKey pair for the IAM user. For more information, see Manage AccessKey pairs for an IAM user.

Configure a Tencent Cloud sub-account

  1. Create a custom policy named siemPolicy by using policy syntax.

    The following code shows the content of the policy.

    {
        "statement": [
            {
                "action": [
                    "cfw:DescribeAclApiDispatch",
                    "cfw:DescribeBorderACLList",
                    "cfw:CreateAcRules"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            },
            {
                "action": [
                    "waf:DescribeDomains",
                    "waf:DescribeIpAccessControl",
                    "waf:DeleteIpAccessControl",
                    "waf:UpsertIpAccessControl",
                    "waf:PostAttackDownloadTask"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            },
            {
                "action": [
                    "ckafka:DescribeDatahubGroupOffsets",
                    "ckafka:DescribeGroup",
                    "ckafka:DescribeGroupInfo",
                    "ckafka:DescribeGroupOffsets",
                    "ckafka:CreateDatahubGroup",
                    "ckafka:ModifyDatahubGroupOffsets",
                    "ckafka:ListConsumerGroup"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            },
            {
                "action": [
                    "cam:GetUser",
                    "cam:CheckSubAccountName",
                    "cam:CheckUserPolicyAttachment",
                    "cam:GetAccountSummary",
                    "cam:GetPolicy",
                    "cam:GetPolicyVersion",
                    "cam:ListAllGroupsPolicies",
                    "cam:ListAttachedGroupPolicies",
                    "cam:ListAttachedRolePolicies",
                    "cam:ListAttachedUserAllPolicies",
                    "cam:ListAttachedUserPolicies",
                    "cam:ListGroupsPolicies",
                    "cam:ListPolicies",
                    "cam:ListUsers"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            }
        ],
        "version": "2.0"
    }
  2. Create a sub-account. For more information, see Create a sub-account.

  3. Attach the siemPolicy policy to the created sub-account. For more information, see Authorization management.

  4. Create an AccessKey pair for the sub-account. For more information, see AccessKey pair.
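Before you create the siemBasePolicy and siemNormalPolicy policies on Huawei Cloud or the siemPolicy policy on Tencent Cloud, it is useful to audit what each document grants. The following script is an added example; it is not code from the Security Center documentation or from either cloud provider. It parses the Huawei Cloud ("Version": "1.1") and Tencent Cloud ("version": "2.0") policy documents shown above, normalizes them to one shape, classifies each allowed action as read-only or mutating, counts statements that grant a wildcard resource (only the Tencent Cloud document carries a resource key), and diffs a policy that was actually created in the console against the documented one. The verb list used to decide which actions are mutating is an assumption of this script, and the policy contents are copied from the page as Python literals.

```python
"""Audit the SIEM integration policies documented above. Added example, not
Security Center, Huawei Cloud or Tencent Cloud code. Assumption: an action
whose last segment starts with one of WRITE_VERBS is mutating."""
import json
from dataclasses import dataclass

WRITE_VERBS = ("put", "create", "delete", "modify", "upsert", "post")

# Policy documents copied from the page, written as Python literals.
HUAWEI_BASE = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["iam:roles:listRoles", "iam:roles:getRole",
        "iam:groups:listGroupsForUser", "iam:groups:listGroups", "iam:users:getUser",
        "iam:groups:getGroup"]},
    {"Effect": "Allow", "Action": ["rms:resources:list", "rms:resources:summarize"]},
    {"Effect": "Allow", "Action": ["obs:object:GetObject", "obs:bucket:GetBucketLocation",
        "obs:bucket:HeadBucket", "obs:object:GetObjectVersionAcl", "obs:bucket:ListAllMyBuckets",
        "obs:bucket:ListBucket", "obs:object:GetObjectVersion", "obs:object:GetObjectAcl"]}]}
HUAWEI_NORMAL = {"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": ["cfw:ipGroup:list", "cfw:acl:list", "cfw:ipMember:put",
        "cfw:ipMember:create", "cfw:ipGroup:create", "cfw:instance:get", "cfw:ipGroup:put",
        "cfw:ipMember:list", "cfw:ipGroup:get", "cfw:ipMember:delete"]},
    {"Effect": "Allow", "Action": ["waf:whiteBlackIpRule:list", "waf:whiteBlackIpRule:put",
        "waf:ipgroup:get", "waf:whiteBlackIpRule:get", "waf:ipgroup:list",
        "waf:whiteBlackIpRule:create", "waf:whiteBlackIpRule:delete"]}]}
TENCENT = {"version": "2.0", "statement": [
    {"effect": "allow", "resource": ["*"], "action": ["cfw:DescribeAclApiDispatch",
        "cfw:DescribeBorderACLList", "cfw:CreateAcRules"]},
    {"effect": "allow", "resource": ["*"], "action": ["waf:DescribeDomains",
        "waf:DescribeIpAccessControl", "waf:DeleteIpAccessControl",
        "waf:UpsertIpAccessControl", "waf:PostAttackDownloadTask"]},
    {"effect": "allow", "resource": ["*"], "action": ["ckafka:DescribeDatahubGroupOffsets",
        "ckafka:DescribeGroup", "ckafka:DescribeGroupInfo", "ckafka:DescribeGroupOffsets",
        "ckafka:CreateDatahubGroup", "ckafka:ModifyDatahubGroupOffsets",
        "ckafka:ListConsumerGroup"]},
    {"effect": "allow", "resource": ["*"], "action": ["cam:GetUser", "cam:CheckSubAccountName",
        "cam:CheckUserPolicyAttachment", "cam:GetAccountSummary", "cam:GetPolicy",
        "cam:GetPolicyVersion", "cam:ListAllGroupsPolicies", "cam:ListAttachedGroupPolicies",
        "cam:ListAttachedRolePolicies", "cam:ListAttachedUserAllPolicies",
        "cam:ListAttachedUserPolicies", "cam:ListGroupsPolicies", "cam:ListPolicies",
        "cam:ListUsers"]}]}


@dataclass(frozen=True)
class Stmt:
    effect: str       # "allow" or "deny", lower-cased
    actions: tuple    # action strings exactly as written in the policy
    resources: tuple  # empty for the Huawei documents, which carry no Resource key


def load_policy(policy) -> list:
    """Accept a JSON string or a parsed dict and return normalized statements.
    Huawei uses Statement/Effect/Action; Tencent uses the lower-case keys."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    out = []
    for s in doc.get("Statement", doc.get("statement", [])):
        effect = str(s.get("Effect", s.get("effect", ""))).lower()
        actions = s.get("Action", s.get("action", []))
        resources = s.get("Resource", s.get("resource", []))
        # Both providers accept a bare string where a list is expected.
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = [resources] if isinstance(resources, str) else list(resources)
        out.append(Stmt(effect, tuple(actions), tuple(resources)))
    return out


def is_write_action(action: str) -> bool:
    """Classify by the last colon-separated segment: 'cfw:ipMember:put' -> 'put',
    'waf:UpsertIpAccessControl' -> 'upsertipaccesscontrol'."""
    return action.rsplit(":", 1)[-1].lower().startswith(WRITE_VERBS)


def allowed_actions(policy) -> set:
    return {a for s in load_policy(policy) if s.effect == "allow" for a in s.actions}


def audit(policy) -> dict:
    """Services touched, mutating actions, and statements with a wildcard resource."""
    allowed = allowed_actions(policy)
    return {
        "services": sorted({a.split(":", 1)[0] for a in allowed}),
        "write_actions": sorted(a for a in allowed if is_write_action(a)),
        "wildcard_resource_statements": sum(1 for s in load_policy(policy) if "*" in s.resources),
    }


def diff_actions(created, documented) -> dict:
    """'extra' is the least-privilege finding; 'missing' explains a failing integration."""
    have, want = allowed_actions(created), allowed_actions(documented)
    return {"extra": sorted(have - want), "missing": sorted(want - have)}


if __name__ == "__main__":
    for name, pol in (("siemBasePolicy", HUAWEI_BASE), ("siemNormalPolicy", HUAWEI_NORMAL),
                      ("siemPolicy", TENCENT)):
        print(name, json.dumps(audit(pol)))
    # Constructed drift: an operator added an upload permission by hand.
    drifted = json.loads(json.dumps(HUAWEI_BASE))
    drifted["Statement"][2]["Action"].append("obs:object:PutObject")
    print("drift vs documented siemBasePolicy:", diff_actions(drifted, HUAWEI_BASE))
```

Run the script as-is to see the audit of the three documented policies; to check a policy you created in a console, export its JSON, pass the string to diff_actions together with the matching documented literal, and treat any entry in "extra" as a least-privilege finding to remove before the AccessKey pair is issued.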

2. Add the third-party cloud account to threat analysis and response

You must add the third-party cloud account to threat analysis and response by entering the AccessKey pair of the sub-account. This way, threat analysis and response can obtain the alert logs of third-party cloud assets.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. Grant permissions to the sub-account.

    Security Center obtains the read permissions on third-party cloud assets and synchronizes the information about third-party cloud assets by using the AccessKey pair of the sub-account.

    1. In the left-side navigation pane, choose System Configuration > Feature Settings.

    2. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission, and select the required third-party cloud service provider from the drop-down list. Tencent Cloud and Huawei Cloud are supported.

    3. In the Edit Multi-cloud Configuration panel, select Manual Configuration, select ${aegis.vendor.module._display_name_SIEM} in the Permission Description section, and then click Next.

    4. In the Submit AccessKey Pair step, enter the AccessKey pair of the sub-account and click Next.

    5. In the Policy Configuration step, configure the AK Service Status Check parameter and click OK.

  3. Add the sub-account to threat analysis.

    1. In the left-side navigation pane, choose Threat Analysis and Response > Service Integration.

    2. In the Multi-cloud Service Access section, move the pointer over the icon of the required third-party cloud service provider and click Add Account.

    3. In the Add Account panel, click Add.

    4. In the Account Association Settings panel, enter the name and ID of the master account for the sub-account, select the AccessKey ID of the sub-account, and then click Associate Account and Associate Data Source.

    5. In the Data Source Settings panel, specify the cloud services whose logs you want to add.

      A cloud service corresponds to a data source, and an access method of the data source corresponds to a log type of the cloud service. You must select an access method for a data source based on your log type. The following table describes the mapping relationships between log types and access methods.

      Cloud service provider | Log type | Access method

      Huawei Cloud | Alert logs of Cloud Firewall; alert logs of WAF | obs

      Tencent Cloud | Alert logs of Cloud Firewall | ckafka

      Tencent Cloud | Alert logs of WAF | wafApi

3. Add logs of cloud services within the third-party cloud account

  1. In the left-side navigation pane, choose Threat Analysis and Response > Service Integration.

  2. On the Service Integration page, find the third-party cloud service whose logs you want to add and click Access Settings in the Actions column.

  3. In the panel that appears, find the required log type and click the value in the Associated Accounts column.

  4. In the panel that appears, select the sub-account and click OK.

  5. Turn on or turn off the switch in the Automatically Associate New Accounts column based on your business requirements.

    Automatically Associate New Accounts: If you turn on the switch for a log type and a new third-party cloud account is added to Security Center, threat analysis and response automatically adds the logs of that log type from the cloud services within the new account.

Reference

  • After you add logs of cloud services to threat analysis and response, you can configure detection rules to aggregate multiple related alerts into security events that contain complete attack chains. This reduces the number of alerts and improves the analysis and handling efficiency of alerts. For more information, see Use detection rules.

  • You can use the charts on the dashboard provided by threat analysis and response to centrally monitor and manage the security status of your enterprise across cloud platforms, accounts, and cloud services. You can also review the performance of security operations. For more information, see Dashboard.

  • You can use the log management feature of threat analysis and response to quickly query logs and view information about logs. This helps simplify log management in a multi-resource environment. For more information, see Log management.

  • You can call API operations to submit multiple tasks that add cloud services or logs at the same time, or to view the cloud accounts that are added to threat analysis. For more information, see Log Management.

  • Does the threat analysis and response feature support devices in a data center?