Versions Compared

Version Old Version 24 New Version 25
Changes made by

Juan Tomás Alonso Nieto

Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Data Source

Description

API Endpoint

Collector service name

Devo Tabletable

Available from release

Service events

The different available services in AWS usually generate some information related to their internal behaviors, such as "a virtual machine has been started", "a new file has been created in an S3 bucket" or "an AWS lambda function has been invoked" and this kind of event can be triggered by no human interaction.

The service events are managed by the CloudWatch Events service (CWE), recently AWS has created a new service called Amazon EventBridge that tends to replace the CWE service.

The findings detected by AWS Security Hub are also managed by CloudWatch Events (CWE).

ReceiveMessage

ReceiveMessage - Amazon Simple Queue Service

Generic events:

service-events-all

Security Hub events:

sqs-cloudwatch-consumer

Generic events:

  • If auto_event_type parameter in config file is not set or set to false: cloud.aws.cloudwatch.events

  • If auto_event_type parameter in config file is set to true: cloud.aws.cloudwatch.{event_type}

Security Hub events:

  • cloud.aws.securityhub.findings

-

Audit events

This kind of event is more specific because they are triggered by a human interaction no matter the different ways used: API, web interaction, or even the CLI console.

The audit events are managed by the CloudTrail service.

There are two ways to read Audit events:

  • API: using CloudTrail API. This way is slower, but it can retrieve data back in time.

  • S3+SQS: forwarding CloudTrail data to an S3 bucket and reading from there through a SQS queue. This way is much faster, but it only can retrieve elements since the creation of the S3+SQS pipeline.

Via API:

LookupEvents

LookupEvents - AWS CloudTrail

Via S3+SQS:

ReceiveMessage

ReceiveMessage - Amazon Simple Queue Service

audit-events-all

  • If auto_event_type parameter in config file is not set or set to false: cloud.aws.cloudtrail.events

  • If auto_event_type parameter in config file is set to true: cloud.aws.cloudtrail.{event_type}

-

Metrics

According to the standard definition, this kind of information is usually generated at the same moment is requested because it is usually a query about the status of a service (all things inside AWS are considered services).

AWS makes something slightly different because what is doing is to generate metrics information every N time slots, such as 1 min, 5 min, 30 min, 1h, etc., even if no one makes a request (also is possible to have information every X seconds but this would require extra costs).

The metrics are managed by the CloudWatch Metrics service (CWM).

ListMetrics

ListMetrics - Amazon CloudWatch

After listing the metrics, GetMetricData and GetMetricStatistics are also called.

GetMetricData - Amazon CloudWatch

GetMetricStatistics - Amazon CloudWatch

 

metrics-all

cloud.aws.cloudwatch.metrics

-

Logs

Logs could be defined as information with a non-fixed structure that is sent to one of the available “logging” services, these services are CloudWatch Logs and S3.

There are some very customizable services, such as AWS Lambda, or even any developed application which is deployed inside an AWS virtual machine (EC2), that can generate custom log information, this kind of information is managed by the CloudWatch Logs service (CWL) and also by the S3 service.

There are also some other services that can generate logs with a fixed structure, such as VPC Flow Logs or CloudFront Logs. These kinds of services require one special way of collecting their data.

DescribeLogStreams

DescribeLogStreams - Amazon CloudWatch Logs

Logs can be:

  • Managed by Cloudwatch: This is a custom service that is activated using service custom_service and including the type logs into the types parameter in the config file.

  • Not managed by Cloudwatch: Use non-cloudwatch-logs service and include the required type (flowlogs for VPC Flow Logs and/or cloudfrontlogs for CloudFront Logs) into the types parameter in the config file.

 

  • Managed by Cloudwatch: cloud.aws.cloudwatch.logs

  • Not managed by Cloudwatch:

    • VPC Flow Logs:

      • If auto_event_type parameter in config file is set to true: cloud.aws.vpc.unknown

      • If auto_event_type parameter in config file is set to true: cloud.aws.vpc.{event_type}

    • CloudFront Logs:

      • If auto_event_type parameter in config file is set to true: cloud.aws.cloudfront.unknown

      • If auto_event_type parameter in config file is set to true: cloud.aws.cloudfront.{event_type}

-

...