cloud.aws.cloudwatch
The cloud.aws.cloudwatch tag identifies log events generated by the Amazon CloudWatch service. For more information about CloudWatch and the kind of information it makes available to you, consult the vendor documentation.
Tag structure
The full tag must have 4 levels. The first 3 are fixed as cloud.aws.cloudwatch. The fourth level identifies the type of events sent.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Amazon CloudWatch | cloud.aws.cloudwatch.alarm | cloud.aws.cloudwatch.alarm |
Amazon CloudWatch | cloud.aws.cloudwatch.events | cloud.aws.cloudwatch.events |
Amazon CloudWatch | cloud.aws.cloudwatch.logs | cloud.aws.cloudwatch.logs |
Amazon CloudWatch | cloud.aws.cloudwatch.metrics | cloud.aws.cloudwatch.metrics |
For more information, read more about Devo tags.
How is the data sent to Devo?
To collect and forward data from CloudWatch Events to Devo, you create an AWS Lambda function that receives data from a CloudWatch rule and forwards it securely to Devo. We provide the source code and files required to create the function. You only need to use these files to create the function, customize a few environment variables, and set up the CloudWatch rule that starts forwarding data.
This article takes you step-by-step through the configuration process.
Download the source code files
Download the cloudwatch-to-devo zip file. It contains two folders and three files at the root level.
Download your Devo domain certificate files
Log into the Devo web application, go to Administration → Credentials → X.509 Certificates and download the X.509 Certificate and Private Key to the /certs folder of the source code files.
Prepare the ZIP file for upload
Having added the certificate files, your source code is complete.
Tip
For troubleshooting the initial setup, you can enable the logging of additional events related to the Lambda function's activity. These will appear in the function's log file, available in CloudWatch - Logs. To enable this logging, open the index.js file and uncomment the lines that start with console.log. Later, when you have confirmed that events are being correctly streamed to your Devo domain, you can edit the file and comment out the console.log lines again.
Create a .zip file containing the certs and node_modules folders, index.js, and package.json. You can name it anything you like.
Create the Lambda function
This procedure guides you through creating the new Lambda function that will receive the CloudWatch events.
Set up the CloudWatch rule
Log into your AWS Console and go to CloudWatch → Rules. Click Create rule. This launches a wizard.
In Step 1, under Event Source, select Event Pattern and Build event pattern to match all events. Under Targets, select Lambda function, then select the name and version of the function you just created. Click Configure details.
In Step 2, under Rule definition, enter a Name for the new rule, for example, SendCloudWatchEventstoLambdaFunction. You may optionally enter a description, but be sure to select the State checkbox to enable the rule. Click Create rule.
With both the rule and the Lambda function enabled, events should begin to flow to your Devo domain. Look out for the cloud.aws.cloudwatch.events table to appear in your Finder.
If the table doesn't appear in your domain's Finder after 10 minutes, here are some things you can do to troubleshoot the problem:
Go to CloudWatch - Logs and open the Log Group for the Lambda function you created. If there are errors, they will appear here.
Make sure the Lambda function's environment variable definitions match the certificate file names in the .zip that you uploaded.
Select your Lambda function and click Test to make sure the function is working properly. We recommend that you copy the JSON of an existing event from the function's CloudWatch log to use in the test event.
Go to CloudWatch - Rules and make sure that your rule Status is active.
Table structure
These are the fields displayed in these tables:
cloud.aws.cloudwatch.alarm
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
ACCID | | | |
REGION | | | |
message | | rawMessage | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |
cloud.aws.cloudwatch.events
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
ACCID | | | | |
REGION | | | | |
message | | | rawSource | |
version | | | | |
id | | | | |
detail_type | | | | |
source | | | | |
account | | | | |
time | | | | |
region | | | | |
resources_str | | stringify(json(resources)) | resources | |
detail_eventVersion | | | | |
detail_userIdentity_type | | | | |
detail_userIdentity_principalId | | | | |
detail_userIdentity_arn | | | | |
detail_userIdentity_accountId | | | | |
detail_userIdentity_accessKeyId | | | | |
detail_userIdentity_sessionContext_attributes_mfaAuthenticated | | | | |
detail_userIdentity_sessionContext_attributes_creationDate | | | | |
detail_userIdentity_sessionContext_sessionIssuer_type | | | | |
detail_userIdentity_sessionContext_sessionIssuer_principalId | | | | |
detail_userIdentity_sessionContext_sessionIssuer_arn | | | | |
detail_userIdentity_sessionContext_sessionIssuer_accountId | | | | |
detail_userIdentity_sessionContext_sessionIssuer_userName | | | | |
detail_eventTime | | | | |
detail_eventSource | | | | |
detail_eventName | | | | |
detail_awsRegion | | | | |
detail_sourceIPAddress | | | | |
detail_userAgent | | | | |
detail_requestParameters_encryptionContext_aws_lambda_FunctionArn | | | | |
detail_responseElements | | | | |
detail_requestID | | | | |
detail_eventID | | | | |
detail_readOnly | | | | |
resources_ARN_str | | stringify(json(resources_ARN)) | resources_ARN | |
resources_accountId_str | | stringify(json(resources_accountId)) | resources_accountId | |
resources_type_str | | | resources_type | |
detail_eventType | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
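As an added example (not code from the cloudwatch-to-devo package), the block below shows how the JSON of a CloudWatch event relates to the flattened field names in the table above, and enforces the four-level tag rule from Tag structure. The flattening rule (nested keys joined with '_', array values stored as a JSON string in a '*_str' field, like stringify(json(resources))) is inferred from the field names and is an assumption; per-element fields such as resources_ARN_str are not reproduced, and the sample event is constructed.

```javascript
const TAG_PREFIX = ['cloud', 'aws', 'cloudwatch'];
// Valid when there are exactly 4 non-empty levels and the first 3 are fixed.
function isValidCloudWatchTag(tag) {
  const levels = String(tag).split('.');
  return levels.length === 4 && levels.every((l) => l.length > 0) &&
    TAG_PREFIX.every((p, i) => levels[i] === p);
}

// Flatten nested JSON into the table's field names: keys joined with '_',
// non-alphanumeric characters replaced by '_' ("detail-type" -> detail_type),
// arrays stored as a JSON string in a '*_str' field, as in stringify(json(resources)).
// This flattening rule is an assumption inferred from the field names.
function flattenEvent(obj, prefix = '', out = {}) {
  for (const [key, value] of Object.entries(obj)) {
    const safeKey = key.replace(/[^A-Za-z0-9]/g, '_');
    const name = prefix ? `${prefix}_${safeKey}` : safeKey;
    if (Array.isArray(value)) {
      out[`${name}_str`] = JSON.stringify(value);
    } else if (value !== null && typeof value === 'object') {
      flattenEvent(value, name, out);
    } else {
      out[name] = value;
    }
  }
  return out;
}

// Constructed sample in the CloudWatch Events envelope shape (all values fake).
const sampleEvent = {
  version: '0',
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.kms',
  account: '123456789012',
  region: 'us-east-1',
  resources: ['arn:aws:kms:us-east-1:123456789012:key/EXAMPLE'],
  detail: {
    userIdentity: { type: 'AssumedRole',
      sessionContext: { attributes: { mfaAuthenticated: 'false' } } },
    eventName: 'Decrypt',
    sourceIPAddress: '192.0.2.10',
    readOnly: true,
  },
};

// Record as tagged for Devo: flattened fields plus the raw JSON, which the
// table lists (as rawSource) as the source of message and rawMessage.
function buildRecord(event, tag = 'cloud.aws.cloudwatch.events') {
  if (!isValidCloudWatchTag(tag)) throw new Error(`invalid tag: ${tag}`);
  return { tag, rawMessage: JSON.stringify(event), fields: flattenEvent(event) };
}
```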
cloud.aws.cloudwatch.logs
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
hostname | | | | |
ACCID | | | | |
REGION | | | | |
VERSION | | | | |
logGroup | | | | |
logStreamName | | | | |
ingestionTime | | | | |
timestamp | | | | |
eventId | | | | |
log_message | | | | |
log_version | | | | |
id | | | | |
detail_type | | | | |
source | | | | |
account | | | | |
time | | | | |
region | | | | |
resources_str | | | resources | |
detail__findings__ProductArn_str | | | detail__findings__ProductArn | |
detail__findings__Types_str | | | detail__findings__Types | |
detail__findings__Description_str | | | detail__findings__Description | |
detail__findings__Compliance__Status_str | | | detail__findings__Compliance__Status | |
detail__findings__Compliance__StatusReasons_str | | | detail__findings__Compliance__StatusReasons | |
detail__findings__ProductName_str | | | detail__findings__ProductName | |
detail__findings__FirstObservedAt_str | | | detail__findings__FirstObservedAt | |
detail__findings__CreatedAt_str | | | detail__findings__CreatedAt | |
detail__findings__LastObservedAt_str | | | detail__findings__LastObservedAt | |
detail__findings__CompanyName_str | | | detail__findings__CompanyName | |
detail__findings__FindingProviderFields__Types_str | | | detail__findings__FindingProviderFields__Types | |
detail__findings__FindingProviderFields__Severity__Normalized_str | | | detail__findings__FindingProviderFields__Severity__Normalized | |
detail__findings__FindingProviderFields__Severity__Label_str | | | detail__findings__FindingProviderFields__Severity__Label | |
detail__findings__FindingProviderFields__Severity__Product_str | | | detail__findings__FindingProviderFields__Severity__Product | |
detail__findings__FindingProviderFields__Severity__Original_str | | | detail__findings__FindingProviderFields__Severity__Original | |
detail__findings__ProductFields__StandardsGuideArn_str | | | detail__findings__ProductFields__StandardsGuideArn | |
detail__findings__ProductFields__StandardsGuideSubscriptionArn_str | | | detail__findings__ProductFields__StandardsGuideSubscriptionArn | |
detail__findings__ProductFields__RuleId_str | | | detail__findings__ProductFields__RuleId | |
detail__findings__ProductFields__RecommendationUrl_str | | | detail__findings__ProductFields__RecommendationUrl | |
detail__findings__ProductFields__StandardsControlArn_str | | | detail__findings__ProductFields__StandardsControlArn | |
detail__findings__ProductFields__aws_securityhub_ProductName_str | | | detail__findings__ProductFields__aws_securityhub_ProductName | |
detail__findings__ProductFields__aws_securityhub_CompanyName_str | | | detail__findings__ProductFields__aws_securityhub_CompanyName | |
detail__findings__ProductFields__aws_securityhub_annotation_str | | | detail__findings__ProductFields__aws_securityhub_annotation | |
detail__findings__ProductFields__Resources_0_Id_str | | | detail__findings__ProductFields__Resources_0_Id | |
detail__findings__ProductFields__aws_securityhub_FindingId_str | | | detail__findings__ProductFields__aws_securityhub_FindingId | |
detail__findings__Remediation__Recommendation__Text_str | | | detail__findings__Remediation__Recommendation__Text | |
detail__findings__Remediation__Recommendation__Url_str | | | detail__findings__Remediation__Recommendation__Url | |
detail__findings__SchemaVersion_str | | | detail__findings__SchemaVersion | |
detail__findings__GeneratorId_str | | | detail__findings__GeneratorId | |
detail__findings__RecordState_str | | | detail__findings__RecordState | |
detail__findings__Title_str | | | detail__findings__Title | |
detail__findings__Workflow__Status_str | | | detail__findings__Workflow__Status | |
detail__findings__Severity__Normalized_str | | | detail__findings__Severity__Normalized | |
detail__findings__Severity__Label_str | | | detail__findings__Severity__Label | |
detail__findings__Severity__Product_str | | | detail__findings__Severity__Product | |
detail__findings__Severity__Original_str | | | detail__findings__Severity__Original | |
detail__findings__UpdatedAt_str | | | detail__findings__UpdatedAt | |
detail__findings__WorkflowState_str | | | detail__findings__WorkflowState | |
detail__findings__AwsAccountId_str | | | detail__findings__AwsAccountId | |
detail__findings__Region_str | | | detail__findings__Region | |
detail__findings__Id_str | | | detail__findings__Id | |
detail__findings__Resources_str | | | detail__findings__Resources | |
message | | | rawMessage | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | | ✓ |
cloud.aws.cloudwatch.metrics
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
ACCID | | account_id | |
REGION | | | |
message | | rawMessage | |
hostname | | | |
account_id | | | |
region | | REGION | |
timestamp | | | |
value | | | |
stat | | | |
metricName | | | |
nameSpace | | | |
dimensions | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |