
cloud.aws.cloudwatch

The cloud.aws.cloudwatch tag identifies log events generated by the Amazon CloudWatch service. For more information about CloudWatch and the kind of information it makes available to you, consult the vendor documentation.

Tag structure

The full tag must have 4 levels. The first 3 are fixed as cloud.aws.cloudwatch. The fourth level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Amazon CloudWatch | cloud.aws.cloudwatch.alarm | cloud.aws.cloudwatch.alarm |
| | cloud.aws.cloudwatch.events | cloud.aws.cloudwatch.events |
| | cloud.aws.cloudwatch.logs | cloud.aws.cloudwatch.logs |
| | cloud.aws.cloudwatch.metrics | cloud.aws.cloudwatch.metrics |

For more information, read more about Devo tags.

How is the data sent to Devo?

To collect and forward data from CloudWatch Events to Devo, you will create an AWS Lambda function designed to receive data from a CloudWatch rule and forward them securely to Devo. We provide the source code and files required to create the function. You only need to use these files to create the function, customize a few environment variables, and set up the CloudWatch rule that will start forwarding data.

This article takes you step-by-step through the configuration process.

Download the source code files

Download the cloudwatch-to-devo zip file. It contains two folders and three files at the root level.

Download your Devo domain certificate files

Log into the Devo web application, go to Administration → Credentials → X.509 Certificates and download the X.509 Certificate and Private Key to the /certs folder of the source code files.

Prepare the ZIP file for upload

Having added the certificate files, your source code is complete.

Tip

For troubleshooting the initial setup, you can enable the logging of additional events related to the Lambda function's activity. These will appear in the function's log file available in CloudWatch - Logs. To enable this logging, open the index.js file and uncomment the lines that start with console.log. Later, when you have confirmed that events are being correctly streamed to your Devo domain, you can edit the file and recomment the console.log lines.

Create a .zip file containing the certs and node_modules folders, index.js, and package.json. You can name it anything you like.

Create the Lambda function

This procedure guides you through creating the new Lambda function that will receive the CloudWatch events. 

Set up the CloudWatch rule

  1. Log into your AWS Console, go to CloudWatch → Rules. Click Create rule. This launches a wizard.

  2. In Step 1, under Event Source, select Event Pattern and Build event pattern to match all events. Under Targets, select Lambda function, then select the name and version of the function you just created. Click Configure details.

  3. In Step 2, under Rule definition, enter a Name for the new rule, for example, SendCloudWatchEventstoLambdaFunction. You may optionally enter a description but be sure to select the State checkbox to enable the rule. Click Create rule.

With both the rule and the Lambda function enabled, events should begin to flow to your Devo domain. Look out for the cloud.aws.cloudwatch.events table to appear in your Finder.

If the table doesn't appear in your domain's finder after 10 minutes, here are some things you can do to troubleshoot the problem:

  • Go to CloudWatch - Logs and open the Log Group for the Lambda function you created. If there are errors, they will appear here.

  • Make sure the Lambda function's environment variable definitions match the certificate file names in the .zip that you uploaded.

  • Select your Lambda function and click Test to make sure the function is working properly. We recommend that you copy the JSON of an existing event from the function's CloudWatch log to use in the test event.

  • Go to CloudWatch - Rules and make sure that your rule Status is active.

Table structure

These are the fields displayed in these tables:

cloud.aws.cloudwatch.alarm

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| ACCID | str | | |
| REGION | str | | |
| message | str | rawMessage | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |

cloud.aws.cloudwatch.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| ACCID | str | | | |
| REGION | str | | | |
| message | str | | rawSource | |
| version | str | | | |
| id | str | | | |
| detail_type | str | | | |
| source | str | | | |
| account | str | | | |
| time | timestamp | | | |
| region | str | | | |
| resources_str | str | stringify(json(resources)) | resources | |
| detail_eventVersion | str | | | |
| detail_userIdentity_type | str | | | |
| detail_userIdentity_principalId | str | | | |
| detail_userIdentity_arn | str | | | |
| detail_userIdentity_accountId | str | | | |
| detail_userIdentity_accessKeyId | str | | | |
| detail_userIdentity_sessionContext_attributes_mfaAuthenticated | str | | | |
| detail_userIdentity_sessionContext_attributes_creationDate | timestamp | | | |
| detail_userIdentity_sessionContext_sessionIssuer_type | str | | | |
| detail_userIdentity_sessionContext_sessionIssuer_principalId | str | | | |
| detail_userIdentity_sessionContext_sessionIssuer_arn | str | | | |
| detail_userIdentity_sessionContext_sessionIssuer_accountId | str | | | |
| detail_userIdentity_sessionContext_sessionIssuer_userName | str | | | |
| detail_eventTime | timestamp | | | |
| detail_eventSource | str | | | |
| detail_eventName | str | | | |
| detail_awsRegion | str | | | |
| detail_sourceIPAddress | str | | | |
| detail_userAgent | str | | | |
| detail_requestParameters_encryptionContext_aws_lambda_FunctionArn | str | | | |
| detail_responseElements | str | | | |
| detail_requestID | str | | | |
| detail_eventID | str | | | |
| detail_readOnly | bool | | | |
| resources_ARN_str | str | stringify(json(resources_ARN)) | resources_ARN | |
| resources_accountId_str | str | stringify(json(resources_accountId)) | resources_accountId | |
| resources_type_str | str | | resources_type | |
| detail_eventType | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | rawSource | |
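The column names in the cloud.aws.cloudwatch.events table follow a visible pattern: nested keys of the source event are joined with underscores, the hyphen in detail-type becomes detail_type, and arrays are kept as JSON text in a _str column (the stringify(json(...)) transformation). The following is an added example that reproduces that mapping on a constructed event; it is not Devo's parser nor the code in the cloudwatch-to-devo zip, and the per-member-key columns for arrays of objects (resources_ARN_str and friends) are modelled on the table rows rather than on a documented rule.

```javascript
// Added example (not Devo's parser): flatten one CloudWatch event into the column
// names used by the cloud.aws.cloudwatch.events table.
const isObj = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

function flattenEvent(obj, prefix = '', out = {}) {
  for (const [rawKey, value] of Object.entries(obj)) {
    const key = prefix + rawKey.replace(/-/g, '_'); // detail-type -> detail_type
    if (Array.isArray(value)) {
      out[key + '_str'] = JSON.stringify(value); // stringify(json(<array>))
      // An array of objects also yields one column per member key, as the
      // resources_ARN_str / resources_accountId_str / resources_type_str rows show.
      const memberKeys = new Set(value.filter(isObj).flatMap(Object.keys));
      for (const k of memberKeys) {
        out[`${key}_${k}_str`] = JSON.stringify(value.map((v) => (isObj(v) ? v[k] : null)));
      }
    } else if (isObj(value)) {
      flattenEvent(value, key + '_', out); // nested object: descend with "<key>_" prefix
    } else {
      out[key] = value; // scalars (string, number, bool, null) map straight through
    }
  }
  return out;
}

// Constructed sample: a CloudTrail API call delivered by a CloudWatch Events rule
// (field layout as AWS publishes it; every value below is made up for the example).
const sampleEvent = {
  version: '0', id: '11111111-2222-3333-4444-555555555555',
  'detail-type': 'AWS API Call via CloudTrail',
  source: 'aws.kms', account: '123456789012',
  time: '2024-01-15T10:30:00Z', region: 'us-east-1',
  resources: [{ ARN: 'arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY', accountId: '123456789012', type: 'AWS::KMS::Key' }],
  detail: {
    userIdentity: {
      type: 'AssumedRole', principalId: 'AROAEXAMPLEID:lambda-session',
      arn: 'arn:aws:sts::123456789012:assumed-role/lambda-role/lambda-session',
      accountId: '123456789012',
      sessionContext: { attributes: { mfaAuthenticated: 'false', creationDate: '2024-01-15T10:29:00Z' } },
    },
    eventSource: 'kms.amazonaws.com', eventName: 'Decrypt',
    sourceIPAddress: '203.0.113.10', readOnly: true,
  },
};

const row = flattenEvent(sampleEvent);
console.log(row.detail_type, row.detail_eventName, row.resources_type_str);
```

The same row object is also a convenient shape for the Test event mentioned in the troubleshooting list: paste a real event copied from the function's CloudWatch log in place of sampleEvent and compare the keys you get against the table.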

cloud.aws.cloudwatch.logs

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| ACCID | str | | | |
| REGION | str | | | |
| VERSION | str | | | |
| logGroup | str | | | |
| logStreamName | str | | | |
| ingestionTime | timestamp | | | |
| timestamp | timestamp | | | |
| eventId | str | | | |
| log_message | str | | | |
| log_version | str | | | |
| id | str | | | |
| detail_type | str | | | |
| source | str | | | |
| account | str | | | |
| time | str | | | |
| region | str | | | |
| resources_str | str | | resources | |
| detail__findings__ProductArn_str | str | | detail__findings__ProductArn | |
| detail__findings__Types_str | str | | detail__findings__Types | |
| detail__findings__Description_str | str | | detail__findings__Description | |
| detail__findings__Compliance__Status_str | str | | detail__findings__Compliance__Status | |
| detail__findings__Compliance__StatusReasons_str | str | | detail__findings__Compliance__StatusReasons | |
| detail__findings__ProductName_str | str | | detail__findings__ProductName | |
| detail__findings__FirstObservedAt_str | str | | detail__findings__FirstObservedAt | |
| detail__findings__CreatedAt_str | str | | detail__findings__CreatedAt | |
| detail__findings__LastObservedAt_str | str | | detail__findings__LastObservedAt | |
| detail__findings__CompanyName_str | str | | detail__findings__CompanyName | |
| detail__findings__FindingProviderFields__Types_str | str | | detail__findings__FindingProviderFields__Types | |
| detail__findings__FindingProviderFields__Severity__Normalized_str | str | | detail__findings__FindingProviderFields__Severity__Normalized | |
| detail__findings__FindingProviderFields__Severity__Label_str | str | | detail__findings__FindingProviderFields__Severity__Label | |
| detail__findings__FindingProviderFields__Severity__Product_str | str | | detail__findings__FindingProviderFields__Severity__Product | |
| detail__findings__FindingProviderFields__Severity__Original_str | str | | detail__findings__FindingProviderFields__Severity__Original | |
| detail__findings__ProductFields__StandardsGuideArn_str | str | | detail__findings__ProductFields__StandardsGuideArn | |
| detail__findings__ProductFields__StandardsGuideSubscriptionArn_str | str | | detail__findings__ProductFields__StandardsGuideSubscriptionArn | |
| detail__findings__ProductFields__RuleId_str | str | | detail__findings__ProductFields__RuleId | |
| detail__findings__ProductFields__RecommendationUrl_str | str | | detail__findings__ProductFields__RecommendationUrl | |
| detail__findings__ProductFields__StandardsControlArn_str | str | | detail__findings__ProductFields__StandardsControlArn | |
| detail__findings__ProductFields__aws_securityhub_ProductName_str | str | | detail__findings__ProductFields__aws_securityhub_ProductName | |
| detail__findings__ProductFields__aws_securityhub_CompanyName_str | str | | detail__findings__ProductFields__aws_securityhub_CompanyName | |
| detail__findings__ProductFields__aws_securityhub_annotation_str | str | | detail__findings__ProductFields__aws_securityhub_annotation | |
| detail__findings__ProductFields__Resources_0_Id_str | str | | detail__findings__ProductFields__Resources_0_Id | |
| detail__findings__ProductFields__aws_securityhub_FindingId_str | str | | detail__findings__ProductFields__aws_securityhub_FindingId | |
| detail__findings__Remediation__Recommendation__Text_str | str | | detail__findings__Remediation__Recommendation__Text | |
| detail__findings__Remediation__Recommendation__Url_str | str | | detail__findings__Remediation__Recommendation__Url | |
| detail__findings__SchemaVersion_str | str | | detail__findings__SchemaVersion | |
| detail__findings__GeneratorId_str | str | | detail__findings__GeneratorId | |
| detail__findings__RecordState_str | str | | detail__findings__RecordState | |
| detail__findings__Title_str | str | | detail__findings__Title | |
| detail__findings__Workflow__Status_str | str | | detail__findings__Workflow__Status | |
| detail__findings__Severity__Normalized_str | str | | detail__findings__Severity__Normalized | |
| detail__findings__Severity__Label_str | str | | detail__findings__Severity__Label | |
| detail__findings__Severity__Product_str | str | | detail__findings__Severity__Product | |
| detail__findings__Severity__Original_str | str | | detail__findings__Severity__Original | |
| detail__findings__UpdatedAt_str | str | | detail__findings__UpdatedAt | |
| detail__findings__WorkflowState_str | str | | detail__findings__WorkflowState | |
| detail__findings__AwsAccountId_str | str | | detail__findings__AwsAccountId | |
| detail__findings__Region_str | str | | detail__findings__Region | |
| detail__findings__Id_str | str | | detail__findings__Id | |
| detail__findings__Resources_str | str | | detail__findings__Resources | |
| message | str | | rawMessage | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

cloud.aws.cloudwatch.metrics

| Field | Type | Source field name | Extra fields |
|---|---|---|---|
| eventdate | timestamp | | |
| ACCID | str | account_id | |
| REGION | str | | |
| message | str | rawMessage | |
| hostname | str | | |
| account_id | str | | |
| region | str | REGION | |
| timestamp | timestamp | | |
| value | float8 | | |
| stat | str | | |
| metricName | str | | |
| nameSpace | str | | |
| dimensions | str | | |
| hostchain | str | | |
| tag | str | | |
| rawMessage | str | | |