Create a trail to upload the audit logs of resources in a single folder to a Yandex Object Storage bucket with encryption enabled. Then configure continuous log delivery to ArcSight SIEM.
To complete the tutorial successfully, you must have an instance of ArcSight installed.
The solution described in the tutorial follows the procedure below:
- A trail uploads logs to an Object Storage bucket.
- The bucket is mounted via a FUSE interface to a folder on the intermediate VM.
- SmartConnector collects logs from the folder and passes them to ArcSight for analysis.
For more information about the scripts for uploading audit logs to ArcSight, see Yandex Cloud Security Solution Library.
Note
Yandex Cloud Security Solution Library is a public repo on GitHub with a set of examples and recommendations on how to build a secure infrastructure in Yandex Cloud.
To configure delivery of audit log files to ArcSight:
Prepare the environment
Prepare an intermediate VM
You can use a VM that has access to an ArcSight instance or create a new one:
- Create a VM from a Linux image based on Ubuntu 20.04.
- Connect to the VM via SSH.
Create a bucket for audit logs
- In the management console, select the folder where you wish to create a bucket, for example, example-folder.
- Select Object Storage.
- Click Create bucket.
- On the bucket creation page:
  - Enter the bucket name following the naming guidelines, such as arcsight-bucket.
  - If necessary, limit the maximum bucket size. If 0, the maximum size isn't limited. It's similar to the enabled No limit option.
  - Select the Limited access type.
  - Select the default storage class.
  - Click Create bucket.
Create an encryption key in Key Management Service
- In the management console, go to example-folder.
- Select Key Management Service.
- Click Create and specify:
  - Name: arcsight-kms.
  - Encryption algorithm: AES-256.
  - Leave the other parameters at their default settings.
- Click Create.
Enable bucket encryption
- In the management console, go to arcsight-bucket.
- On the left-hand panel, select Encryption.
- In the KMS key field, select the arcsight-kms key.
- Click Save.
Create service accounts
You need to create two accounts: one for a trail and one for a bucket.
Create the sa-arcsight service account:
- In the management console, go to the example-folder folder.
- Go to the Service accounts tab.
- Click Create service account.
- Enter the service account name following the naming guidelines, such as sa-arcsight.
- Click Create.
Create the sa-arcsight-bucket service account the same way.
Create a static key
You will need the key ID and secret key when mounting the bucket.
Management console:
- In the management console, go to example-folder.
- Go to the Service accounts tab.
- Choose sa-arcsight-bucket and click the line with its name.
- Click Create new key on the top panel.
- Select Create static access key.
- Enter a description for the key and click Create.
- Save the ID and private key.
Alert
After the dialog is closed, the private key value will be unavailable.
CLI:
- Create an access key for sa-arcsight-bucket:
  yc iam access-key create --service-account-name sa-arcsight-bucket
  Result:
  access_key:
    id: aje*******k2u
    service_account_id: aje*******usm
    created_at: "2022-09-22T14:37:51Z"
    key_id: 0n8*******0YQ
  secret: JyT*******zMP1
- Save the key_id ID and the secret key. You will not be able to get the key value again.
Assign roles to the service accounts
Assign sa-arcsight the audit-trails.viewer, storage.uploader, and kms.keys.encrypterDecrypter roles:
- The audit-trails.viewer role to the folder:
  yc resource-manager folder add-access-binding \
    --role audit-trails.viewer \
    --id <example-folder_ID> \
    --service-account-id <sa-arcsight_service_account_ID>
  Where:
  - role: The role assigned.
  - id: The ID of example-folder.
  - service-account-id: The ID of sa-arcsight.
  For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.
- The storage.uploader role to the folder with a bucket:
  yc resource-manager folder add-access-binding \
    --role storage.uploader \
    --id <example-folder_ID> \
    --service-account-id <sa-arcsight_service_account_ID>
  Where:
  - role: The role assigned.
  - id: The ID of example-folder.
  - service-account-id: The ID of sa-arcsight.
- The kms.keys.encrypterDecrypter role to the arcsight-kms encryption key:
  yc kms symmetric-key add-access-binding \
    --role kms.keys.encrypterDecrypter \
    --id <arcsight-kms_key_ID> \
    --service-account-id <sa-arcsight_service_account_ID>
  Where:
  - role: The role assigned.
  - id: The ID of the arcsight-kms KMS key.
  - service-account-id: The ID of sa-arcsight.
Assign sa-arcsight-bucket the storage.viewer and kms.keys.encrypterDecrypter roles:
- The storage.viewer role to the folder:
  yc resource-manager folder add-access-binding \
    --id <example-folder_ID> \
    --role storage.viewer \
    --service-account-id <sa-arcsight-bucket_service_account_ID>
  Where:
  - role: The role assigned.
  - id: The ID of example-folder.
  - service-account-id: The ID of sa-arcsight-bucket.
- The kms.keys.encrypterDecrypter role to the arcsight-kms encryption key:
  yc kms symmetric-key add-access-binding \
    --role kms.keys.encrypterDecrypter \
    --id <arcsight-kms_key_ID> \
    --service-account-id <sa-arcsight-bucket_service_account_ID>
  Where:
  - role: The role assigned.
  - id: The ID of the arcsight-kms KMS key.
  - service-account-id: The ID of sa-arcsight-bucket.
Create a trail
- In the management console, go to example-folder.
- Select Audit Trails.
- Click Create trail and specify:
  - Name: The name of the trail to create. For example: arcsight-trail.
  - Description: A description of the trail (optional).
- Under Filter, set up the audit log scope:
  - Resource: Select Folder.
  - Folder: An automatically populated field containing the name of the current folder.
- Under Destination, set up the destination object:
  - Destination: Object Storage.
  - Bucket: arcsight-bucket.
  - Object prefix: An optional parameter used in the full name of the audit log file.
  Note
  Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.
- Under Service account, select sa-arcsight.
- Click Create.
Warning
The solution will delete the logs from the bucket after they are exported to ArcSight. If you need to keep the logs in the bucket, create a separate bucket and trail.
Mount a bucket
A bucket is mounted on an intermediate VM where ArcSight SmartConnector is installed.
To mount the bucket, create a file with the sa-arcsight-bucket service account static access key.
- On the intermediate VM, create a file with the static access key:
  echo <access_key_ID>:<secret_access_key> > ${HOME}/.passwd-s3fs
  chmod 600 ${HOME}/.passwd-s3fs
- Install s3fs:
  sudo apt install s3fs
- Create a directory where the bucket will be mounted. For example, mybucket in the home directory:
  sudo mkdir ${HOME}/mybucket
- Mount the bucket:
  s3fs arcsight-bucket ${HOME}/mybucket \
    -o passwd_file=${HOME}/.passwd-s3fs \
    -o url=https://storage.yandexcloud.net \
    -o use_path_request_style
- Check that the bucket was mounted:
  ls ${HOME}/mybucket
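The steps above write the secret key to ${HOME}/.passwd-s3fs with echo and only then restrict its permissions, which leaves the secret in the shell history and, for a moment, readable by other local users. The script below is an added example, not part of the Yandex Cloud tutorial or the Security Solution Library. It assumes the static key is supplied in the hypothetical environment variables YC_ACCESS_KEY_ID and YC_SECRET_ACCESS_KEY, creates the credentials file with mode 0600 from the start, refuses to mount while the file is wider than that, and confirms that a fuse.s3fs mount actually exists at the mount point.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud tutorial or Security Solution Library):
# create the s3fs credentials file for sa-arcsight-bucket without exposing the
# secret, then mount the audit-log bucket. Assumes the static key is supplied
# in the hypothetical environment variables YC_ACCESS_KEY_ID and
# YC_SECRET_ACCESS_KEY (e.g. read from a secrets manager by the provisioning
# tool), so the secret never lands in shell history or in a process listing.

# write_s3fs_passwd FILE -> writes "id:secret" to FILE, created with mode 0600.
# Setting umask before the redirect creates the file already restricted, so there
# is no window in which other local users can read it (echo followed by chmod
# leaves one). An existing file is removed first so a stale, wider mode cannot
# survive.
write_s3fs_passwd() {
  file="$1"
  if [ -z "$YC_ACCESS_KEY_ID" ] || [ -z "$YC_SECRET_ACCESS_KEY" ]; then
    echo "YC_ACCESS_KEY_ID and YC_SECRET_ACCESS_KEY must be set" >&2
    return 1
  fi
  rm -f "$file"
  ( umask 077 && printf '%s:%s\n' "$YC_ACCESS_KEY_ID" "$YC_SECRET_ACCESS_KEY" > "$file" )
}

# check_s3fs_passwd FILE -> succeeds only if FILE is a regular file readable and
# writable by its owner alone (rw-------); s3fs itself rejects anything wider.
check_s3fs_passwd() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# mount_audit_bucket BUCKET MOUNTPOINT PASSWD_FILE -> mounts BUCKET over HTTPS
# with path-style requests (the options used in the tutorial) and verifies that
# a fuse.s3fs mount now exists at MOUNTPOINT.
mount_audit_bucket() {
  bucket="$1"; mnt="$2"; passwd="$3"
  check_s3fs_passwd "$passwd" || { echo "refusing to mount: $passwd must be mode 0600" >&2; return 1; }
  mkdir -p "$mnt"
  s3fs "$bucket" "$mnt" \
    -o passwd_file="$passwd" \
    -o url=https://storage.yandexcloud.net \
    -o use_path_request_style || return 1
  mount | grep -q " on $mnt type fuse.s3fs "
}

# Usage on the intermediate VM (not run here):
#   write_s3fs_passwd "${HOME}/.passwd-s3fs"
#   mount_audit_bucket arcsight-bucket "${HOME}/mybucket" "${HOME}/.passwd-s3fs"
```

Because the functions return a non-zero status on every failure, they can be dropped into the VM's provisioning script or a systemd unit so a mount with a mis-permissioned credentials file fails loudly instead of silently continuing without logs.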
Install and configure ArcSight SmartConnector
Note
To complete this stage of the tutorial, you need an ArcSight SmartConnector distribution and access to an ArcSight instance.
- On the intermediate VM, install ArcSight SmartConnector:
  - When installing it, select ArcSight FlexConnector JSON Folder Follower and specify the path to the mybucket folder.
  - Specify JSON configuration filename prefix: yc.
- Download the arcsight_content files.
- Copy the yc.jsonparser.properties file from the flex folder to the <agent_installation_folder>/current/user/agent/flexagent folder.
- Copy the map.0.properties file from the flex folder to the <agent_installation_folder>/current/user/agent/map folder.
- Edit the file <agent_installation_folder>/current/user/agent/agent.properties:
  agents[0].mode=DeleteFile
  agents[0].proccessfoldersrecursively=true
- Start the connector and make sure that events are received by ArcSight:
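Because the connector runs in DeleteFile mode, the mounted folder should stay nearly empty: each audit-log file disappears once ArcSight has ingested it. A file that lingers is therefore a cheap health signal for the whole chain (trail, bucket, mount, connector) and a way to notice a delivery stall before the retention warning above bites. The check below is an added example, not from the tutorial or the Security Solution Library; it assumes the bucket is mounted at the directory given as the first argument, that only audit-log objects live under it (the object-prefix advice above), and that any regular file older than the given number of minutes indicates a stall.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud tutorial): health check for the
# bucket -> SmartConnector delivery. In DeleteFile mode the connector removes
# each audit-log file after ingesting it, so files that remain in the mounted
# folder longer than a threshold mean events are not reaching ArcSight.
# Assumptions: DIR is the s3fs mount point (e.g. ${HOME}/mybucket) and only
# audit-log objects live under it (the tutorial's object-prefix advice).

# is_mounted DIR -> succeeds if DIR is currently an s3fs FUSE mount.
is_mounted() {
  mount | grep -q " on $1 type fuse.s3fs "
}

# stale_log_files DIR MINUTES -> prints regular files under DIR whose
# modification time is older than MINUTES minutes, one per line; returns 1 if
# any exist, 0 if the folder is healthy, 2 if DIR is not a directory.
stale_log_files() {
  dir="$1"; minutes="$2"
  [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 2; }
  found=$(find "$dir" -type f -mmin +"$minutes")
  [ -n "$found" ] || return 0
  printf '%s\n' "$found"
  return 1
}

# count_stale_log_files DIR MINUTES -> number of stale files, 0 when healthy.
count_stale_log_files() {
  stale_log_files "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# check_delivery DIR [MINUTES] -> one-line status suitable for cron or a
# monitoring agent; exit status is non-zero on any problem. Default 15 min.
check_delivery() {
  dir="$1"; minutes="${2:-15}"
  if ! is_mounted "$dir"; then
    echo "FAIL: $dir is not an s3fs mount (bucket unmounted or VM rebooted)"
    return 1
  fi
  n=$(count_stale_log_files "$dir" "$minutes")
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n audit-log file(s) not ingested for more than $minutes min"
    stale_log_files "$dir" "$minutes"
    return 1
  fi
  echo "OK: no audit-log files older than $minutes min in $dir"
}

# Usage on the intermediate VM (not run here):
#   check_delivery "${HOME}/mybucket" 15
```

Pick the threshold from the trail's delivery cadence: it must exceed the interval at which Audit Trails writes new objects plus the connector's polling interval, otherwise fresh files will be reported before the connector has had a chance to read them.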