Mirtov Alexey 33d0bd4365 add english 2 år sedan

README.md

Monitoring Audit Trails and events in Yandex Cloud Monitoring

Description

This solution gives recommendations on how to monitor the health of Audit Trails and the security events it records, using Yandex Monitoring.

  • Audit Trails monitoring:
    • The status of the Trail object (Active or not Active).
    • The count of processed events (to detect bursts).
  • Monitoring of security events:
    • See the list of events below.

Audit Trails monitoring

  • Go to Audit Trails → Monitoring → Open in Monitoring.
  • Select the desired dashboard: Trails by status or Delivered events.
  • Click the ellipsis and select "Create alert".
  • Set up an alert according to the documentation for the threshold you need. For example, on the "Trails by status" dashboard, enter the condition: status is not equal to 1 in 5 minutes (a live Trail sends the metric value 1 once a second).


Monitoring events from Audit Trails

  • Go to Audit Trails → Monitoring → Open in Monitoring → Metric Explorer.
  • Build a query for the desired metric from the list below, for example: "trail.processed_events_count"{folderId="b1gh4nansv4ebqqmeu7b", service="audit-trails", event_type="yandex.cloud.audit.compute.CreateInstance"}
  • Click the ellipsis → Create alert.
  • Set up an alert according to the documentation for your threshold, for example: greater than 0.
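As an added illustration (example code, not part of this repository), the following Python script builds a Monitoring metric selector in the syntax the query above uses and evaluates the two alert conditions described in the sections above: the "Trails by status" check (status not equal to 1 in a 5-minute window, with the Trail sending 1 once a second while alive) and the "greater than 0" check on processed events for a sensitive event type. The burst heuristic, the time-series samples and the `factor` parameter are assumptions made for the example; the folder ID and event type are the ones from the query above.

```python
"""Added example for the README's Audit Trails alerts (not the project's code).

Builds the selector string used in Metric Explorer and evaluates the README's
two alert conditions against constructed samples.
"""
from __future__ import annotations


def metric_query(metric: str, **labels: str) -> str:
    """Render a Monitoring selector: "metric"{label="value", ...}.

    Quoting follows the README's example query.
    """
    selector = ", ".join(f'{key}="{value}"' for key, value in labels.items())
    return f'"{metric}"{{{selector}}}'


def processed_events_query(folder_id: str, event_type: str) -> str:
    """Selector for trail.processed_events_count of one event type.

    event_type must be the full, service-prefixed name, as in the README's
    compute.CreateInstance example.
    """
    return metric_query(
        "trail.processed_events_count",
        folderId=folder_id,
        service="audit-trails",
        event_type=event_type,
    )


def trail_status_alert(samples: list[tuple[int, float]], now: int, window: int = 300) -> bool:
    """README condition: status is not equal to 1 in 5 minutes.

    samples are (unix_timestamp, value). A live Trail sends 1 once a second,
    so any value other than 1 inside the window fires, and so does an empty
    window (no heartbeat at all), which is the silent-failure case.
    """
    in_window = [value for ts, value in samples if now - window <= ts <= now]
    if not in_window:
        return True
    return any(value != 1 for value in in_window)


def sensitive_event_alert(count: float, threshold: float = 0) -> bool:
    """README condition for a security-relevant event type: count greater than 0."""
    return count > threshold


def burst_detected(per_minute_counts: list[int], factor: float = 5.0) -> bool:
    """Assumed heuristic (not from the README): flag a burst when the latest
    one-minute count exceeds `factor` times the mean of the earlier minutes."""
    if len(per_minute_counts) < 2:
        return False
    *history, latest = per_minute_counts
    baseline = sum(history) / len(history)
    return latest > factor * max(baseline, 1.0)


if __name__ == "__main__":
    # Constructed samples: a heartbeat of 1 per second, with one bad sample.
    now = 1000
    heartbeat = [(ts, 1.0) for ts in range(now - 299, now + 1)]
    print(processed_events_query("b1gh4nansv4ebqqmeu7b",
                                 "yandex.cloud.audit.compute.CreateInstance"))
    print("status alert (healthy):", trail_status_alert(heartbeat, now))
    print("status alert (one 0):", trail_status_alert(heartbeat + [(now - 10, 0.0)], now))
    print("status alert (no data):", trail_status_alert([], now))
    print("CreateInstance count 3 ->", sensitive_event_alert(3))
    print("burst in [10, 12, 11, 9, 80] ->", burst_detected([10, 12, 11, 9, 80]))
```

The empty-window case is deliberate: a Trail that stops reporting altogether produces no "not equal to 1" sample, so an alert that only compares values would stay quiet, which is why the check treats missing data as a failure.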


List of security-relevant events

  • UpdateSecurityGroup: Updating a security group.
  • UpdateSecretAccessBindings: Updating access bindings for a Lockbox secret.
  • AddInstanceOneToOneNat: Adding a public IP address for a VM instance.
  • RemoveInstanceOneToOneNat: Removing a public IP address from a VM instance.
  • DeleteInstance: Deleting a VM instance.
  • instancegroup.DeleteInstanceGroup: Deleting an instance group.
  • CreateAccessKey: Creating an access key.
  • CreateApiKey: Creating an API key.
  • DeleteFederation: Deleting a federation.
  • UpdateServiceAccountAccessBindings: Updating access bindings of a service account.
  • DeleteSymmetricKey: Deleting a symmetric key.
  • ScheduleSymmetricKeyVersionDestruction: Scheduling destruction of the symmetric key version.
  • DeleteCloud: Deleting a cloud.
  • DeleteFolder: Deleting a folder.
  • BucketAclUpdate: Updating a bucket ACL.
  • BucketDelete: Deleting a bucket.
  • BucketPolicyUpdate: Editing bucket access policies.
  • CreateNetwork: Creating a cloud network.
  • DeleteNetwork: Deleting a cloud network.