Inicio Explorar Axuda
Iniciar sesión
bat9go
/
Ycsecurity
réplica de https://github.com/yandex-cloud/yc-solution-library-for-security
Seguir 1
Destacar 0
Fork 0
Ficheiros Incidencias 0 Wiki
Rama: master
Ramas Etiquetas
Ycsecurity
/
auditlogs
/
export-auditlogs-to-Splunk
Mirtov Alexey 33d0bd4365 add english %!s(int64=2) %!d(string=hai) anos
..
docker d22e6fb779 clean-up and editing %!s(int64=3) %!d(string=hai) anos
functions dedef1c535 update splunk %!s(int64=3) %!d(string=hai) anos
images 75f1b03478 update splunk %!s(int64=3) %!d(string=hai) anos
terraform d22e6fb779 clean-up and editing %!s(int64=3) %!d(string=hai) anos
README.md 33d0bd4365 add english %!s(int64=2) %!d(string=hai) anos
README_RU.md 33d0bd4365 add english %!s(int64=2) %!d(string=hai) anos

README.md

Collecting, monitoring, and analyzing audit logs in an external SIEM Splunk

Dashboard

Dashboard

Solution description

The solution lets you collect, monitor, and analyze audit logs in Yandex.Cloud from the following sources:

Use cases and searches

The Yandex.Cloud security team has collected the most relevant use cases in the folder of the auditlogs repository.

Solution features implemented via Terraform

  • Deploy a COI Instance with a container based on the s3-splunk-importer cr.yandex/crpjfmfou6gflobbfvfv/s3-splunk-importer:1.0 image.
  • Provide continuous delivery of JSON files with audit logs from Yandex Object Storage to Splunk.

Solution diagram

Diagram

Deployment using Terraform

Description

Yandex Cloud prerequisites

  • :white_check_mark: Object Storage Bucket for Audit Trails.
  • :white_check_mark: Audit Trails is enabled in the UI.
  • :white_check_mark: VPC network.
  • :white_check_mark: COI Instance has access to the internet to download the container image, for example, from the source NAT to the subnet.
  • :white_check_mark: ServiceAccount with the storage.editor role for actions in Object Storage.
See the example of the prerequisite configuration in /example/main.tf

Splunk prerequisites

  • :white_check_mark: Configured HTTP Event Collector.
  • :white_check_mark: Token for sending events to HEC.

Terraform module /modules/yc-splunk-trail:

  • Creates static keys for the SA to work with JSON objects in a bucket and encrypt/decrypt secrets.
  • Creates a COI VM with a Docker Container specification using a script.
  • Creates an SSH key pair and saves the private part to the disk and the public part to the VM.
  • Creates a KMS key.
  • Assigns the kms.keys.encrypterDecrypter rights to the key for SA to encrypt secrets.
  • Encrypts secrets and passes them to Docker Container.

Example of calling a module:

module "yc-splunk-trail" {
    source = "../modules/yc-splunk-trail/" #path to module yc-elastic-trail
    
    folder_id = var.folder_id
    splunk_token = var.splunk_token // Run the command export TF_VAR_splunk_token=<SPLUNK TOKEN> (replace <SPLUNK TOKEN> with your value)
    splunk_server = "https://1.2.3.4" // format: https://<your hostname or address>
    bucket_name = yandex_storage_bucket.trail-bucket.bucket // Specify the name of the bucket with audit trails if the call is not from example
    bucket_folder = "folder" // Specified when creating Trails
    sa_id = yandex_iam_service_account.sa-bucket-editor.id // Specify an SA with bucket_editor rights if the call is not from example
    coi_subnet_id = yandex_vpc_subnet.splunk-subnet[0].id // Specify the subnet_id if the call is not from example
}