Jacob Brain

Reputation: 1

Creating SIEM Dashboard for AWS logs using ELK Stack

We are collecting AWS logs in an ELK stack SIEM (Open Distro for Elasticsearch). Can someone please advise what type of logs or security events require continuous monitoring and immediate alert notification? We are using Kibana for visualization.

What are the important things we need to keep in the Main Dashboard (ex: how many users logged in, which account is mostly used)?

What type of event requires alerts (ex: wrong password attempt 10X, S3 Bucket write after office hours)?

How to identify when an AWS account is hacked or an attacker stole data?

Thanks

Upvotes: 0

Views: 105

Answers (1)

elastic content share

Reputation: 11

In Open Distro (these days OpenSearch) this needs to be done on your own in the alerting section.

The easiest option to solve your question is to use the free version of the original Elasticsearch, which provides a detection engine within the Security app in Kibana.

This detection engine comes with a number of AWS-specific rules that check for, e.g., hacked accounts.

In version 8 you find this under Elastic Security -> Alerts -> (Manage) Rules -> Import Elastic Prebuilt rules

You can access this version of Elasticsearch via AWS Marketplace.

Upvotes: 0
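As an added illustration of the do-it-yourself route in the Open Distro alerting section (this is example configuration written for this page, not code from the answer or from the Open Distro project), here is a monitor that fires when any single IAM user has 10 or more failed console logins within the last 10 minutes, matching the "wrong password attempt 10X" case from the question. It assumes raw CloudTrail events indexed into `cloudtrail-*` with default dynamic mapping (so `eventTime` is a date and `userIdentity.userName.keyword` exists), and a notification destination you have already created; `REPLACE_WITH_DESTINATION_ID` and the thresholds are placeholders.

```json
{
  "type": "monitor",
  "name": "cloudtrail-console-login-failures",
  "enabled": true,
  "schedule": { "period": { "interval": 5, "unit": "MINUTES" } },
  "inputs": [{
    "search": {
      "indices": ["cloudtrail-*"],
      "query": {
        "size": 0,
        "query": {
          "bool": {
            "filter": [
              { "match": { "eventName": "ConsoleLogin" } },
              { "match": { "responseElements.ConsoleLogin": "Failure" } },
              { "range": { "eventTime": { "gte": "now-10m" } } }
            ]
          }
        },
        "aggs": {
          "by_user": {
            "terms": { "field": "userIdentity.userName.keyword", "size": 50 }
          }
        }
      }
    }
  }],
  "triggers": [{
    "name": "ten-or-more-failures-for-one-user",
    "severity": "2",
    "condition": {
      "script": {
        "lang": "painless",
        "source": "for (b in ctx.results[0].aggregations.by_user.buckets) { if (b.doc_count >= 10) { return true; } } return false;"
      }
    },
    "actions": [{
      "name": "notify-soc",
      "destination_id": "REPLACE_WITH_DESTINATION_ID",
      "subject_template": { "source": "Repeated AWS console login failures" },
      "message_template": {
        "source": "Monitor {{ctx.monitor.name}} fired at {{ctx.periodEnd}}: at least one user had 10+ failed ConsoleLogin events in the last 10 minutes."
      },
      "throttle_enabled": true,
      "throttle": { "value": 30, "unit": "MINUTES" }
    }]
  }]
}
```

Create it with `POST _opendistro/_alerting/monitors`; the same shape with a different filter (for example `eventName: PutObject` plus a time-of-day range on `eventTime`) covers the "S3 write after office hours" case.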
