Configure a ThreatSync+ NDR Cloud Integration — AWS VPC Flow Logs

Applies To: ThreatSync+ NDR

This feature is only available with a ThreatSync+ NDR or Total NDR license. For more information, go to About ThreatSync+ NDR Licenses and About Total NDR Licenses.

To monitor and detect threats in your AWS workloads, ThreatSync+ NDR requires access to your AWS flow log data. To collect this data and monitor the AWS log traffic, you must add and configure a cloud integration in WatchGuard Cloud.

Configuration of an AWS VPC flow logs integration is a two-step process. You must first complete configuration in the AWS Management Console, and then create the AWS VPC flow logs integration in the ThreatSync+ Integrations UI.

Before You Begin

To configure AWS in the AWS Management Console, make sure:

  • You have an AWS user account with administrator privileges.
  • You can connect to the AWS Management Console.
  • Workloads are running in AWS that can generate flow logs.

For more information, go to Logging IP traffic using VPC Flow Logs in the AWS documentation.

Before you can create a ThreatSync+ NDR cloud integration with AWS VPC flow logs, you must:

Create a S3 Bucket in the AWS Management Console

In AWS, an Amazon S3 bucket is an object storage container where flow logs are stored.

To create a S3 bucket in AWS:

  1. Log in to the AWS Management Console at AWS Management Console.
  2. Search for the S3 service.

Screenshot of the S3 Service option in the AWS Management Console

  1. On the General purpose buckets tab, click Create bucket.

Screenshot of the Create bucket button in Amazon S3

  1. Enter a unique bucket name. Keep the default values for other options on this page.

Screenshot of the Create bucket section in Amazon S3

  1. Click Create bucket.

Screenshot of the created bucket in Amazon S3

  1. Copy the bucket name and save it. You will need these values when you create an AWS VPC flow logs cloud integration in ThreatSync+ NDR.

For more information, go to Create a Bucket in the AWS documentation.

Update Bucket Permissions

ThreatSync+ NDR collects flow logs from the AWS S3 bucket. Read permissions for the bucket is required to access logs stored in the AWS S3 bucket.

To update bucket permissions:

  1. Click View Details next to the bucket you just created, or search for the bucket by name.
    The Bucket Details page opens.
  2. Select the Permissions tab.

Screenshot of the Permissions tab in an Amazon S3 bucket

  1. In the Bucket policy section, click Edit.
  2. Click Add new statement to add placeholder policy text.

Screenshot of the Edit Policy page of an Amazon S3 bucket

  1. An empty policy is created.

Screenshot of an empty policy in Amazon S3

  1. Add a policy statement that provides read-only access to the WatchGuard Cloud AWS account. Each WatchGuard Cloud region uses a different name. Select the one that corresponds to your account. Copy and paste the snippet below and replace [Bucket Name] with the name of your bucket.

WatchGuard Cloud requires read-only permissions for ListBucket and GetObject.

Copy 
{

                "Sid": "AllowBucketReadToNDR",

                "Effect": "Allow",

                "Principal": {

                    "AWS": "arn:aws:iam::939669539178:role/prod-us-west-2-saas-integration-IAM-Role"

                },

                "Action": [

                    "s3:GetObject",

                    "s3:ListBucket"

                ],

                "Resource": [

                    "arn:aws:s3:::[Bucket Name]",

                    "arn:aws:s3:::[Bucket Name]/*"

                ]

            }
Copy 
{

                "Sid": "AllowBucketReadToNDR",

                "Effect": "Allow",

                "Principal": {

                    "AWS": "arn:aws:iam::939669539178:role/prod-eu-central-1-saas-integration-IAM-Role"

                },

                "Action": [

                    "s3:GetObject",

                    "s3:ListBucket"

                ],

                "Resource": [

                   "arn:aws:s3:::[Bucket Name]",

                    "arn:aws:s3:::[Bucket Name]/*"

                ]

            }
Copy 
{

                "Sid": "AllowBucketReadToNDR",

                "Effect": "Allow",

                "Principal": {

                    "AWS": "arn:aws:iam::939669539178:role/prod-ap-northeast-1saas-integration-IAM-Role"
            },

                "Action": [

                    "s3:GetObject",

                    "s3:ListBucket"

                ],

                "Resource": [

                    "arn:aws:s3:::[Bucket Name]",

                    "arn:aws:s3:::[Bucket Name]/*"

                ]

            }

In this example, a snippet for WatchGuard Cloud in Japan is entered in the bucket policy:

Screenshot of a configured policy in AWS for the Japan region in WatchGuard Cloud

  1. Click Save changes.

Enable VPC Flow Logs in AWS

Configure AWS workloads to send flow logs to the S3 bucket that you created.

To configure AWS VPC flow logs:

  1. In the AWS Management Console, go to the VPC dashboard.
  2. Select the VPC you want to monitor.
  3. On the Flow Logs tab, click Create flow log.
    The Create flow log page opens.

Screenshot of the Create flow log page in the AWS Management Console

  1. In the Flow log settings section, select these options:
    1. In the Filter section, select All.
    2. In the Maximum aggregation interval section, select 10 minutes.
    3. In the Destination section, select Send to an Amazon S3 bucket. Enter the name of the Amazon S3 bucket you created.
    4. In the Log record format section, select Custom format.
    5. Select these attributes from the drop-down list in this order:

    ${version} ${account-id} ${interface-id} ${start} ${end} ${srcaddr} ${srcport} ${dstaddr} ${dstport} ${protocol} ${bytes} ${packets} ${pkt-srcaddr} ${pkt-dstaddr} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${tcp-flags} ${type} ${region} ${az-id} ${sublocation-type} ${sublocation-id} ${pkt-src-aws-service} ${pkt-dst-aws-service} ${flow-direction} ${traffic-path}

Screenshot of the log format attributes, in order, to create flow logs in the AWS Management Console

  1. Verify that the Format preview section shows the attributes in the correct order.
  2. Click Create flow log.

For more information, go to Create a flow log that publishes to Amazon S3 in the AWS documentation.

Create an AWS VPC Flow Logs Cloud Integration

To create an AWS VPC flow logs cloud integration, you must have the Amazon S3 bucket name, account name, and VPC ID.

To add a cloud integration, from WatchGuard Cloud:

  1. Select Configure > ThreatSync+ Integrations > Cloud Integration.
    The Cloud Integrations page opens.
  2. Click Add Cloud Integration.

Screenshot of the Add Cloud Integration page for AWS VPC Flow Logs in the ThreatSync+ Integrations UI

  1. From the Cloud Service drop-down list, select AWS VPC Flow Logs.
  2. In the AWS Account ID text box, enter your AWS Account ID.
  3. In the AWS Bucket Name text box, enter your AWS bucket name.
  4. To add VPC identifiers, click Add Regions and VPC IDs.
    The Add Regions and VPC IDs dialog box opens.
    1. In the Region section, select your region.
    2. In the VPC ID section, enter one or more VPC IDs in the text box and press Enter. You can paste multiple VPC IDs, separated by commas.

Screenshot of the Add Regions and VPC IDs dialog box

  1. Click Add.
    The VPC Identifier shows in the list.

Screenshot of a successfully added VPC identifer in the ThreatSync+ Integrations UI in WatchGuard Cloud

  1. Click Next.

Screenshot of the final page of the AWS VPC Flow Logs Cloud Integration with ThreatSync+ NDR in WatchGuard Cloud

  1. Click Activate.

Screenshot of a successful cloud integration added to ThreatSync+ NDR that shows the Active status

  1. After the status changes from Initializing to Active, the cloud integration configuration is complete. It might take up to 30 minutes for the status to change to Active.
  2. To view the VPC Flow Logs Collection Status and Conversations Flow Count charts, click the cloud integration name in the Name column.

Screenshot of the AWS integration details after a successful cloud integration with ThreatSync+ NDR, Overview tab

It might take up to 90 minutes for ThreatSync+ NDR to learn your environment and start to show alerts in the Monitor menu.

Edit an AWS VPC Flow Logs Cloud Integration

You can edit an existing, active AWS VPC cloud integration to change the description, add or edit a VPC ID, or mute repeated failure notifications.

Screenshot of the AWS VPC integration details after a successful cloud integration with ThreatSync+ NDR, Settings tab

To edit an AWS VPC cloud integration:

  1. Select Configure > ThreatSync+ Integrations > Cloud Integration.
    The Cloud Integrations page opens.
  2. Click the name of the cloud integration you want to edit.
    The Cloud Integration Details page opens, with the Overview tab selected by default.
  3. (Optional) In the Description text box, edit the name of the cloud integration.
  4. Select the Mute Repeated Failure Notifications check box if you only want a single notification sent for this cloud integration when a cloud integration failure occurs.
  5. (Optional) In the AWS VPC IDs and Regions section, add or edit a VPC ID.
  6. Click Save.

Related Topics

About ThreatSync+ Cloud Integration — AWS VPC Flow Logs

About ThreatSync+ Cloud Integrations

Configure ThreatSync+