Platform logging integration with Cortex XSIAM
Introduction
The Modernisation Platform shares log data with the Security Operations Cortex XSIAM application for the purpose of protective monitoring.
Categories of data shared with Security Operations
The following data is collected for Cortex XSIAM consumption, listed as source account followed by the data shared:
- core-logging: aggregated CloudTrail log data from all Modernisation Platform accounts.
- core-network-services: Network Firewall alert logs.
- core-vpc-production: Route 53 Resolver Query Log data.
- core-*: Route 53 Resolver Query Log data for live_data VPCs.
- core-network-services: VPC Flow Log data for the external_inspection VPC.
- core-vpc-production: VPC Flow Log data.
- core-*: VPC Flow Log data for live_data VPCs.
Log delivery methods
The Cortex XSIAM application prefers S3 as its data source and pulls from the following buckets:
- VPC Flow Log data is pulled from the core-logging-vpc-flow-logs S3 bucket in the core-logging account.
- Route 53 Resolver Query Log data is pulled from the core-logging-r53-resolver-logs S3 bucket in the core-logging account.
- CloudTrail log data is pulled from the modernisation-platform-logs-cloudtrail S3 bucket in the core-logging account.
The Cortex XSIAM application receives Network Firewall alert logs by way of an Amazon Data Stream configured in the core-network-services account.
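Because protective monitoring depends on these three S3 feeds being delivered continuously, a practitioner will want a feed-freshness check that flags any bucket XSIAM would currently be reading stale or missing data from. The following is an added example, not part of the Modernisation Platform's own code; the age thresholds, the account id and the object keys are constructed assumptions, and in practice the listing would come from an S3 object listing (for example `list_objects_v2`) rather than the inline sample.

```python
from datetime import datetime, timedelta, timezone

# Buckets documented above in the core-logging account: bucket -> (feed name, max acceptable age).
# The age thresholds are assumptions for this example, not values from the platform docs.
LOG_SOURCES = {
    "core-logging-vpc-flow-logs": ("VPC Flow Logs", timedelta(minutes=30)),
    "core-logging-r53-resolver-logs": ("Route 53 Resolver Query Logs", timedelta(minutes=30)),
    "modernisation-platform-logs-cloudtrail": ("CloudTrail", timedelta(hours=1)),
}


def check_feed_freshness(listings, now):
    """Return {bucket: reason} for every documented feed that is empty or stale.

    listings: {bucket: [(object_key, last_modified datetime), ...]} as an S3
    object listing would provide. A bucket missing from `listings` counts as empty.
    """
    stale = {}
    for bucket, (feed, max_age) in LOG_SOURCES.items():
        objects = listings.get(bucket, [])
        if not objects:
            stale[bucket] = f"{feed}: no objects found in {bucket}"
            continue
        newest = max(last_modified for _key, last_modified in objects)
        age = now - newest
        if age > max_age:
            age_min = int(age.total_seconds() // 60)
            limit_min = int(max_age.total_seconds() // 60)
            stale[bucket] = f"{feed}: newest object is {age_min} min old (limit {limit_min} min)"
    return stale


# Constructed sample listing: flow logs are fresh, resolver logs are three hours old,
# and the CloudTrail bucket is absent from the listing entirely. Account id is a placeholder.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTINGS = {
    "core-logging-vpc-flow-logs": [
        ("AWSLogs/111111111111/vpcflowlogs/eu-west-2/2024/05/01/sample-1.log.gz", NOW - timedelta(minutes=5)),
        ("AWSLogs/111111111111/vpcflowlogs/eu-west-2/2024/05/01/sample-0.log.gz", NOW - timedelta(minutes=15)),
    ],
    "core-logging-r53-resolver-logs": [
        ("AWSLogs/111111111111/vpcdnsquerylogs/vpc-0abc/2024/05/01/sample.log.gz", NOW - timedelta(hours=3)),
    ],
}

if __name__ == "__main__":
    for bucket, reason in check_feed_freshness(SAMPLE_LISTINGS, NOW).items():
        print(f"STALE {bucket}: {reason}")
```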
Known contacts:
- Leonardo Marini - Leonardo.Marini@justice.gov.uk. Contractor who implements the Cortex XSIAM endpoints that receive the Firehose transfers (https://www.paloaltonetworks.com/cortex/cortex-xsiam).
- The Protective Monitoring Team, who will be managing the Cortex XSIAM platform going forward - monitoring-and-integration-platform@justice.gov.uk