Platform logging integration with Cortex XSIAM
Introduction
The Modernisation Platform shares data with the Security Operations Cortex XSIAM application for the purpose of protective monitoring.
Categories of data shared with Security Operations
The following data is collected for Cortex XSIAM consumption:

- CloudTrail logs aggregated from all Modernisation Platform accounts in the `core-logging` account
- AWS Config logs aggregated from all Modernisation Platform accounts, stored centrally in the `core-logging` account
- Network Firewall "Alert" logs based in `core-network-services`
- Route53 Resolver Query Logs for `live_data` VPCs based in `core-*` accounts
- VPC Flow Logs
  - for the `external_inspection` VPC based in `core-network-services`
  - for `live_data` VPCs based in `core-*` accounts
  - for the
- SecurityHub, GuardDuty and Inspector findings from all MoJ AWS accounts aggregated in the `organisation-security` account
- Organizations data based in the `moj-master` account
Log delivery methods
S3

- VPC Flow Log data is pulled from the `core-logging-vpc-flow-logs` S3 bucket in the `core-logging` account.
- Route 53 Resolver Query Log data is pulled from the `core-logging-r53-resolver-logs` S3 bucket in the `core-logging` account.
- CloudTrail log data is pulled from the `modernisation-platform-logs-cloudtrail` S3 bucket in the `core-logging` account.
- AWS Config log data is pulled from the `modernisation-platform-logs-config` S3 bucket in the `core-logging` account.
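Because XSIAM pulls these four sources rather than having them pushed, a stalled bucket silently blinds protective monitoring. The following freshness check is an added example, not part of the Modernisation Platform's own code or documentation: it flags any of the four pull buckets that is missing, empty or has not received an object within an assumed tolerance. The listings are constructed sample data shaped like boto3 `list_objects_v2` responses, and `MAX_AGE` is an assumed value.

```python
from datetime import datetime, timedelta, timezone

# The four buckets Cortex XSIAM pulls from, all in the core-logging account.
XSIAM_PULL_BUCKETS = {
    "core-logging-vpc-flow-logs": "VPC Flow Logs",
    "core-logging-r53-resolver-logs": "Route 53 Resolver Query Logs",
    "modernisation-platform-logs-cloudtrail": "CloudTrail",
    "modernisation-platform-logs-config": "AWS Config",
}
MAX_AGE = timedelta(hours=2)  # assumed tolerance; tune per log source


def newest_object_age(listing, now):
    """Age of the newest object in a list_objects_v2-shaped dict, or None if empty."""
    contents = listing.get("Contents", [])  # boto3 omits "Contents" for an empty bucket
    if not contents:
        return None
    return now - max(obj["LastModified"] for obj in contents)


def stale_buckets(listings, now, max_age=MAX_AGE):
    """Return {bucket: reason} for each monitored bucket that is missing, empty or stale."""
    problems = {}
    for bucket, source in XSIAM_PULL_BUCKETS.items():
        listing = listings.get(bucket)
        if listing is None:
            problems[bucket] = f"{source}: bucket not found in listings"
            continue
        age = newest_object_age(listing, now)
        if age is None:
            problems[bucket] = f"{source}: bucket is empty"
        elif age > max_age:
            problems[bucket] = f"{source}: newest object is {age} old"
    return problems


# Constructed sample: CloudTrail and VPC Flow Logs healthy, Config stale,
# Route 53 bucket absent from the listing entirely.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTINGS = {
    "core-logging-vpc-flow-logs": {"Contents": [
        {"Key": "AWSLogs/flow/2024-01-01-1130.log.gz", "LastModified": SAMPLE_NOW - timedelta(minutes=30)}]},
    "modernisation-platform-logs-cloudtrail": {"Contents": [
        {"Key": "AWSLogs/ct/2024-01-01-1155.json.gz", "LastModified": SAMPLE_NOW - timedelta(minutes=5)}]},
    "modernisation-platform-logs-config": {"Contents": [
        {"Key": "AWSLogs/config/2024-01-01-0600.json.gz", "LastModified": SAMPLE_NOW - timedelta(hours=6)}]},
}

if __name__ == "__main__":
    for bucket, reason in stale_buckets(SAMPLE_LISTINGS, SAMPLE_NOW).items():
        print(f"ALERT {bucket}: {reason}")
```

In a live deployment the listings would come from a read-only principal in the `core-logging` account and the alerts would be routed to whoever owns the pull integration.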
Data Firehose

- The Cortex XSIAM application receives Network Firewall `alert` logs by way of an Amazon Data Firehose configured in the `core-network-services` account.

IAM Users

- `XsoarIntegration` and `XsiamIntegration` IAM users based in the `moj-master` and `organisation-security` accounts enable the AWS Organizations and AWS Security Hub Event Collector integrations.

IAM Role/CloudFormation

- Cloud Inventory Data is shared with XSIAM using roles deployed into each AWS account in the organization by a CloudFormation StackSet based in the `organisation-security` account.
Known Contacts:
Vinnie Burtonshaw - Vincent.Burtonshaw@justice.gov.uk. Implements the Cortex XSIAM endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)
The Protective Monitoring Team, who will be managing the Cortex XSIAM platform going forward - monitoring-and-integration-platform@justice.gov.uk