In this installment of the Tips and Insights series, Fayyaz Rajpari explains how to monitor an AWS environment in FireEye Helix: pulling the API call history from AWS CloudTrail, network flow records from VPC flow logs, and pivoting on both to build dashboards.
Hi, my name is Fayyaz Rajpari, and I'm a Solutions Architect at FireEye. In this video I'd like to share a tip on how to monitor your AWS environment in FireEye Helix. With AWS CloudTrail and VPC flow logs, you can monitor your AWS environment by getting a history of all API calls. CloudTrail is turned on by default in AWS. You may want to check your AWS account ahead of time to verify this is enabled, and also be sure you've assigned them to go to the S3 buckets of your choice.

Once complete, you can check in Helix by simply searching for "class AWS *" and then grouping by class. What that gives me is all of the AWS-specific logs, showing specifically which types of AWS logs are coming into my instance. So you can see here on the left you've got aws_cloudtrail, aws_vpc_flow and aws_elb.

So specifically we're going to go into the aws_cloudtrail logs and take a look at what that provides us. I'll go ahead and click search, and remember we can choose the number of days we want to search CloudTrail for. In this scenario I'm just leaving the default of the past 7 days, and it provided me all of my AWS CloudTrail logs. AWS CloudTrail provides me information on the specific API calls that have been made within the environment, monitoring against my AWS instance. Furthermore, I want to look at the specific actions that were made in those logs, so I can do Group by Action, Group by Field, and that will give me detailed information on specifically what actions were created within CloudTrail. Table these results for a better view here. And here it is.

The next thing I want to do is go back and look at the VPC flow logs. So we're going to do "AWS *", group by class, and we want to look at the aws_vpc_flow logs. We'll do another search on VPC flow. What VPC flow provides is NetFlow-type information about the AWS network for your specific instance.
So you can tell you've got IP-related information: destination IP, destination port, source IP and source port, and we can get more detail by clicking on the geolocation, or geotag, to get additional geolocation here as well. This gives an analyst great visibility into specifically what type of network flows are coming into the environment and going out of the environment. So I'll do additional pivots here to get more details on the source location and the destination location. We'll do a "group by" here: let's just do the source country, so we'll group by source country, and then we'll group by destination country. And there we have information on the source countries and destination countries.

Furthermore, what you can do is finish it off with dashboards, so we'll jump into the dashboard. We've already had some created in here specifically around AWS, to give more clarity on what type of visibility the AWS-specific services can provide from a monitoring perspective. What you can see here is that we've expanded on those searches and built specific dashboards to provide connectivity for AWS CloudTrail, giving you the actions that were made within AWS. Top 10 blocked sources shows the reject actions grouped by source IP. Additionally, we can also do other things like console logon: this one specifically is around AWS CloudTrail console logons, grouped by the username, source region and source country, and gives me the count for them. And lastly, some specific infrastructure alerts, also coming from the AWS CloudTrail logs.

So that concludes our look into AWS monitoring with Helix. Now you have a better eye on what action is being taken, and by whom, in your cloud environment. Check back for more product tips and insights from FireEye.
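The pivots shown in the video (REJECT flow records grouped by source IP, CloudTrail events grouped by action, console logons grouped by user and region) can be reproduced offline against the raw log files to check what a dashboard is actually counting. The following is an added example written for this page; it is not code from the video, from FireEye, or from Helix. It works on the real default (version 2) VPC flow log record layout and the real `{"Records": [...]}` shape CloudTrail delivers to S3, but every record below is constructed sample data, and the function names (`parse_vpc_flow`, `top_blocked_sources`, `group_by_action`, `console_logins`, `blocked_sources_with_console_login`) are this example's own. Helix's geotag enrichment is not reproduced, so the console-logon grouping uses the raw source IP instead of source country.

```python
import json
from collections import Counter

# --- Constructed sample data (not real logs) -------------------------------

# Default VPC flow log record layout (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# The last line is a NODATA record: no traffic fields, no action, only '-'.
VPC_FLOW_SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.20 44321 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.20 44322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.9 10.0.1.20 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 192.0.2.77 10.0.1.20 60000 23 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.5 10.0.1.20 44323 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""

# CloudTrail delivers objects of the form {"Records": [...]} to the S3 bucket.
# Only the fields used below are included in these constructed events.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T10:00:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root"},  # root logons carry no userName
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2024-01-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# --- VPC flow logs ----------------------------------------------------------

VPC_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
              "srcport", "dstport", "protocol", "packets", "bytes", "start",
              "end", "action", "log_status")


def parse_vpc_flow(text):
    """Parse default-format flow log lines into dicts keyed by VPC_FIELDS.
    NODATA/SKIPDATA records have '-' in the traffic fields and no action,
    so they are dropped instead of being counted as a bogus source IP."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(VPC_FIELDS):
            continue  # blank, malformed, or custom-format line
        rec = dict(zip(VPC_FIELDS, parts))
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def top_blocked_sources(records, n=10):
    """'Top 10 blocked sources': REJECT records grouped by source IP,
    most frequent first, as (srcaddr, count) pairs."""
    counts = Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")
    return counts.most_common(n)


# --- CloudTrail -------------------------------------------------------------

def parse_cloudtrail(text):
    """Return the list of events from one delivered CloudTrail object."""
    return json.loads(text)["Records"]


def group_by_action(events):
    """'Group by Action': CloudTrail events counted by eventName."""
    return Counter(e["eventName"] for e in events)


def console_logins(events):
    """Console logons counted by (user, region, source IP, outcome).
    Falls back to the identity type (e.g. 'Root') when userName is absent."""
    rows = Counter()
    for e in events:
        if e.get("eventSource") != "signin.amazonaws.com" or e.get("eventName") != "ConsoleLogin":
            continue
        ident = e.get("userIdentity", {})
        user = ident.get("userName") or ident.get("type", "unknown")
        outcome = e.get("responseElements", {}).get("ConsoleLogin", "unknown")
        rows[(user, e.get("awsRegion"), e.get("sourceIPAddress"), outcome)] += 1
    return rows


def blocked_sources_with_console_login(flow_records, events):
    """Cross-source pivot: IPs rejected at the VPC edge that also show up as a
    console logon source in CloudTrail, sorted for stable output."""
    blocked = {ip for ip, _ in top_blocked_sources(flow_records, n=None)}
    login_ips = {ip for (_, _, ip, _) in console_logins(events)}
    return sorted(blocked & login_ips)


if __name__ == "__main__":
    flows = parse_vpc_flow(VPC_FLOW_SAMPLE)
    events = parse_cloudtrail(CLOUDTRAIL_SAMPLE)
    print("top blocked sources:", top_blocked_sources(flows))
    print("actions:", group_by_action(events))
    for key, count in console_logins(events).items():
        print("console logon:", key, count)
    print("blocked + console logon:", blocked_sources_with_console_login(flows, events))
```

Two operational notes. The files CloudTrail and VPC flow logs write to S3 are gzip-compressed, so a real reader opens them with `gzip.open` before passing the text to these parsers. And only a trail configured to deliver to an S3 bucket produces those files; the 90-day Event history visible in the CloudTrail console is separate, which is why the video's advice to confirm the S3 destination ahead of time matters for any SIEM ingestion, Helix included.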