SIEM connector for Yandex Cloud

Updated September 24, 2024

With SIEM connector for Yandex Cloud, you can collect audit logs from Yandex Cloud resources and deliver them to the SIEM system deployed in your organization's infrastructure. The event data is sent in CEF format over the syslog protocol. You can use this data to monitor Yandex Cloud service operation, as well as to detect and analyze information security incidents.

Deployment instructions
  1. Configure uploading audit logs to Object Storage.

  2. Create an IPSec VPN tunnel between the cloud network and the corporate one. For detailed information, see the Tutorial on deploying a SIEM connector for Yandex Cloud (in Russian).

  3. Get an SSH key pair to connect to a virtual machine (VM).

  4. Create a VM from a public image. Under Image/boot disk selection, go to the Cloud Marketplace tab and select SIEM connector for Yandex Cloud. Under Access:

    • Enter the username in the Login field.
    • Paste the contents of the public key file in the SSH key field.

    Save the VM public IP address.

  5. Connect to the VM over SSH. Use the username you provided when creating the VM, as well as the private key.

  6. Mount the bucket with audit logs to the VM’s file system using s3fs.

  7. To set up the SIEM connector, run this command:

    sudo /home/agent/yc_agent/agent agentsetup
    
  8. To create a new configuration, enter 1 (create new config).

  9. Select the configuration component: 3 (jsonfolderfollower).

  10. Install the sources for audit logs:

    1. Enter 1 (Add, modify, or remove sources).
    2. Select A (Add) and set the parameters for the sources:
      • In the config file field, enter yc.
      • In the folder field, specify the path to the mounted bucket with audit logs, e.g., /home/agent/logs/.
      • In the wildcard field, enter the *.json log mask.
      • In the mode field, specify what to do with logs once they have been processed on the VM: D (DeleteFile) or R (RenameFile).
      • In the process folders recursively field, type Y (Yes).
    3. Double-check the specified parameters and type F (Finish).
  11. Set the destination for audit logs:

    1. Enter 2 (Add, modify, or remove destinations).
    2. Select A (Add) and set the parameters for the destination:
      • In the Destination type field, enter 0 (cefsyslog).
      • In the Host field, enter the IP address of the server where you installed the SIEM system syslog connector in your corporate network.
      • In the Port field, specify 514.
      • In the Protocol field, specify UDP.
    3. Double-check the specified parameters and type F (Finish).
  12. Start the SIEM connector:

    1. Enter 3 (Install as a service).
    2. To change the service name and description, at the Change service name/description prompt, type Y (Yes) and set the new parameters:
      • In the Service name [inforter_agent_jsonfolderfollower] field, enter the new name for the service.
      • In the Description [inforter_agent_jsonfolderfollower] field, enter the new service description.
    3. At the Starting the service at startup prompt, type Y (Yes).
  13. To exit the configuration menu, type 0 (Exit).
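Step 11 points the connector at a syslog receiver on UDP port 514. UDP delivery is unacknowledged, so the sender cannot tell whether events actually reached the SIEM. The script below is an added example, not part of the connector or of Yandex Cloud's code: it binds a UDP socket on the destination side, parses each datagram's CEF header and extension fields, and counts events by signature ID so you can confirm receipt after finishing the setup. The sample messages, the vendor/product names and the signature IDs in them are constructed placeholders, not the connector's real field values.

```python
"""Receipt check for CEF-over-syslog delivery from the SIEM connector.
Added example; the sample lines below are constructed, not real connector output."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed samples in the syslog + CEF shape: <PRI>TIMESTAMP HOST CEF:Version|...
# Vendor, product and signature IDs are placeholders, not the connector's values.
SAMPLE_LINES: List[str] = [
    "<14>Sep 24 12:00:00 siem-connector CEF:0|ExampleVendor|ExampleProduct|1.0|"
    "compute.instance.create|Create VM|5|src=198.51.100.7 suser=admin@example.com "
    "msg=Instance created with public IP",
    "<14>Sep 24 12:00:01 siem-connector CEF:0|ExampleVendor|ExampleProduct|1.0|"
    "iam.key.create|Access key \\| created|7|suser=svc@example.com "
    "cs1Label=key_id cs1=key\\=abc123",
]

_CEF_START = re.compile(r"CEF:(?P<version>\d+)\|")
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # extension keys are preceded by whitespace


def _split_header(text: str, nfields: int) -> Tuple[List[str], str]:
    """Return the first nfields '|'-separated header fields (with '\\|' unescaped)
    and the raw remainder, which is the CEF extension."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < nfields:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character, keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < nfields:  # last header field ended at end of string
        fields.append("".join(cur))
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' pairs; unescape '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        value = ext[m.end():end]
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line carrying a CEF payload; None if it is not CEF."""
    m = _CEF_START.search(line)
    if not m:
        return None
    fields, ext = _split_header(line[m.end():], 6)
    if len(fields) < 6:
        return None
    vendor, product, dev_version, sig_id, name, severity = fields
    return {
        "syslog_prefix": line[:m.start()].rstrip(),
        "cef_version": int(m.group("version")),
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity) if severity.isdigit() else severity,
        "extension": _parse_extension(ext),
    }


def count_by_signature(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Tally received events per signature ID (a quick delivery sanity check)."""
    counts: Dict[str, int] = {}
    for ev in events:
        sig = str(ev["signature_id"])
        counts[sig] = counts.get(sig, 0) + 1
    return counts


def receive_events(port: int = 514, count: int = 10, timeout: float = 30.0,
                   bind: str = "0.0.0.0") -> List[Dict[str, object]]:
    """Listen for UDP syslog datagrams until `count` CEF events arrive or `timeout`
    seconds pass. Port 514 requires root; use a high port for a dry run."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind, port))
    events: List[Dict[str, object]] = []
    try:
        while len(events) < count:
            data, addr = sock.recvfrom(65535)
            ev = parse_cef(data.decode("utf-8", errors="replace"))
            if ev:
                ev["sender"] = addr[0]  # should be the connector VM's address
                events.append(ev)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return events


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; on the destination host
    # call receive_events(port=514) instead to check live delivery.
    parsed = [ev for ev in (parse_cef(line) for line in SAMPLE_LINES) if ev]
    for ev in parsed:
        print(ev["signature_id"], ev["severity"], ev["extension"])
    print(count_by_signature(parsed))
```

Run it on the syslog server named in the Host field while the connector service is running; an empty result after the timeout means the VPN tunnel, the destination address, or the service itself needs another look before the SIEM's own ingestion is blamed.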

Billing type
Free
Type
Virtual Machine
Category
Security
Publisher
ast_siem_connector
Use cases
  • Cloud resource monitoring.
  • Detecting information security incidents.
  • Event analysis:
    • Creating VMs.
    • Adding external network interfaces for existing VMs.
    • Adding a public IP address for existing VMs.
  • Monitoring of access key management.
Technical support

ATB
ATB provides paid technical support for SIEM connector users in Yandex Cloud. You can contact technical support:

Yandex Cloud
Yandex Cloud does not provide technical support for this product. If you have any issues, please refer to the respective developer’s information resources.

Product IDs
image_id:
fd86picci18a45h1e3tq
family_id:
ast-siem-connector-for-yandex-cloud
Product composition
Software: CentOS
Version: 7
Terms
By using this product you agree to the Yandex Cloud Marketplace Terms of Service