Uploading Audit Trails to Managed Service for OpenSearch
Today, we’ll talk about how to set up the Audit Trails service to upload audit logs to Managed Service for OpenSearch and how to apply pre-configured security event response rules.
March 6, 2023
7 mins to read
This scenario is aimed at information security (IS) professionals. We will show how to set up audit log delivery from Audit Trails in a few simple steps, using the Data Streams and Data Transfer services, with Managed Service for OpenSearch acting as the SIEM for analyzing the logs and responding to security events.
Create a trail in Audit Trails with Data Streams as its destination. To make it easier to import the objects from the Security Content library later, name the stream “audittrails.”
Deploy a cluster using Managed Service for OpenSearch.
Configure the Source endpoint of the Data Transfer service with Data Streams as the source. Make sure to select the AuditTrails.v1 parser option in the settings (Advanced settings → Conversion rules).
Configure the Receiver endpoint in the Data Transfer service with Managed Service for OpenSearch as the receiver. Before the transfer writes into the OpenSearch cluster, create a dedicated user whose permissions are limited to creating and writing the audit index, and enter that user’s credentials in the endpoint; do not reuse the cluster’s admin account for this.
With both endpoints set up, create a transfer between them and click the Activate button.
All done! The data transfer is in progress.
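The limited-access user from the Receiver endpoint step deserves more than a single sentence, so here is an added example (not code from the original post or from the Yandex Cloud solution library) that provisions such a user through the OpenSearch Security plugin REST API. It assumes the cluster exposes that API under /_plugins/_security/api, that the transfer only needs to create the index, put its mapping and perform index/bulk writes, and that the names audittrails_writer, the _writer role suffix and the admin credentials are placeholders you replace.

```python
"""Least-privilege OpenSearch user for the Data Transfer receiver endpoint.

Added example; this is not code from the original post or from the Yandex Cloud
solution library. It builds the request bodies for the OpenSearch Security
plugin REST API (role, internal user, role mapping) so that the transfer writes
with a user that can only create and append to indices matching the stream
name, rather than with the cluster admin account.

Assumptions (not stated in the post): the cluster exposes the Security plugin
API under /_plugins/_security/api, and the actions the transfer needs are
create index, put mapping and index/bulk writes. If the first transfer run
fails with a 403, compare the action named in the error with ALLOWED_ACTIONS.
"""
import base64
import json
import urllib.request

SECURITY_API = "/_plugins/_security/api"

# Explicit action names instead of the "write" action group: "write" also
# grants indices:data/write/delete*, which an audit-log writer must not have.
ALLOWED_ACTIONS = [
    "indices:admin/create",
    "indices:admin/mapping/put",
    "indices:data/write/index*",
    "indices:data/write/bulk*",
]


def writer_role(index_pattern: str) -> dict:
    """Role that can create and write indices matching index_pattern, nothing else."""
    return {
        # bulk requests are authorised at cluster level as "composite" operations
        "cluster_permissions": ["cluster_composite_ops"],
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "allowed_actions": list(ALLOWED_ACTIONS),
        }],
        "tenant_permissions": [],
    }


def provision_requests(username: str, password: str, index_pattern: str) -> list:
    """The three PUT requests, in the order they must be sent."""
    role = f"{username}_writer"
    return [
        ("PUT", f"{SECURITY_API}/roles/{role}", writer_role(index_pattern)),
        ("PUT", f"{SECURITY_API}/internalusers/{username}", {"password": password}),
        ("PUT", f"{SECURITY_API}/rolesmapping/{role}", {"users": [username]}),
    ]


def send(base_url: str, admin: tuple, method: str, path: str, body: dict) -> dict:
    """Send one JSON request with HTTP basic auth; base_url must be https://host:9200."""
    token = base64.b64encode(f"{admin[0]}:{admin[1]}".encode()).decode()
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def provision_writer(base_url, admin, username, password, index_pattern="audittrails*"):
    """Create the role, the user and the mapping; returns the three API responses."""
    return [send(base_url, admin, m, p, b)
            for m, p, b in provision_requests(username, password, index_pattern)]


if __name__ == "__main__":
    # Print the bodies so they can be pasted into the Dashboards Security UI instead.
    for method, path, body in provision_requests("audittrails_writer", "<password>", "audittrails*"):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Run it as a script to get the three request bodies for the Security UI, or call provision_writer("https://<host>:9200", ("admin", "<admin password>"), "audittrails_writer", "<password>") once the cluster is reachable. The user gets no read permission at all, so a leaked transfer credential cannot be used to query the audit log; analysts read it with their own accounts.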
If you’re looking for a more advanced method to move Audit Trails logs to OpenSearch, you can also use S3 and automation scripts from the Yandex Cloud Security Solution Library.
Check that the data was loaded into OpenSearch successfully.
In the OpenSearch cluster’s web interface, open the Global tenant. Create an index pattern containing the “audittrails*” string. The index into which the data from Audit Trails is loaded will be named “audittrails” after the data stream’s name in Data Streams.
Your Audit Trails data will appear in the Elastic Common Schema format on the Discover tab.
In the yc-solution-library-for-security repository, open the auditlogs/export-auditlogs-to-Opensearch/update-opensearch-scheme/include/audit-trail folder; the saved objects for the transfer live in the content-for-transfer directory, so change into it:
cd yc-solution-library-for-security/auditlogs/export-auditlogs-to-Opensearch/update-opensearch-scheme/content-for-transfer/
In OpenSearch Dashboards, go to Stack Management → Saved Objects → Import and import the dashboard.ndjson, filters.ndjson and search.ndjson files.
Open the dashboard.
In the Discover section, click Open and select the imported saved search “Yandexcloud: Interesting fields.” Its columns show the event fields that are most useful for filtering.
Alerts can be set up with OpenSearch’s Alerting plugin. To save you working out the monitor definition format, we have prepared sample code that you can paste straight into the monitor creation window, together with an example trigger action that references fields of the matching events.
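As an added example (not the sample monitor shipped with the solution library), the following builds a complete Alerting monitor body for the audittrails* index and checks the same selection logic offline over constructed sample events. It assumes the ECS documents carry the Audit Trails event type in event.action, the actor in user.name and the client address in source.ip, that a notification channel already exists (its id is passed as channel_id), and the event type names, user names and addresses in the sample documents are made up for the demonstration.

```python
"""OpenSearch Alerting monitor for one Audit Trails event type.

Added example; it is not the sample monitor shipped with the Yandex Cloud
solution library. build_monitor() returns the body for
POST /_plugins/_alerting/monitors (or for the JSON editor of the monitor
creation window): a query-level monitor that searches the audittrails* index
every few minutes for a given event type and, when anything matches, sends a
message listing the matching events. matching_events() applies the same
selection offline to already-fetched documents, here to constructed sample
events, so the logic can be checked without a cluster.

Assumptions (not stated in the post): the ECS documents carry the Audit Trails
event type in event.action, the actor in user.name and the client address in
source.ip, and a notification channel with id channel_id already exists.
"""
from datetime import datetime, timedelta, timezone

TRIGGER_CONDITION = "ctx.results[0].hits.total.value > 0"


def audit_query(event_field: str, event_type: str, window_minutes: int) -> dict:
    """Query DSL the monitor runs: documents of one event type inside the window."""
    return {
        "size": 20,  # these hits reach the action as ctx.results.0.hits.hits
        "query": {"bool": {"filter": [
            {"term": {event_field: event_type}},
            {"range": {"@timestamp": {"gte": f"now-{window_minutes}m"}}},
        ]}},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def build_monitor(name, index_pattern, event_type, channel_id,
                  window_minutes=5, event_field="event.action") -> dict:
    """Monitor body: search input, Painless trigger, Mustache-templated action."""
    message = (
        "{{#ctx.results.0.hits.hits}}"
        "{{_source.user.name}} from {{_source.source.ip}}: {{_source.event.action}}\n"
        "{{/ctx.results.0.hits.hits}}"
    )
    return {
        "type": "monitor",
        "monitor_type": "query_level_monitor",
        "name": name,
        "enabled": True,
        # the search window equals the run interval, so every event is seen once
        "schedule": {"period": {"interval": window_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [index_pattern],
                               "query": audit_query(event_field, event_type, window_minutes)}}],
        "triggers": [{
            "name": f"{name}-seen",
            "severity": "1",
            "condition": {"script": {"source": TRIGGER_CONDITION, "lang": "painless"}},
            "actions": [{
                "name": f"{name}-notify",
                "destination_id": channel_id,
                "subject_template": {"source": "{{ctx.monitor.name}}: {{ctx.results.0.hits.total.value}} event(s)",
                                     "lang": "mustache"},
                "message_template": {"source": message, "lang": "mustache"},
                "throttle_enabled": False,
            }],
        }],
    }


def _field(doc: dict, dotted: str):
    """Walk a nested ECS document by dotted path, e.g. "event.action"."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def matching_events(docs, event_type, window_minutes, now, event_field="event.action"):
    """Offline equivalent of audit_query: same field match and same time window."""
    cutoff = now - timedelta(minutes=window_minutes)
    return [d for d in docs
            if _field(d, event_field) == event_type
            and datetime.fromisoformat(d["@timestamp"]) >= cutoff]


# Constructed sample documents in the ECS shape assumed above (not real logs).
NOW = datetime(2023, 3, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"@timestamp": "2023-03-06T11:58:00+00:00",
     "event": {"action": "yandex.cloud.audit.iam.CreateAccessKey"},
     "user": {"name": "alice"}, "source": {"ip": "198.51.100.7"}},
    {"@timestamp": "2023-03-06T09:30:00+00:00",   # outside the 5-minute window
     "event": {"action": "yandex.cloud.audit.iam.CreateAccessKey"},
     "user": {"name": "bob"}, "source": {"ip": "198.51.100.8"}},
    {"@timestamp": "2023-03-06T11:59:00+00:00",   # different event type
     "event": {"action": "yandex.cloud.audit.compute.StartInstance"},
     "user": {"name": "alice"}, "source": {"ip": "198.51.100.7"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_monitor("iam-access-key-created", "audittrails*",
                                   "yandex.cloud.audit.iam.CreateAccessKey", "<channel-id>"), indent=2))
    hits = matching_events(SAMPLE_DOCS, "yandex.cloud.audit.iam.CreateAccessKey", 5, NOW)
    print("would trigger:", len(hits) > 0)
```

The trigger condition is the usual “any hit” check on ctx.results[0].hits.total.value; the action’s Mustache template iterates over ctx.results.0.hits.hits, which is why the query keeps a non-zero size. If your ECS mapping names the event-type field differently, pass it as event_field and adjust the _source paths in the message template to match.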
Feel free to adapt this setup to your needs, and contact us if you have any questions or concerns.
Alexey Myrtov
Head of the Security & Compliance Product Architecture Team.