Why is it important for Threat Hunting?
AWS logs provide unique and crucial visibility into the activities and resources in an organization’s AWS environment.
Because cloud environments differ greatly from traditional on-prem environments, many classic security products and auditing and logging mechanisms no longer exist in the cloud in the form they once did, which makes the multiple logging mechanisms of AWS all the more important for defending an organization’s AWS environment.
Supported data types
- AWS CloudTrail: logs (under the right configuration) each and every API call made in your environment, whether by a user or by a system, through the AWS web console or programmatically. This data source is required for all detections in the AWS control plane.
- AWS Config: records and snapshots (under the right configuration) the configuration of each and every resource in your environment. It is required for adding context to automatic investigations of threat signals detected in the control plane or data plane.
- AWS VPC Flow Logs: the cloud equivalent of firewall logs; they enable detections at the network level of the virtual network in the AWS environment.
- AWS WAF Logs
See Creating dataflow for how to ingest these data types into Hunters.
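As an added illustration (not part of this page or of the Hunters product), the following Python runs two small checks over constructed samples of the first and third data types above: it labels CloudTrail API calls by who made them (principal vs AWS service) and how (web console vs programmatic), and reads VPC Flow Logs the way one would read firewall logs. Field names follow the public CloudTrail record and VPC Flow Log default formats; the values, addresses and account id are made up.

```python
# Added example (not from the Hunters docs): constructed AWS log samples run
# through two small checks. Field names follow the public CloudTrail record
# and VPC Flow Log default formats; all values are made up.
# Constructed CloudTrail records, trimmed to the fields the check reads.
CLOUDTRAIL_SAMPLE = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "userAgent": "console.amazonaws.com"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole"},
     "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/6.1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StartInstances",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"},
     "userAgent": "autoscaling.amazonaws.com"},
]

def classify_cloudtrail(event):
    """Label an API call on the two axes the text names: who made it
    (a principal vs an AWS service) and how (web console vs programmatic)."""
    actor = "service" if event["userIdentity"].get("type") == "AWSService" else "user"
    console = event.get("userAgent", "").startswith("console.amazonaws.com")
    call = f'{event["eventSource"]}:{event["eventName"]}'
    return call, actor, "console" if console else "programmatic"

# Constructed VPC Flow Log lines in the default field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
VPC_FLOW_SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.9 10.0.1.5 51000 443 6 40 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44323 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

def parse_flow_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    parts = line.split()
    return dict(zip(FLOW_FIELDS, parts)) if len(parts) == len(FLOW_FIELDS) else None

def rejected_ports_by_source(text):
    """Firewall-log view: the distinct destination ports each source address was
    denied on. NODATA/SKIPDATA records carry '-' fields and are skipped."""
    denied = {}
    for line in text.splitlines():
        rec = parse_flow_line(line)
        if rec and rec["log_status"] == "OK" and rec["action"] == "REJECT":
            denied.setdefault(rec["srcaddr"], set()).add(int(rec["dstport"]))
    return {src: sorted(ports) for src, ports in denied.items()}
```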