Integrations


AWS

DefenseStorm supports integration with AWS through CloudTrail, Elastic Load Balancing (ELB) access logs, and S3 log buckets. See the instructions in this article on how to set up communication between DefenseStorm and AWS for each of these services.

CloudTrail & ELB

DefenseStorm watches and alerts on the parts of AWS that, under the shared responsibility model, Amazon expects you to monitor. For example:

  • Operating system
  • Network configurations
  • Applications 
  • Access management 

CloudTrail is an Amazon web service that provides visibility into user activity by recording the API calls made in your account and delivering the log files to an Amazon S3 bucket. This information helps you track changes made to your AWS resources and troubleshoot operational issues. If you are using AWS, it is recommended that CloudTrail be enabled.

The DefenseStorm GRID also ingests ELB access logs, which capture detailed information about requests sent to the load balancer. Perform the following steps to set up these AWS features through the DefenseStorm UI.

  1. Go to Settings > Integrations and select the Amazon Web Services icon.
  2. Input your Amazon Web Services Account information and select Create.
  3. Connect CloudTrail to DefenseStorm by selecting the gear icon on CloudTrail and following the instructions displayed.
  4. Connect your AWS ELB to DefenseStorm by selecting the gear icon on Elastic Load Balancing, and then following the instructions displayed. 


S3 Logs

Registering the S3 Log Bucket with DefenseStorm

  1. Go to DefenseStorm GRID > Settings > Integrations > AWS (If an AWS Account is not registered with DefenseStorm, fill out the dialog box to do so.) 
  2. Click on S3 Log Sources.
  3. Click the [+] button, provide the bucket name and, optionally, the IAM role that DefenseStorm assumes to read from the bucket (see "Creating a Cross-Account Role" below).


Granting DefenseStorm Read Permission

The customer has two options: granting read permission directly on the bucket and its contents with a bucket policy, or creating an IAM role that DefenseStorm can assume.

1. Granting Permission on the Bucket

  1. Open the AWS Console > S3 from the Services dropdown > Click on the appropriate bucket from the list
  2. Go to the "Permissions" tab > "Bucket Policy"
  3. Paste the following into the text field, replace all instances of <YOUR-BUCKET-NAME> with the name of your bucket, and save.
    Note: If the bucket already has a policy, append the two objects in the "Statement" list below to the existing policy's "Statement" list rather than replacing the policy; Sids must be unique within a policy, so check that neither name is already in use. The principal arn:aws:iam::213533855010:root grants the DefenseStorm AWS account as a whole (any principal in that account that its administrators allow) the two listed actions on this bucket only; the cross-account role option below instead keeps the grant in an IAM role you control and adds an external ID condition.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DefensestormListS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR-BUCKET-NAME>"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::213533855010:root"
            }
        },
        {
            "Sid": "DefensestormGetS3",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"
            ],
            "Principal": {
                "AWS": "arn:aws:iam::213533855010:root"
            }
        }
    ]
}
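The bucket-policy merge described in the note above, as an added Python example that is not part of the DefenseStorm documentation: it appends the two statements to an existing bucket policy without duplicating Sids, leaves the original document untouched, and then reports what the resulting policy grants to the DefenseStorm principal. The account ID and the two statements are taken from the policy above; the existing policy (a TLS-only Deny on a bucket named example-logs) is a constructed sample.

```python
"""Append the DefenseStorm read statements to an existing bucket policy and
audit what the result grants to the DefenseStorm principal."""
import copy
import json

DEFENSESTORM_ACCOUNT = "213533855010"   # account ID from the policy above
DS_PRINCIPAL = f"arn:aws:iam::{DEFENSESTORM_ACCOUNT}:root"


def _as_list(value):
    # Policy documents allow a single string where a list is also accepted.
    return value if isinstance(value, list) else [value]


def defensestorm_statements(bucket):
    """The two statements from the policy above with the bucket name filled in."""
    return [
        {"Sid": "DefensestormListS3", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Principal": {"AWS": DS_PRINCIPAL}},
        {"Sid": "DefensestormGetS3", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"],
         "Principal": {"AWS": DS_PRINCIPAL}},
    ]


def merge_bucket_policy(existing, bucket):
    """Return a new policy with the DefenseStorm statements appended.

    The existing document is not modified. Sids must be unique within a
    policy, so a statement whose Sid is already present is replaced instead
    of duplicated; running the merge twice leaves the policy unchanged.
    """
    policy = copy.deepcopy(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    if policy.get("Version") != "2012-10-17":
        raise ValueError("expected a 2012-10-17 policy document")
    statements = _as_list(policy.get("Statement", []))
    for new in defensestorm_statements(bucket):
        statements = [s for s in statements if s.get("Sid") != new["Sid"]] + [new]
    policy["Statement"] = statements
    return policy


def actions_granted_to(policy, principal_arn):
    """Map each action the principal is allowed to the set of resources it applies to.

    Covers Allow statements with an AWS principal, which is all the merged
    statements use; Deny statements and conditions are left out of the map.
    """
    granted = {}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        for action in _as_list(stmt["Action"]):
            granted.setdefault(action, set()).update(_as_list(stmt["Resource"]))
    return granted


# Constructed sample: a bucket "example-logs" that already denies non-TLS access.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    merged = merge_bucket_policy(EXISTING_POLICY, "example-logs")
    print(json.dumps(merged, indent=2))
    print(actions_granted_to(merged, DS_PRINCIPAL))
```

The printed map is the check worth doing before saving: the DefenseStorm principal should end up with s3:ListBucket on the bucket ARN and s3:GetObject on the bucket's objects, and nothing else.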


2. Creating a Cross-Account Role

Creating the Policy
  1. Log into IAM in the AWS Console > Click on Policies in the navigation pane > Click the Create Policy button > Click on the JSON tab
  2. Paste the text below into the text box, replacing <YOUR-BUCKET-NAME> with the name of your bucket.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DefensestormListS3",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<YOUR-BUCKET-NAME>"
                ]
            },
            {
                "Sid": "DefensestormGetS3",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"
                ]
            }
        ]
    }
  3. Click Review Policy.
  4. Give the policy a name and description of your choice, and click Create Policy.


Creating the Role
  1. Log into IAM in the AWS Console.
  2. Click on Roles in the navigation pane.
  3. Click the Create Role button.
  4. Select Another AWS account
  5. Paste 213533855010 into the Account ID box
  6. Check the Require external ID checkbox
  7. Paste <CUSTOMER_ORG_ID> into the External ID box. The external ID is what prevents a caller in the DefenseStorm account from assuming your role on behalf of some other customer, so use exactly the value provided.
  8. Click Next:Permissions
  9. Select the policy created above from the policies list
  10. Click Next: Tags. Apply any tags of your choice.
  11. Click Next: Review. 
  12. Give the role a name and description of your choice, and click Create role
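The trust policy that the role-creation steps above produce, as an added Python example rather than code from the DefenseStorm documentation: it builds the trust document that "Another AWS account" plus "Require external ID" generate, and audits any trust policy for the two properties that matter here, that only the DefenseStorm account (213533855010, from the steps above) may assume the role and that every such grant requires the external ID. The organization ID "org-example" and the deliberately weak policy are constructed samples.

```python
"""Trust policy for the cross-account role, plus an audit of its two key properties."""
import json

DEFENSESTORM_ACCOUNT = "213533855010"   # account ID from the role-creation steps above


def build_trust_policy(external_id, trusted_account=DEFENSESTORM_ACCOUNT):
    """Console equivalent: "Another AWS account" + "Require external ID"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            # Without this condition any caller in the trusted account could
            # point the service at your role (the confused-deputy problem).
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # "arn:aws:iam::123456789012:root" -> "123456789012"; a bare account ID passes through
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_trust_policy(doc, expected_account, expected_external_id):
    """Return a list of findings about who may assume the role; empty means as intended."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*" or _account_of(p) != expected_account:
                findings.append(f"statement {i}: trusts {p}, expected only account {expected_account}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: external ID {ext!r} does not match {expected_external_id!r}")
    return findings


# Constructed samples: the intended policy, and a weak one that also trusts an
# unrelated account and has no external ID condition.
GOOD_TRUST = build_trust_policy("org-example")
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::213533855010:root", "arn:aws:iam::111122223333:root"]},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print(json.dumps(GOOD_TRUST, indent=2))
    print("findings:", audit_trust_policy(WEAK_TRUST, DEFENSESTORM_ACCOUNT, "org-example"))
```

The same document can be used with the AWS CLI instead of the console: aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json, followed by aws iam attach-role-policy --role-name <name> --policy-arn <ARN of the policy created above>. Running the audit against the role's existing trust policy is a quick way to confirm nobody has since widened it.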


Creating the SNS Topic
  1. Open Simple Notification Service (SNS) in the AWS Console.
  2. Click "Create Topic" 
    1. Topic Name: Any
    2. Display Name: leave blank
  3. In this topic, click "Create Subscription"
    1. Protocol: SQS
    2. Endpoint: arn:aws:sqs:us-west-2:213533855010:prod-<CUSTOMER_ORG_ID>-syslog
      Once this subscription is created, the "Subscription ID" should say "Pending Confirmation." Wait a few seconds, then click the refresh button. It should now have an "arn" value.
  4. Modify this topic's access policy to allow S3 to publish to it
    1. Other Topic Actions -> Edit Topic Policy -> Advanced View. In the "Statement" list, add the following, replacing <THIS-SNS-TOPIC-ARN> with the topic's ARN and listing the ARN of each bucket that will send notifications in the aws:SourceArn condition:
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Action": "SNS:Publish",
        "Resource": "<THIS-SNS-TOPIC-ARN>",
        "Condition": {
          "ArnLike": { "aws:SourceArn": ["arn:aws:s3:*:*:<CUSTOMER_BUCKET_1_NAME>", ...] }
        }
      }


Enabling Logging on the Bucket

If the customer wants to ingest only some of the files created in the bucket rather than all of them, repeat step 5 for each path prefix to be logged. Note that S3 rejects two notification rules for the same events whose key filters overlap (for example, "logs/" and "logs/elb/" conflict, and a rule with no prefix conflicts with every other rule), so the customer will have to be careful when creating these filters.

  1. Open S3 in the AWS Console
  2. Select your bucket.
  3. Select Properties
  4. Click on Events
  5. Click on "Add notification"
    1. Name: Any
    2. Events: "All object create events"
    3. Prefix: Path that you want to log for, or none if you want to log all events saved to this bucket
    4. Send to: SNS Topic
    5. SNS: select your newly created SNS topic
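The event notification step above, as an added Python example rather than code from the DefenseStorm documentation: it assembles the NotificationConfiguration document that boto3's put_bucket_notification_configuration takes (one rule per prefix, all object-create events, delivered to the SNS topic) and rejects overlapping prefix filters before the call is made, which is the conflict the note above warns about. The topic ARN, the rule names and the prefixes are constructed placeholders.

```python
"""S3 event notification configuration for the prefixes forwarded to the SNS
topic, with an overlap check before the configuration is sent."""

TOPIC_ARN = "arn:aws:sns:us-west-2:123456789012:defensestorm-s3-logs"   # constructed placeholder


def overlapping_prefixes(prefixes):
    """Return the (a, b) pairs where prefix a also matches every key that b matches.

    S3 rejects a configuration in which two rules for the same event type can
    match the same object key: "logs/" and "logs/elb/" both match
    "logs/elb/x.gz", and an empty prefix matches every key in the bucket.
    Identical prefixes are reported as well.
    """
    ordered = sorted(prefixes)   # a proper prefix always sorts before the strings it prefixes
    return [(a, b) for i, a in enumerate(ordered) for b in ordered[i + 1:] if b.startswith(a)]


def config_is_valid(prefixes):
    return not overlapping_prefixes(prefixes)


def build_notification_config(prefixes, topic_arn=TOPIC_ARN):
    """Build the NotificationConfiguration argument of boto3's
    put_bucket_notification_configuration: one TopicConfiguration per prefix,
    all object-create events, delivered to the SNS topic. An empty list (or a
    single empty prefix) forwards every object created anywhere in the bucket.
    """
    prefixes = list(prefixes) or [""]
    clashes = overlapping_prefixes(prefixes)
    if clashes:
        raise ValueError(f"overlapping prefix filters: {clashes}")
    configs = []
    for n, prefix in enumerate(prefixes, 1):
        rule = {
            "Id": f"defensestorm-{n}",          # constructed rule names
            "TopicArn": topic_arn,
            "Events": ["s3:ObjectCreated:*"],   # "All object create events" in the console
        }
        if prefix:   # no Filter at all means the rule applies to the whole bucket
            rule["Filter"] = {"Key": {"FilterRules": [{"Name": "prefix", "Value": prefix}]}}
        configs.append(rule)
    return {"TopicConfigurations": configs}


if __name__ == "__main__":
    import json
    print(json.dumps(build_notification_config(["cloudtrail/", "elb/"]), indent=2))
    print(overlapping_prefixes(["logs/", "logs/elb/"]))
```

Sending the result with boto3 is s3.put_bucket_notification_configuration(Bucket=bucket_name, NotificationConfiguration=cfg). That call replaces the bucket's entire notification configuration, so any rules that already exist (for example, ones feeding a Lambda function) have to be included in the same document or they are dropped.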

OpenDNS

OpenDNS provides network security by reviewing all of your employees' network connections, on or off the corporate network. Since DefenseStorm is a layer that can "see everything", it correlates the events OpenDNS captures when users leave the corporate network with the events from the rest of your corporate network.

Use of this integration requires an "Insights" or "Platform" OpenDNS subscription. The "Professional" subscription level is incompatible because it lacks the log export feature the integration depends on:

  • Retain logs with Amazon Web Services integration using customer-managed or Cisco-managed S3 bucket (source: https://umbrella.cisco.com/products/packages)

To enable the OpenDNS functionality, contact DefenseStorm for assistance.

Office 365

Adding Office 365 services is as easy as adding a cloud app. To avoid creating yet another set of credentials, the administrator signs in with their Active Directory (AD) credentials to set up the Office 365 integration and log ingestion. The integration ingests audit events for the following activity types:

  • File and folder
  • Sharing and access request
  • Synchronization
  • Site administration
  • Exchange mailbox
  • User administration
  • Group administration
  • Application administration
  • Role administration
  • Directory administration

  1. Go to Settings > Integrations > Office 365 icon and select the option to Add Office 365 Account. Follow the instructions displayed.
  2. Once you have selected the link and completed the steps provided by Microsoft, all that is left is to give your Office 365 account a display name; you are redirected back to the DefenseStorm console for this step.
  3. After the display name is added, a message confirms that you have successfully integrated with Office 365. Note: Auditing on Exchange mailboxes is off by default; mailbox audit logging must be enabled in Exchange Online before Exchange mailbox events are available to ingest.