Trimmed protective monitoring runbook #8225

Merged
merged 1 commit into from
Oct 9, 2024
@@ -1,7 +1,7 @@
---
owner_slack: "#modernisation-platform"
title: Sharing of Platform Operational Data with Security Operations via AWS Data Firehose
last_reviewed_on: 2024-06-13
title: Platform logging integration with Cortex XSIAM
last_reviewed_on: 2024-10-09
review_in: 6 months
---
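Review bot: the new front-matter `title` spells the product "Cortex XSIAM", but the body of the same file (the Known Contacts bullet further down) still reads "Cortex Xsiam"; pick one spelling for the whole page so the rendered title matches the prose. The `last_reviewed_on` bump to `2024-10-09` with `review_in: 6 months` is consistent with the merge date.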

@@ -18,35 +18,38 @@ review_in: 6 months

## Introduction

The Modernisation Platform shares data from a number of sources with the Security Operations team's Cortex Xsiam platform for purpose of the protective monitoring of the platform and the applications hosted on it.
The Modernisation Platform shares data with the Security Operations Cortex XSIAM application for purpose of the protective monitoring.

## Categories of data shared with Security Operations

The data is shared using AWS Data Firehose for the following categories of data:
The following data is collected for Cortex XSIAM consumption:
- `core-logging` Aggregated Cloudtrail log data from all Modernisation Platform accounts.

- Managed member account VPC Flow Log Data via cloudwatch logs.
- Network firewall inspection log data for live, non-live and external.
- VPC flow log data for the three network firewall vpcs.
- VPC flow log data for core-shared-services, core-logging and core-security.
- `core-network-services` Network Firewall `alert` logs.

One exception is Cloudtrail log data in S3 held in the core-logging account. This is accessed by a Cortex Xsiam plugin for S3 using SQS that has events published via an Event Notification resource. The plugin uses an IAM user account to access the core-logging account.
- `core-vpc-production` Route53 Resolver Query Log data.
- `core-*` Route53 Resolver Query Log data `live_data` VPCs.

## Terraform Source
- `core-network-services` VPC Flow Log data for the `external_inspection` VPC.
- `core-vpc-production` VPC Flow Log data.
- `core-*` VPC Flow Log data for `live_data` VPCs.

The terraform for these Data Firehose & associated resources can be found here:
## Log delivery methods

- Managed member account VPC flow log data - https://github.com/ministryofjustice/modernisation-platform/blob/b629292a791bd8ce99b6bff6e0ddd888953cb76a/terraform/environments/core-vpc/vpc.tf#L85
The Cortex XSIAM application consumes data using S3 as a preferential source from the following:
- VPC Flow Log data is pulled from the `core-logging-vpc-flow-logs` S3 bucket in the `core-logging` account.
- Route 53 Resolver Query Log data is pulled from the `core-logging-r53-resolver-logs` S3 bucket in the `core-logging` account.
- Cloudtrail log data is pulled from the `modernisation-platform-logs-cloudtrail` S3 bucket in the `core-logging` account.

- Cloudtrail log data - https://github.com/ministryofjustice/modernisation-platform/blob/main/terraform/environments/core-logging/sqs.tf

Each Data Firehose resource has an endpoint & key that is obtained from a common AWS Secrets Manager resource held in the Modernisation Platform account called "xsiam_secrets" for vpc flow logs, firewall logs and r53 resolver logs.
The Cortex XSIAM application receives Network Firewall `alert` logs by way of an Amazon Data Stream configured in the `core-network-services` account.

## Known Maintenance Requirements

- The user access key for the IAM account needs to be rotated every 6 months and the new value shared with the SecOps team. See the runbook page for [Rotating Secrets](rotating-secrets.html) for further information.
- While an access key and secret key are currently in use, we have prepared an AWS IAM role that the Cortex application can assume so that we can retire the keys.
- This role - `cortex_xsiam*` - is available in the `core-logging` account and has the same IAM policy as the `cortex_xsiam` user.

## Known Contacts:

- Leonardo Marini - Leonardo.Marini@justice.gov.uk. Contractor who implements the Cortex Xsiam endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)

- The Protective Monitoring Team who will be managing the Cortex Xsiam platform going forward - monitoring-and-integration-platform@justice.gov.uk
- The Protective Monitoring Team who will be managing the Cortex Xsiam platform going forward - monitoring-and-integration-platform@justice.gov.uk
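Review bot: the Known Maintenance Requirements bullet "The user access key for the IAM account needs to be rotated every 6 months" now dangles, because this hunk removes the only sentence that said which IAM user is meant and what it is used for ("The plugin uses an IAM user account to access the core-logging account."), while the new "Log delivery methods" bullets describe the three S3 pulls without saying how the pulls authenticate. Suggest adding one line under "Log delivery methods" stating that the S3 pulls use the `cortex_xsiam` IAM user in `core-logging` (the user the `cortex_xsiam*` role is meant to replace), so the rotation requirement and the key-retirement note still make sense on their own. Two smaller points in the same hunk: "by way of an Amazon Data Stream configured in the `core-network-services` account" names no specific AWS service; the old text said Firehose, so spell out which service is actually configured. And dropping the whole "Terraform Source" section leaves the runbook with no pointer to where any of these resources are defined; keeping at least the `core-logging` link (the `sqs.tf` one, or its replacement for the S3 buckets named here) would preserve that.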