Quick Start Security for Amazon CloudWatch
Amazon CloudWatch
Amazon CloudWatch is a monitoring and observability service. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization.
CloudWatch collects monitoring and operational data in the form of logs, metrics, and events.
This extension pack alerts on changes to CloudWatch that reduce visibility: deletion of a log group or log stream, deletion or disabling of an alarm, deletion or disabling of an EventBridge rule, and the absence of CloudWatch logs altogether.
Coralogix Extension For Amazon CloudWatch Includes:
Alerts - 7
Stay on top of Amazon CloudWatch key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
A Log Stream has been deleted
A log stream is a sequence of log events that share the same source. Any deletion of a log stream should be validated.
Impact: Deleting a log stream can be a defense-evasion technique used by an attacker to hide malicious actions already committed.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note of the deletion of multiple log streams by the same identity in a short period.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
An alarm has been disabled
CloudWatch alarms notify the user when a metric crosses a threshold the user has defined. They can cover many AWS services and any measurable metric CloudWatch offers. Disabling an alarm's actions leaves the alarm in place and still evaluating, but no notification or automated action is triggered when its state changes.
Impact: Disabling an alarm can be a defense-evasion technique used by an attacker to hide malicious activity by preventing the user from receiving alerts.
Mitigation: Verify that disabling the alarm was intentional and authorized, and investigate further if not. Take note of multiple alarms being disabled together.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
An alarm has been deleted
CloudWatch alarms notify the user when a metric crosses a threshold the user has defined. They can cover many AWS services and any measurable metric CloudWatch offers.
Impact: Unauthorized deletion of an alarm can be a defense-evasion technique used by an attacker to hide malicious activity by preventing the user from receiving alerts.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note of multiple alarms being deleted together.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
A log group has been deleted
A log group is a group of log streams that share the same retention, monitoring, and access control settings. Deleting a log group deletes every log stream it contains, so any deletion should be validated.
Impact: Deleting a log group can be a defense-evasion technique used by an attacker to hide malicious actions already committed.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note of the deletion of multiple log groups.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
A rule has been deleted
CloudWatch Events / Amazon EventBridge rules match incoming events and route them to specific AWS targets for processing. A matched event can trigger actions in many other AWS services (Lambda, EC2, AWS Batch jobs, etc.).
Impact: Unauthorized deletion of a rule can be a defense-evasion technique used by an attacker to hide malicious activity by preventing the system from triggering required actions in other services.
Mitigation: Verify that the deletion was intentional and authorized, and investigate further if not. Take note of multiple rules being deleted together.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
A rule has been disabled
CloudWatch Events / Amazon EventBridge rules match incoming events and route them to specific AWS targets for processing. A matched event can trigger actions in many other AWS services (Lambda, EC2, AWS Batch jobs, etc.). A disabled rule remains defined but stops matching events, so its targets are never invoked.
Impact: Disabling a rule can be a defense-evasion technique used by an attacker to hide malicious activity by preventing the system from triggering required actions in other services.
Mitigation: Verify that disabling the rule was intentional and authorized, and investigate further if not. Take note of multiple rules being disabled together.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
No Logs From Amazon CloudWatch
Summary: This rule detects when no logs have arrived from Amazon CloudWatch for the customer account. Note: this alert should be configured with the relevant application and subsystem, and its timeframe and conditions should be defined to match business objectives, since a legitimately quiet source will otherwise fire it.
Impact: Disabling logging is a tactic adversaries employ, as part of several MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap promptly to restore comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005 (Defense Evasion). MITRE Technique: T1562 (Impair Defenses).
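The alerts above all correspond to specific management API calls that CloudTrail records for the CloudWatch Logs, CloudWatch and EventBridge services. The following is an added example, not Coralogix's rule definitions: it runs the detection logic for the six tampering alerts plus the "no logs" condition over a handful of constructed CloudTrail records. The eventName-to-alert mapping, the burst threshold and the silence window are this example's own assumptions.

```python
"""Detect CloudWatch tampering (log stream/group deletion, alarm and
EventBridge rule deletion or disabling) and a "no logs" condition in
CloudTrail records.  Added example; the mapping below is an assumption,
not Coralogix's published rule conditions."""
import json
from collections import Counter
from datetime import datetime, timedelta
from typing import Optional

# CloudTrail (eventSource, eventName) pairs that realise each alert.
TAMPER_EVENTS = {
    ("logs.amazonaws.com", "DeleteLogStream"): "A Log Stream has been deleted",
    ("logs.amazonaws.com", "DeleteLogGroup"): "A log group has been deleted",
    ("monitoring.amazonaws.com", "DisableAlarmActions"): "An alarm has been disabled",
    ("monitoring.amazonaws.com", "DeleteAlarms"): "An alarm has been deleted",
    ("events.amazonaws.com", "DeleteRule"): "A rule has been deleted",
    ("events.amazonaws.com", "DisableRule"): "A rule has been disabled",
}
# "Take note of deletion of multiple ...": same actor firing the same alert
# this many times in one batch is escalated.  Assumed tuning value.
BURST_THRESHOLD = 3

# Constructed CloudTrail records, one JSON document per line (not real data).
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"logs.amazonaws.com","eventName":"DeleteLogStream","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"logGroupName":"/aws/lambda/payments","logStreamName":"2024/05/01/[$LATEST]a1"}}
{"eventTime":"2024-05-01T10:00:05Z","eventSource":"logs.amazonaws.com","eventName":"DeleteLogStream","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"logGroupName":"/aws/lambda/payments","logStreamName":"2024/05/01/[$LATEST]a2"}}
{"eventTime":"2024-05-01T10:00:10Z","eventSource":"logs.amazonaws.com","eventName":"DeleteLogStream","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"logGroupName":"/aws/lambda/payments","logStreamName":"2024/05/01/[$LATEST]a3"}}
{"eventTime":"2024-05-01T10:01:00Z","eventSource":"monitoring.amazonaws.com","eventName":"PutMetricAlarm","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"alarmName":"root-login"}}
{"eventTime":"2024-05-01T10:02:00Z","eventSource":"monitoring.amazonaws.com","eventName":"DisableAlarmActions","userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"alarmNames":["root-login"]}}
{"eventTime":"2024-05-01T10:03:00Z","eventSource":"events.amazonaws.com","eventName":"DeleteRule","userIdentity":{"arn":"arn:aws:iam::111122223333:user/carol"},"requestParameters":{"name":"guardduty-to-sns"}}
{"eventTime":"2024-05-01T10:05:00Z","eventSource":"logs.amazonaws.com","eventName":"DescribeLogGroups","userIdentity":{"arn":"arn:aws:iam::111122223333:role/deploy"},"requestParameters":null}
"""


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def load_records(cloudtrail_jsonl: str) -> list:
    return [json.loads(line) for line in cloudtrail_jsonl.splitlines() if line.strip()]


def resource_of(params: dict) -> str:
    """Name of the object touched; the request field differs per API."""
    if "logStreamName" in params:
        return f'{params.get("logGroupName", "?")}:{params["logStreamName"]}'
    for key in ("logGroupName", "name"):  # log group / EventBridge rule
        if key in params:
            return params[key]
    if "alarmNames" in params:  # alarm APIs take a list of names
        return ",".join(params["alarmNames"])
    return "?"


def classify(record: dict) -> Optional[str]:
    """Return the alert name for a tampering call, or None for anything else."""
    return TAMPER_EVENTS.get((record.get("eventSource"), record.get("eventName")))


def evaluate(cloudtrail_jsonl: str) -> list:
    """One finding per tampering call, with a burst flag for repeated actors."""
    findings = []
    for rec in load_records(cloudtrail_jsonl):
        alert = classify(rec)
        if alert is None:
            continue  # read-only or configuration-adding call, not tampering
        findings.append({
            "alert": alert,
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            # requestParameters is null in CloudTrail for some calls
            "resource": resource_of(rec.get("requestParameters") or {}),
        })
    counts = Counter((f["actor"], f["alert"]) for f in findings)
    for f in findings:
        f["burst"] = counts[(f["actor"], f["alert"])] >= BURST_THRESHOLD
    return findings


def logs_silent(cloudtrail_jsonl: str, now_iso: str, window_minutes: int = 15) -> bool:
    """'No Logs From Amazon CloudWatch': nothing has arrived within the window."""
    times = [parse_time(r["eventTime"]) for r in load_records(cloudtrail_jsonl)]
    if not times:
        return True
    return parse_time(now_iso) - max(times) > timedelta(minutes=window_minutes)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_CLOUDTRAIL):
        flag = " (multiple by same actor, investigate)" if f["burst"] else ""
        print(f'{f["time"]} {f["alert"]}: {f["actor"]} -> {f["resource"]}{flag}')
    print("silent at 10:30:", logs_silent(SAMPLE_CLOUDTRAIL, "2024-05-01T10:30:00Z"))
```

The second pass over the findings is what turns "a log stream was deleted" into "one identity deleted three log streams in ten seconds", which is the pattern the mitigation text asks you to watch for. The silence check deliberately takes the evaluation time as an argument so the same function can be replayed over historical data; in production the window must be tuned per application and subsystem, exactly as the alert's note says.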
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon CloudWatch in our documentation.