cloudwatch alarms: include event details in a notification


My goal is to create a security alert, based on an AWS event. I've configured a trail + log group, a metric (based on an event filter) and a CloudWatch alarm configured to send a notification. The issue is I cannot see a way to include event details in the generated notification. As such, the notification is only good for alerting the recipient that the event occurred. To gain essential insight, an admin would still need to go sift through logs to find details (the notification doesn't even carry a helpful link to the event, only to the alarm).

What is then the recommended solution for this requirement?

Answered by Trần Cường:

While CloudWatch alarms don't directly include event details in notifications, here are two effective approaches to achieve this:

  1. Leveraging EventBridge with a Lambda Function:

     - Create an EventBridge Rule: Trigger on the specific CloudWatch alarm transitioning to the ALARM state.
     - Set a Lambda Function as the Target: The Lambda function will be invoked when the alarm triggers.
     - Implement Logic in the Lambda Function: Retrieve relevant event details from CloudTrail logs using the AWS SDK for JavaScript (or your preferred language). Construct a custom notification message incorporating those details. Send the customized notification using Amazon SNS or another preferred method (e.g., email, Slack).

  2. Utilizing a Third-Party Security Information and Event Management (SIEM) Tool:

     - Ingest CloudTrail Logs into the SIEM: Configure the SIEM to receive and process CloudTrail logs.
     - Create Custom Alerts and Notifications: Define specific rules and conditions within the SIEM to generate alerts based on desired events. Configure the SIEM to include relevant event details in the alert notifications.

Key Considerations:

  - Cost: Using a Lambda function incurs costs based on execution time and memory usage. Third-party SIEM tools often have licensing fees.
  - Complexity: Implementing a Lambda function involves development effort. SIEM tools offer pre-built integrations and rule sets, but configuration can be complex.
  - Integration Capabilities: Evaluate how each option aligns with your existing monitoring and incident response workflows.

Additional Recommendations:

  - Include Helpful Links in Notifications: Even if full event details aren't embedded, provide links to CloudTrail logs or the SIEM console for quick access.
  - Consider Centralized Logging: For broader visibility and correlation, aggregate logs from multiple sources into a centralized SIEM or log management solution.
  - Regularly Review and Refine Alerts: Ensure alerts are tailored to your specific security needs and adjust them as your environment evolves.
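The EventBridge-to-Lambda approach in option 1, worked through as an added example (this is not code from the answer above or from AWS). The handler receives the "CloudWatch Alarm State Change" event, looks back over the alarm's evaluation window with CloudTrail LookupEvents for the eventName the metric filter matched, and publishes an SNS message that carries the caller, source IP, request parameters and a console link. The ALARM_EVENT_NAMES mapping, the 15-minute lookback, the SNS_TOPIC_ARN environment variable and the console deep-link format are assumptions; the AWS SDK v3 clients are loaded lazily so the enrichment logic runs offline against the constructed sample data below.

```javascript
// Added example: enrich a CloudWatch alarm notification with the CloudTrail
// events behind it. Flow: EventBridge rule -> this Lambda -> CloudTrail
// LookupEvents -> SNS Publish. Not the original answer's code.

const LOOKBACK_MS = 15 * 60 * 1000; // assumption: covers a 5-minute metric period plus alarm delay
const MAX_EVENTS = 10;

// Assumption: alarm name -> CloudTrail eventName used in the metric filter pattern.
const ALARM_EVENT_NAMES = {
  'root-console-login': 'ConsoleLogin',
  'iam-policy-change': 'PutUserPolicy',
};

// EventBridge alarm timestamps look like "2024-01-15T10:04:40.149+0000";
// insert the colon so every JS engine parses the offset.
function parseAlarmTimestamp(ts) {
  return new Date(ts.replace(/([+-]\d\d)(\d\d)$/, '$1:$2'));
}

function parseAlarmEvent(event) {
  if (event['detail-type'] !== 'CloudWatch Alarm State Change') {
    throw new Error(`unexpected detail-type: ${event['detail-type']}`);
  }
  const d = event.detail;
  return {
    alarmName: d.alarmName,
    region: event.region,
    state: d.state.value,
    previousState: d.previousState ? d.previousState.value : '?',
    reason: d.state.reason,
    at: parseAlarmTimestamp(d.state.timestamp),
  };
}

// Reduce one LookupEvents record to what an on-call admin needs. The raw
// CloudTrail record is carried in CloudTrailEvent as a JSON string.
function summarizeTrailEvent(ev) {
  let raw = {};
  try { raw = JSON.parse(ev.CloudTrailEvent || '{}'); } catch (_) { /* keep the outer fields */ }
  const ident = raw.userIdentity || {};
  return {
    eventId: ev.EventId,
    eventName: ev.EventName,
    time: ev.EventTime instanceof Date ? ev.EventTime.toISOString() : String(ev.EventTime),
    user: ev.Username || ident.arn || ident.type || 'unknown',
    sourceIp: raw.sourceIPAddress || 'unknown',
    errorCode: raw.errorCode || null,
    requestParameters: raw.requestParameters || null,
  };
}

// Assumed console deep-link format; verify against your own console before relying on it.
function consoleLink(region, eventId) {
  return `https://${region}.console.aws.amazon.com/cloudtrailv2/home?region=${region}#/events/${eventId}`;
}

function buildMessage(alarm, summaries) {
  const lines = [
    `Alarm: ${alarm.alarmName} (${alarm.previousState} -> ${alarm.state})`,
    `Region: ${alarm.region}`, `When: ${alarm.at.toISOString()}`, `Reason: ${alarm.reason}`,
    '', `Matching CloudTrail events in the last ${LOOKBACK_MS / 60000} minutes: ${summaries.length}`,
  ];
  for (const s of summaries) {
    lines.push('', `- ${s.eventName} at ${s.time}`, `  user: ${s.user}`, `  source IP: ${s.sourceIp}`);
    if (s.errorCode) lines.push(`  error: ${s.errorCode}`);
    if (s.requestParameters) lines.push(`  request: ${JSON.stringify(s.requestParameters)}`);
    lines.push(`  link: ${consoleLink(alarm.region, s.eventId)}`);
  }
  if (summaries.length === 0) lines.push('(no matching events found; widen the lookback or check the metric filter)');
  return lines.join('\n');
}

// Real AWS SDK v3 clients; only loaded when the handler runs without injected deps.
function defaultDeps() {
  const { CloudTrailClient, LookupEventsCommand } = require('@aws-sdk/client-cloudtrail');
  const { SNSClient, PublishCommand } = require('@aws-sdk/client-sns');
  const ct = new CloudTrailClient({});
  const sns = new SNSClient({});
  return {
    topicArn: process.env.SNS_TOPIC_ARN, // assumption: set on the function
    lookupEvents: async (input) => (await ct.send(new LookupEventsCommand(input))).Events || [],
    publish: (input) => sns.send(new PublishCommand(input)),
  };
}

async function handler(event, context, deps = defaultDeps()) {
  const alarm = parseAlarmEvent(event);
  if (alarm.state !== 'ALARM') return { published: false, events: 0 }; // ignore OK / INSUFFICIENT_DATA
  const lookupInput = {
    StartTime: new Date(alarm.at.getTime() - LOOKBACK_MS), EndTime: alarm.at, MaxResults: MAX_EVENTS,
  };
  const eventName = ALARM_EVENT_NAMES[alarm.alarmName];
  if (eventName) lookupInput.LookupAttributes = [{ AttributeKey: 'EventName', AttributeValue: eventName }];
  const trailEvents = await deps.lookupEvents(lookupInput);
  const message = buildMessage(alarm, trailEvents.map(summarizeTrailEvent));
  await deps.publish({
    TopicArn: deps.topicArn,
    Subject: `[ALARM] ${alarm.alarmName}`.slice(0, 100), // SNS subject limit is 100 chars
    Message: message,
  });
  return { published: true, events: trailEvents.length, message };
}

// Constructed sample data (not captured from a real account) so the example runs offline.
const SAMPLE_EVENT = {
  'detail-type': 'CloudWatch Alarm State Change', source: 'aws.cloudwatch', region: 'us-east-1',
  detail: {
    alarmName: 'root-console-login',
    state: { value: 'ALARM', reason: 'Threshold Crossed: 1 datapoint [1.0] was >= 1.0', timestamp: '2024-01-15T10:04:40.149+0000' },
    previousState: { value: 'OK' },
  },
};
const SAMPLE_TRAIL_EVENTS = [
  { EventId: 'evt-0001', EventName: 'ConsoleLogin', EventTime: new Date('2024-01-15T10:01:12Z'), Username: 'root',
    CloudTrailEvent: JSON.stringify({ userIdentity: { type: 'Root', arn: 'arn:aws:iam::123456789012:root' },
      sourceIPAddress: '203.0.113.10', responseElements: { ConsoleLogin: 'Success' } }) },
  { EventId: 'evt-0002', EventName: 'ConsoleLogin', EventTime: new Date('2024-01-15T10:02:30Z'), Username: 'root',
    CloudTrailEvent: JSON.stringify({ userIdentity: { type: 'Root' }, sourceIPAddress: '198.51.100.7', errorCode: 'Failed authentication' }) },
];
const STUB_DEPS = {
  topicArn: 'arn:aws:sns:us-east-1:123456789012:sec-alerts',
  lookupEvents: async () => SAMPLE_TRAIL_EVENTS,
  publish: async (input) => { console.log(`--- ${input.Subject} ---\n${input.Message}`); },
};

if (typeof require !== 'undefined' && require.main === module) handler(SAMPLE_EVENT, {}, STUB_DEPS);
if (typeof module !== 'undefined') module.exports = { handler, parseAlarmEvent, summarizeTrailEvent, buildMessage };
```

To wire it up, the EventBridge rule's event pattern matches source "aws.cloudwatch", detail-type "CloudWatch Alarm State Change" and the alarm name, with the function as target; the function's execution role needs cloudtrail:LookupEvents and sns:Publish on the topic. LookupEvents is rate-limited and only covers the last 90 days of management events, so for high-volume alarms query the CloudWatch Logs group the metric filter runs on instead. Keeping the lookup window tied to the alarm's own timestamp rather than "now" matters when the function is retried later.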