Wazuh is a host-based intrusion detection (HIDS) service provided by CloudAware, with its user interface delivered through the Kibana platform. Wazuh is available via CloudAware Launcher.
This article explains how Cloudaware capabilities should be deployed to improve AWS security, mitigate the risks of operating cloud-based computing infrastructure, and address compliance and change management.
Audience
- Security Engineers
- Cloudaware Engineers
- Chief Security Officers
- Compliance Officers
- AWS Cloud Engineers
- Cloud Operations Teams
HIDS Server Deployment Options
Cloudaware HIDS solution consists of three parts:
- IDS Agent
- IDS Server(s)
- IDS Dashboard
Agents are deployed onto every host where intrusion detection capabilities are desired. IDS servers are managed by CloudAware if a customer uses the Managed IDS option.
Optionally, customers can deploy their own IDS servers. The IDS dashboard is part of CloudAware, and all IDS servers report into the dashboard. There are two ways to deploy CloudAware IDS services.
Managed IDS
With the Managed IDS deployment option, customers leverage IDS servers that are managed by CloudAware.
Advantages | Disadvantages
--- | ---
 | Not able to deploy common OSSEC customizations without involving CloudAware support.
Customer Managed IDS
Under this approach, customers maintain their own set of IDS servers and are responsible for many operational aspects, including backup, disaster recovery and availability. CloudAware recommends one IDS server per 500 agents, and that IDS servers are deployed in the same region as their agents.
Customers may also choose a hybrid approach, where some agents use CloudAware-managed IDS servers and some agents use customer-managed IDS servers.
IDS Status
If the Intrusion Detection module is deployed, the 'IDS status' tile on an instance may display one of three values:
- Monitored
- Not monitored
- Under Attack
Once in the main tab, CloudTrail data can be searched for a specific object using the search box.
Events can additionally be filtered by type. For example, if we wanted to see only change, create or delete events performed by a certain user, we could filter as shown below.
While looking at any object in the CMDB, a user can click the Show CloudTrail button to view the relevant CloudTrail events.
Similarly, if we are looking at an IAM user in the CMDB, we can quickly see the recent AWS activity of that user by clicking the CloudTrail tab in the IAM User object.
Reports
Another powerful way to use CloudTrail events is via Cloudaware Reports. Cloudaware comes with a report builder that lets us zoom in on the specific CloudTrail events that meet our criteria. Reports can be scheduled, emailed, and converted to dashboards. Below is an example of a Daily Digest Report that summarizes all important changes throughout the day.
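The two ideas above, filtering CloudTrail events to the create/change/delete actions of one user and summarizing a day's changes as a digest, can be reproduced outside the Cloudaware UI against raw CloudTrail records. The following is an added example written for this article, not Cloudaware code: the sample records are constructed, the field names follow the CloudTrail record format, and the prefix-to-category mapping is an assumption that you would extend to the API actions you care about.

```python
from collections import Counter

# Constructed sample CloudTrail records (not real account data). The fields used
# (eventTime, eventSource, eventName, userIdentity.userName) are standard
# CloudTrail record fields.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-15T08:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-15T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-15T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAccessKey", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2024-01-15T10:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2024-01-15T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "alice"}},
]

# Assumed mapping of eventName prefixes onto the article's three categories.
# Read-only calls (Describe*, Get*, List*) match nothing and are dropped.
CATEGORY_PREFIXES = {
    "create": ("Create", "Run"),
    "delete": ("Delete", "Terminate", "Remove"),
    "change": ("Update", "Modify", "Put", "Attach", "Detach", "Set"),
}

def categorize(event_name):
    """Return 'create', 'change', 'delete', or None for read-only events."""
    for category, prefixes in CATEGORY_PREFIXES.items():
        if event_name.startswith(prefixes):
            return category
    return None

def filter_changes(records, user_name):
    """Create/change/delete events performed by user_name, oldest first."""
    hits = []
    for rec in records:
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        category = categorize(rec["eventName"])
        if category is not None:
            hits.append((rec["eventTime"], category, rec["eventSource"], rec["eventName"]))
    return sorted(hits)

def daily_digest(records):
    """Count create/change/delete events per (user, category), as a digest would."""
    counts = Counter()
    for rec in records:
        category = categorize(rec["eventName"])
        if category is not None:
            counts[(rec.get("userIdentity", {}).get("userName"), category)] += 1
    return dict(counts)

if __name__ == "__main__":
    for hit in filter_changes(SAMPLE_RECORDS, "alice"):
        print(*hit)
    print(daily_digest(SAMPLE_RECORDS))
```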
More information about building reports in Salesforce is available here and here.