CLOUD CONNECTOR

AWS CloudWatch

AWS CloudWatch publishes, monitors, and manages various metrics, and allows alarm actions to be configured to enable automatic action on changes in the AWS environment.

Securonix integrates with the AWS CloudWatch API for context enrichment and for alert integration, supporting threat chaining and the identification of AWS account compromise threats, network and cloud threats, and insider threat events.

| Audit Source (API)/Service Module | Covered Event Types | Related Threats | Details |
| --- | --- | --- | --- |
| CloudWatch Logs | Create/Delete Log Group/Log Stream, Create/Cancel Export Task, Get Log Events, Delete Metric Filters, Associate/Disassociate KMS Key, Describe Log Groups/Log Streams/Metric Filters/Destinations/Export Tasks/Queries/Query Definitions, Get Log Record, Start/Stop Query | AWS Account Compromise, Network Based Threats, Cloud Based Threats, DDoS, Insider Threats | Monitor, store and access system, application, and custom log files |
| CloudWatch | Add/Delete/Get/List/Put Alarms, Insight Rules, Dashboards, Anomaly Detectors, Metrics, Resource Tags, Metric Statistics, Tag/Untag Resource, Enable/Disable Alarm Actions/Insight Rules | AWS Account Compromise, Network Based Threats, Cloud Based Threats, DDoS, Insider Threats | Publish, monitor, and manage various metrics, as well as configure alarm actions based on data from metrics to enable automatic action on changes in the AWS environment |