Most operating systems, firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) are capable of emitting events via Syslog. The purpose of this project is to provide a sample AWS Cloud Development Kit (CDK) project to create all the necessary resources for you to receive streaming Syslog events, parse and transform these events to AWS Security Finding Format (ASFF), and lastly ingest these events as findings in AWS Security Hub.
This project includes a sample Syslog event from The Dragos Platform for testing purposes, and a custom AWS Lambda function for parsing and transforming Dragos events. Dragos is an industrial (ICS/OT/IIoT) cybersecurity company on a mission to safeguard civilization and is an AWS technology partner and member of the AWS Partner Network.
This sample is provided for demonstration purposes only, to serve as a starting point to help you customize for your source systems. A basic understanding of Syslog and how the source system emitting Syslog events maps its fields to Syslog Common Event Format (CEF) is necessary for customization of this project.
This project has a forthcoming blog which will provide greater detail regarding this solution.
In order to get started, you will need an AWS account, preferably free from any production workloads. Ensure AWS Security Hub is enabled in the AWS Region where you plan to deploy the solution. To eliminate the need to set up IAM permissions and install prerequisites, we recommend using AWS Cloud9.
AWS Cloud9 is a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. Cloud9 comes pre-configured with all the prerequisites required for this project, such as git, npm, and the AWS Cloud Development Kit (CDK).
To get started, create a Cloud9 environment from the AWS console. Provide the required Name, and accept the remaining default values. Once your Cloud9 environment has been created, you can open the IDE and access a terminal window.
From a terminal window, you will need to clone the GitHub repo, install packages, build, and deploy the CloudFormation templates. Issue the following commands in a terminal window in Cloud9. By default, the AWS CDK will prompt you to confirm changes before deploying them. If you want to skip these confirmations, add the following command line option to the AWS CDK commands below:
--require-approval never
git clone https://github.com/aws-samples/streaming-syslog-to-aws-security-hub-sample
cd streaming-syslog-to-aws-security-hub-sample
cdk bootstrap
npm install
cd src/lambda-syslog
npm install
cd ../..
npm run build
cdk deploy
Once the CDK deployment process has completed, open the AWS Security Hub console Findings page and search for findings whose Title starts with DRAGOS. If successful, you should find a finding with the Title DRAGOS: Test Message from Dragos App.
To clean up, issue the following command from your Cloud9 terminal window:
cdk destroy
This library is licensed under the MIT-0 License. See the LICENSE file.