AWS Prerequisites
Introduction
The AlphaSOC Analytics Engine (AE) can be run on-premise locally within your environment, or consumed as a SaaS cloud service by which AlphaSOC runs a multi-tenant version of AE. The differences between the cloud and on-premise deployment models are described in the Architecture page within the documentation. The AE on-premise installation steps are described in the On-Premise Installation Guide.
This document walks through creating and configuring the S3 bucket, SNS topic and SNS subscription used by AE. Note that the instructions in these sections differ depending on whether this is an AlphaSOC AE Cloud or an AlphaSOC AE On-Premise configuration.
The following bucket and topic names will be used:
- S3 bucket: ae-s3-bucket-1
- SNS topic: ae-sns-topic
Note that the below steps will show examples using the AWS console. CLI/API use is beyond the scope of this guide.
Detailed instructions for S3 and SNS can be found in the links below.
- Create or use an existing S3 bucket to store the logs
- Create an SNS topic to notify when new logs are written to the S3 bucket
AlphaSOC AE On-Premise Telemetry Processing Path
New telemetry, arriving at the designated S3 bucket, will trigger bucket create events. These events are published to the designated SNS topic, and notify AE that new telemetry is available for processing. AE then pulls the telemetry directly from the S3 bucket, analyzes it, and delivers any detections to the configured destination endpoints. Please see the diagram below.
SNS Topic Creation
Navigate to Amazon SNS > Topics, then click Create topic.
In the creation dialog, select Standard as the type, give the topic a name, and under Access policy select the Advanced option to make use of the JSON editor.
IMPORTANT: Depending on whether this is an AlphaSOC AE Cloud or an AlphaSOC AE On-Premise configuration, modify the access policy accordingly per the sections below.
AlphaSOC AE Cloud Configuration
Replace the contents of the JSON editor with the policy below, replacing <AWS_ID> with the appropriate account ID and <AWS_REGION> with the region where you are creating this SNS topic. Lastly, set the bucket name in aws:SourceArn to the S3 bucket you plan to create or designate for log storage.
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Publish",
        "SNS:RemovePermission",
        "SNS:SetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:AddPermission",
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ID>:ae-sns-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<AWS_ID>"
        }
      }
    },
    {
      "Sid": "Publish from S3",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ID>:ae-sns-topic",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:ae-s3-bucket-1"
        }
      }
    },
    {
      "Sid": "AlphaSOC subscribe",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:Subscribe"
      ],
      "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ID>:ae-sns-topic",
      "Condition": {
        "StringLike": {
          "SNS:Endpoint": "https://*@api.alphasoc.net/*"
        }
      }
    }
  ]
}
Finally, click Create topic.
AlphaSOC AE On-Premise Configuration
Replace the contents of the JSON editor with the policy below, replacing <AWS_ID> with the appropriate account ID and <AWS_REGION> with the region where you are creating this SNS topic. Lastly, set the bucket name in aws:SourceArn to the S3 bucket you plan to create or designate for log storage.
{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish"
      ],
      "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ID>:ae-sns-topic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "<AWS_ID>"
        }
      }
    },
    {
      "Sid": "Publish from S3",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ID>:ae-sns-topic",
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:s3:*:*:ae-s3-bucket-1"
        }
      }
    }
  ]
}
Finally, click Create topic.
S3
If an existing bucket will be used and has been specified as the aws:SourceArn in the previous section, skip to Event Notification below.
Bucket Creation
Navigate to Amazon S3 > Buckets, then click Create bucket.
Name the bucket and select an appropriate region (likely the same region used for the SNS topic above). Leave the default options provided. Take note of the ARN of the newly created bucket. The ARN can also be found by clicking on the bucket, then on Properties.
Event Notification
Navigate to the bucket, click on Properties and under Event notifications click Create event notification. Give the event a name and under Event types > Object creation select All object create events. Finally, under Destination select SNS topic and specify the topic you created or designated above. Click on Save changes.
AlphaSOC AE Cloud Configuration
For AlphaSOC to access objects in this bucket, a proper bucket policy must be set. Navigate to the bucket and under Bucket policy click Edit. Input the following, taking care to set the correct bucket ARN.
IMPORTANT: This step is only needed for AlphaSOC AE Cloud configurations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AlphaSOC access",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::610660487454:root"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::ae-s3-bucket-1/*"
      ]
    }
  ]
}
SNS Subscription Creation
The final preparatory step is to create a subscription such that AE will be notified of new logs arriving at the S3 bucket.
Navigate to Amazon SNS > Topics and click on the topic created or designated above. Under Subscriptions click Create subscription and under Protocol select HTTPS.
Take note of your AlphaSOC Token. This token can be found by logging into the AlphaSOC Console and clicking on Credentials.
AlphaSOC AE Cloud Configuration
Set the Endpoint to https://token:YOUR_ASOC_TOKEN@api.alphasoc.net/sns/importFromS3
AlphaSOC AE On-Premise Configuration
Set the Endpoint to https://token:YOUR_ASOC_TOKEN@ae-on-prem-host.domain/sns/importFromS3
NOTE: ae-on-prem-host.domain must resolve to the node where AE is running and must have valid SSL certificates.
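To check that the topic policy above really admits only S3 publishes from the designated bucket and only subscriptions to the AlphaSOC endpoint used in this subscription step, here is an added example (not AlphaSOC's code) that applies IAM StringLike/ArnLike wildcard semantics to a constructed copy of the two relevant statements; the account ID, region and token value are placeholders, and the evaluator checks only the named condition key, not full IAM evaluation.

```python
import re

# Constructed copy of the "Publish from S3" and "AlphaSOC subscribe" statements
# from this guide, with placeholder values in place of <AWS_REGION>/<AWS_ID>.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ae-sns-topic"
TOPIC_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "Publish from S3", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "SNS:Publish", "Resource": TOPIC_ARN,
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:ae-s3-bucket-1"}}},
        {"Sid": "AlphaSOC subscribe", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["SNS:Subscribe"], "Resource": TOPIC_ARN,
         "Condition": {"StringLike": {"SNS:Endpoint": "https://*@api.alphasoc.net/*"}}},
    ],
}

def iam_match(pattern, value):
    """IAM StringLike/ArnLike semantics: '*' matches any run of characters
    (including none), '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _allows(policy, action, cond_op, cond_key, value):
    """Simplified evaluator: does any Allow statement for `action` accept
    `value` under the given condition operator and key? A statement that
    carries no such condition is treated as unconditional for that key."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in acts:
            continue
        pats = stmt.get("Condition", {}).get(cond_op, {}).get(cond_key)
        if pats is None:
            return True
        pats = pats if isinstance(pats, list) else [pats]
        if any(iam_match(p, value) for p in pats):
            return True
    return False

def subscribe_allowed(policy, endpoint):
    return _allows(policy, "SNS:Subscribe", "StringLike", "SNS:Endpoint", endpoint)

def s3_publish_allowed(policy, bucket_arn):
    return _allows(policy, "SNS:Publish", "ArnLike", "aws:SourceArn", bucket_arn)

if __name__ == "__main__":
    ep = "https://token:YOUR_ASOC_TOKEN@api.alphasoc.net/sns/importFromS3"
    print("subscribe:", subscribe_allowed(TOPIC_POLICY, ep))            # True
    print("s3 publish:", s3_publish_allowed(TOPIC_POLICY, "arn:aws:s3:::ae-s3-bucket-1"))  # True
```

A bare pattern without wildcards, such as "@api.alphasoc.net", never matches the full endpoint URL, so the subscription would be refused; the wildcard form admits the AlphaSOC endpoint while still rejecting endpoints on other hosts.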