I have enabled CloudTrail logs and I get the logs into my Graylog system. Now how can I do analysis on the following use cases:
- What if the same user is trying to log in from different source IPs?
- Need to analyse, for example, if a particular user is logging in from some region (say US) and then suddenly tries to log in from Europe.
- Basically trying to develop some security-related use cases.
I am OK to develop my own application if Graylog doesn't support the above. What is the best way to do it? Send all logs to Kafka and then use an application from there to track it?
Generally CloudTrail logs are great for auditing and investigating past incidents; however, they are very detailed, and to make sense of what's really happening you usually need to link together multiple CloudTrail events to get the full picture.
To answer specifically your use case, i.e. prevent users from logging in from unknown destinations, you may be better off configuring your IAM User policy appropriately and checking the IpAddress condition:

For other security-related uses, say to be notified when someone creates a Security Group open to the world, you can indeed try to figure it out from CloudTrail, but that may be quite an undertaking. You may be better served with AWS Config and its extensive set of security-related rules that actually integrate with CloudTrail and may provide the alerts and insights you need. AWS Trusted Advisor can also provide some security advisory. Or, as Tim pointed out, check out AWS GuardDuty.
Alternatively, try one of the third-party cloud-security services: Cloud Conformity, CloudCheckr, CloudHealth, etc. They can all do the alerting and security checking you're after.
Rolling your own security solutions is rarely a good idea: initial development, keeping them up to date, dealing with false positives/negatives... Better to use the tools already available in AWS or on the market from specialised companies.
Hope that helps :)
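To make the two use cases in the question and the IpAddress suggestion in the answer concrete, here is an added example (editor's code, not the questioner's, the answerer's, or a Graylog feature). It runs the "same user, different source IPs" and "US then suddenly Europe" checks over a handful of constructed CloudTrail-shaped ConsoleLogin records, and builds the kind of source-IP deny policy the answer alludes to. Assumptions: the record fields (eventName, eventTime, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin) follow CloudTrail's real JSON shape; the IP-to-region table and the log records are constructed sample data, and a GeoIP database (Graylog's GeoIP lookup, for instance) would replace the table in practice; the 120-minute "impossible travel" window is an arbitrary tuning value.

```python
"""Login-anomaly checks over CloudTrail ConsoleLogin records (added example).

Not the poster's or answerer's code. The record shape is CloudTrail's; the
region table, the records and the travel window are constructed assumptions.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP lookup (documentation ranges, no real geography).
REGION_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "EU",
}


def region_for(ip: str) -> str:
    """Map a source IP to a coarse region; UNKNOWN when no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_BY_NETWORK.items():
        if addr in net:
            return region
    return "UNKNOWN"


def _login(when, user, ip, outcome="Success"):
    """One constructed record with the CloudTrail fields the detector reads."""
    return {"eventTime": when, "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample log: alice logs in from a second US IP, then from the EU
# 25 minutes later; bob fails once from the EU, then succeeds there two days on.
SAMPLE_RECORDS = [
    _login("2019-01-10T08:00:00Z", "alice", "203.0.113.10"),
    _login("2019-01-10T08:30:00Z", "alice", "203.0.113.10"),
    _login("2019-01-10T09:00:00Z", "bob", "192.0.2.7"),
    _login("2019-01-10T09:15:00Z", "alice", "203.0.113.55"),
    _login("2019-01-10T09:40:00Z", "alice", "198.51.100.20"),
    _login("2019-01-10T10:00:00Z", "bob", "198.51.100.9", outcome="Failure"),
    _login("2019-01-12T09:00:00Z", "bob", "198.51.100.9"),
]


def detect_login_anomalies(records, travel_window_minutes=120):
    """Stateful pass over successful ConsoleLogin records, oldest first.

    'new_source_ip': the user has logged in before, but never from this IP
    (the first login only seeds the baseline). 'region_change' or, when the
    gap is under the window, 'impossible_travel': region differs from the
    user's previous successful login. Failed logins are skipped; they are a
    separate brute-force signal rather than a baseline update.
    """
    seen_ips = {}    # user -> set of source IPs
    last_login = {}  # user -> (timestamp, region)
    alerts = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        ident = rec["userIdentity"]
        user = ident.get("userName") or ident.get("arn", "?")
        ip = rec["sourceIPAddress"]
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        region = region_for(ip)

        ips = seen_ips.setdefault(user, set())
        if ips and ip not in ips:
            alerts.append({"type": "new_source_ip", "user": user, "time": rec["eventTime"],
                           "ip": ip, "known_ips": sorted(ips)})
        ips.add(ip)

        prev = last_login.get(user)
        if prev is not None and prev[1] != region:
            minutes = (ts - prev[0]).total_seconds() / 60
            alerts.append({
                "type": "impossible_travel" if minutes < travel_window_minutes else "region_change",
                "user": user, "time": rec["eventTime"], "ip": ip,
                "from_region": prev[1], "to_region": region, "minutes_since_last": minutes})
        last_login[user] = (ts, region)
    return alerts


def deny_outside_cidr_policy(allowed_cidrs):
    """The answer's preventive alternative as an IAM policy document: deny
    everything unless aws:SourceIp is inside an allowed range. The
    aws:ViaAWSService condition keeps calls that AWS services make on the
    principal's behalf (whose source IP is an AWS address) from being denied;
    AWS documents this pattern for source-IP deny policies.
    """
    cidrs = [str(ipaddress.ip_network(c)) for c in allowed_cidrs]  # raises on malformed input
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "DenyOutsideAllowedIps", "Effect": "Deny",
                           "Action": "*", "Resource": "*",
                           "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs},
                                         "Bool": {"aws:ViaAWSService": "false"}}}]}
```

Run against SAMPLE_RECORDS the detector raises five alerts: alice's second US IP, her EU IP, an impossible-travel alert (US to EU in 25 minutes), bob's EU IP, and a plain region change for bob (two days apart). The same state-keeping is what a Kafka consumer would do per user key; the policy function shows the preventive control the answer prefers, which blocks the login instead of merely alerting on it.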