Profile Applicability:
 • Level 2

Description:

CloudWatch metrics provide vital information about the performance and status of AWS services, including Endpoint Detection and Response (EDR) solutions integrated with AWS. Ensuring that CloudWatch metrics are enabled and configured for AWS EDR solutions (such as Amazon GuardDuty or Amazon Macie) allows organizations to monitor and respond to potential security incidents in real time. CloudWatch enables the tracking of critical security events and activities, offering insights into system performance and security posture.

Rationale:

CloudWatch metrics enable organizations to proactively monitor security-related activities on their AWS infrastructure. By integrating AWS EDR services with CloudWatch, security teams can track anomalies, potential threats, and other indicators of compromise (IoCs). This integration provides valuable data that helps in the timely detection of attacks, optimizing response times, and ensuring that security operations are continuously effective.

Impact:

Pros:

  • Provides real-time visibility into the performance and status of EDR services

  • Enables automated monitoring and alerting of suspicious activities or potential security breaches

  • Integrates with other AWS services like AWS Security Hub, enabling centralized security operations

  • Helps security teams to act quickly and mitigate risks based on CloudWatch alerts and metrics

  • Improves compliance with monitoring and reporting standards, particularly for regulated environments

Cons:

  • Requires proper configuration of CloudWatch alarms and metrics to avoid overwhelming teams with unnecessary alerts

  • Can generate false positives if not tuned appropriately, leading to alert fatigue

  • Requires ongoing management and monitoring to ensure metrics and alarms are functioning correctly

  • May incur additional costs depending on the volume of metrics and alarms being generated

Default Value:

By default, CloudWatch metrics are not automatically enabled for all AWS services. EDR services, such as Amazon GuardDuty, can be configured to send security-related metrics to CloudWatch, but they need to be explicitly set up.

Pre-requisites:

  • IAM permissions to configure CloudWatch metrics, alarms, and logs

  • Amazon GuardDuty or other AWS EDR solutions enabled and configured

  • CloudWatch set up in the AWS account to receive and store metrics and logs

  • Knowledge of what events or metrics need to be monitored based on the organization’s security policies

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to CloudWatch > Metrics

  3. Under the Browse section, check for GuardDuty or other integrated EDR services such as Amazon Macie or AWS Security Hub

  4. Ensure that the necessary metrics are available, such as threat activity, findings, and anomaly detection

  5. Verify that CloudWatch is collecting the appropriate data from the EDR service and that the data is being processed correctly

  6. Navigate to CloudWatch > Alarms and confirm that alarms have been set up to trigger on critical security events (e.g., high severity findings or anomalies)

  7. Test the configuration by generating a controlled, non-destructive test event (e.g., a simulated attack attempt or unauthorized access attempt) and verify that it appears in the metrics and triggers the alarm

Using AWS CLI:

List available CloudWatch metrics for Amazon GuardDuty (if used for EDR):

aws cloudwatch list-metrics --namespace AWS/GuardDuty

Check for specific metrics related to findings or activities in GuardDuty:

aws cloudwatch get-metric-statistics \
  --namespace AWS/GuardDuty \
  --metric-name FindingsCount \
  --statistics Sum \
  --start-time 2021-01-01T00:00:00Z \
  --end-time 2021-01-01T23:59:59Z \
  --period 3600

Verify the status of CloudWatch alarms:

aws cloudwatch describe-alarms --alarm-names <alarm-name>

Ensure that the metrics are being sent to CloudWatch Logs for detailed analysis:

aws logs describe-log-groups --log-group-name-prefix <log-group-name>

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console

  2. Navigate to CloudWatch > Metrics

  3. Go to the Browse section and select GuardDuty (or other relevant EDR services like Macie)

  4. Click Create Alarm to set up an alarm based on a specific metric, such as FindingsCount or AnomalousActivity

  5. Configure the alarm settings:

    • Set the threshold for the alarm (e.g., when the FindingsCount exceeds a certain number)

    • Select the action to take when the alarm state is triggered (e.g., send an SNS notification)

  6. Review the alarm settings and ensure that they align with security policies for timely responses to potential threats

  7. Confirm that CloudWatch logs are enabled for GuardDuty or other EDR services and that the logs contain useful information about security findings and activities

Using AWS CLI:

Enable Amazon GuardDuty by creating a detector in the region (if not already enabled), so that it publishes metrics to CloudWatch:

aws guardduty create-detector --enable

Create a CloudWatch alarm for GuardDuty findings:

aws cloudwatch put-metric-alarm \
  --alarm-name "GuardDutyHighSeverityFindings" \
  --metric-name FindingsCount \
  --namespace AWS/GuardDuty \
  --statistic Sum \
  --period 86400 \
  --threshold 10 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 1 \
  --alarm-actions arn:aws:sns:region:account-id:topic-name \
  --ok-actions arn:aws:sns:region:account-id:topic-name

Verify that CloudWatch metrics and logs for GuardDuty are being properly collected:

aws cloudwatch describe-alarms --alarm-names "GuardDutyHighSeverityFindings"

Check the CloudWatch logs for GuardDuty activity:

aws logs describe-log-groups --log-group-name-prefix "/aws/guardduty"
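The following audit helper is an added example, not part of this benchmark or of any AWS tooling: it applies the Test Plan and Implementation Plan checks above to the API responses that the describe-alarms and GuardDuty detector calls return, and flags an alarm stuck in INSUFFICIENT_DATA, which is the usual sign that the metric is not actually being emitted. The collect_live wrapper around boto3 and all sample data are assumptions constructed for illustration.

```python
from typing import Dict, List

GUARDDUTY_NS = "AWS/GuardDuty"


def evaluate_control(detectors: List[Dict], alarms: List[Dict]) -> Dict:
    """Return {'compliant': bool, 'findings': [...]} for one account/region.

    `detectors` holds guardduty get_detector responses; `alarms` is the
    MetricAlarms list from cloudwatch describe_alarms.
    """
    findings = []
    if not any(d.get("Status") == "ENABLED" for d in detectors):
        findings.append("no enabled GuardDuty detector in this region")
    gd_alarms = [a for a in alarms if a.get("Namespace") == GUARDDUTY_NS]
    if not gd_alarms:
        findings.append(f"no CloudWatch alarm defined on namespace {GUARDDUTY_NS}")
    for a in gd_alarms:
        name = a.get("AlarmName", "<unnamed>")
        if not a.get("AlarmActions"):
            findings.append(f"alarm {name} has no alarm action (nobody is notified)")
        if a.get("ActionsEnabled") is False:
            findings.append(f"alarm {name} has actions disabled")
        if a.get("StateValue") == "INSUFFICIENT_DATA":
            findings.append(f"alarm {name} has no data: metric may not be emitted")
    return {"compliant": not findings, "findings": findings}


def collect_live(region: str) -> Dict:
    """Assumed boto3 equivalent of the CLI calls above; needs AWS credentials."""
    import boto3  # imported here so the offline evaluation needs no SDK
    gd = boto3.client("guardduty", region_name=region)
    cw = boto3.client("cloudwatch", region_name=region)
    detectors = [gd.get_detector(DetectorId=i) for i in gd.list_detectors()["DetectorIds"]]
    alarms = cw.get_paginator("describe_alarms").paginate().build_full_result()["MetricAlarms"]
    return evaluate_control(detectors, alarms)


# Constructed sample inputs mirroring the alarm created in the Implementation Plan
SAMPLE_DETECTORS = [{"Status": "ENABLED"}]
SAMPLE_ALARMS = [{
    "AlarmName": "GuardDutyHighSeverityFindings", "Namespace": "AWS/GuardDuty",
    "MetricName": "FindingsCount", "Statistic": "Sum", "Period": 86400,
    "Threshold": 10.0, "ComparisonOperator": "GreaterThanThreshold",
    "ActionsEnabled": True, "StateValue": "OK",
    "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:security-alerts"],
}]
# Same alarm with no notification target and no metric data arriving
SAMPLE_ALARMS_BAD = [dict(SAMPLE_ALARMS[0], AlarmActions=[], StateValue="INSUFFICIENT_DATA")]

if __name__ == "__main__":
    print(evaluate_control(SAMPLE_DETECTORS, SAMPLE_ALARMS))
    print(evaluate_control(SAMPLE_DETECTORS, SAMPLE_ALARMS_BAD))
```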

Backout Plan:

Using AWS Console:

  1. Navigate to CloudWatch > Alarms

  2. Select the alarm created for GuardDuty or other EDR services

  3. Click Delete to remove the alarm

  4. Navigate to CloudWatch > Logs and ensure the logs are still being captured if needed, otherwise disable CloudWatch logs for the service

  5. Revert any metric configurations or policies to the previous state if necessary

Using AWS CLI:

Delete a CloudWatch alarm for GuardDuty findings:

aws cloudwatch delete-alarms --alarm-names "GuardDutyHighSeverityFindings"

Disable the GuardDuty detector so it stops publishing metrics to CloudWatch:

aws guardduty update-detector --detector-id <detector-id> --no-enable

Revert any changes to CloudWatch logs configuration if necessary:

aws logs delete-log-group --log-group-name "/aws/guardduty"

References: