Configuration is loaded from the cloud-connector.yaml file.

logging: info
rules:
  - git:
      url: https://github.com/sysdiglabs/cloudtrail-rules
  - s3:
      bucket: bucket-name
  - gcs:
      bucket: bucket-name
  - directory:
      path: ./rules
ingestors:
  - aws-cloudtrail-sns-sqs:
      queueURL: https://sqs.REGION.amazonaws.com/XXXXX/cloud-connector-demo
  - aws-cloudtrail-sns-http:
      url: /cloudtrail
  - aws-cloudtrail-http:
      url: /cloudtrail-debug
  - gcp-auditlog:
      project: XXXX
      interval: 5m
  - gcp-auditlog-http:
      url: /auditlog-debug
  - gcp-auditlog-pubsub-http:
      url: /auditlog
  - azure-event-hub: {}
notifiers:
  - cloudwatch:
      logGroup: cloud-connector-test
      logStream: test
  - securityhub:
      productArn: arn:aws:securityhub:eu-west-1:485156241564:product/485156241564/default
  - stackdriver:
      project: gcp-project-name
      logName: cloud-connector-logs

Logging levels

You can configure the Cloud Connector with 3 different logging levels: debug, info and error. If any other level is specified, a warning is logged and the level falls back to info. If no level is specified, info is the default.

Rule providers

You can use several rule providers at the same time. Rules are loaded in the order the providers are listed. In the example above, rules are loaded and merged from git, then an S3 bucket, then a GCS bucket and finally a local directory.

Lists and macros can use the append feature to extend lists and macros defined by rules loaded before them, so provider order matters: a later provider can only extend what an earlier one has already defined.

The following environment variables must be defined when running the Cloud Connector:

git

Loads the rules from a Git repository

If you need to clone a private repository, supply the credentials in the repository URL, for example a GitHub personal access token (see https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/). The token then sits in cloud-connector.yaml, so give it read-only scope and restrict who can read the configuration file.

Parameters:

s3

Loads the rules from an S3 bucket. The provider retrieves every file ending in .yaml or .yml, recursively. You may need to specify a path for the files so that unrelated YAML files in the bucket are not merged into the rules.

For example, if the files are saved under “cloud-connector-rules/rules.yaml”, the path should be “cloud-connector-rules”.

Parameters:

gcs

Loads the rules from a Google Cloud Storage bucket. The provider retrieves every file ending in .yaml or .yml, recursively. You may need to specify a path for the files so that unrelated YAML files in the bucket are not merged into the rules.

For example, if the files are saved under “cloud-connector-rules/rules.yaml”, the path should be “cloud-connector-rules”.

Parameters:

directory

Loads the set of rules from a directory specified by the path parameter.
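The following is an added example, not code from the cloud-connector project. It models two things the rule-provider section describes: the file selection the s3 and gcs providers perform (every .yaml/.yml object below the configured path, recursively) and the in-order merge in which a later provider can use `append: true` to extend a list or macro defined by an earlier one. It assumes the rule files are Falco-style YAML made of `list`, `macro` and `rule` items; the bucket listing, the rule documents and the `ct.*` field names are constructed for the example and are written as already-parsed Python objects so it runs offline without PyYAML.

```python
"""Added example: provider file selection and ordered merge with append.
Not cloud-connector code; rule documents below are constructed and pre-parsed."""

RULE_EXTENSIONS = (".yaml", ".yml")


def select_rule_keys(object_keys, path=None):
    """Mimic the s3/gcs providers' selection: every object ending in .yaml/.yml
    below `path` (recursively), in sorted key order. Without a `path`, any
    unrelated YAML elsewhere in the bucket is picked up as well."""
    prefix = path.strip("/") + "/" if path else ""
    return sorted(
        key for key in object_keys
        if key.startswith(prefix) and key.endswith(RULE_EXTENSIONS)
    )


def merge_rule_documents(documents):
    """Merge parsed rule documents in load order. Lists and macros are keyed by
    name: an item with `append: true` extends the earlier definition, any other
    item with the same name replaces it. A macro fragment is appended as raw
    condition text (Falco semantics), so it must carry its own leading operator,
    e.g. 'or ct.name = "SwitchRole"'. Rules with the same name: later wins."""
    lists, macros, rules = {}, {}, {}
    for doc in documents:
        for item in doc:
            if "list" in item:
                name = item["list"]
                if item.get("append") and name in lists:
                    lists[name] = lists[name] + list(item["items"])
                else:
                    lists[name] = list(item["items"])
            elif "macro" in item:
                name = item["macro"]
                if item.get("append") and name in macros:
                    macros[name] = macros[name] + " " + item["condition"]
                else:
                    macros[name] = item["condition"]
            elif "rule" in item:
                rules[item["rule"]] = item
    return lists, macros, rules


# Constructed bucket listing: only the two files under the configured path are
# rule files; the top-level README.yaml must not be merged in.
BUCKET_KEYS = [
    "README.yaml",
    "cloud-connector-rules/rules.yaml",
    "cloud-connector-rules/extra/local_overrides.yml",
    "cloud-connector-rules/notes.txt",
]

# Constructed rule documents, one per provider, in the order git -> s3 -> directory.
GIT_RULES = [
    {"list": "sensitive_actions", "items": ["DeleteTrail", "StopLogging"]},
    {"macro": "console_login", "condition": 'ct.name = "ConsoleLogin"'},
    {"rule": "CloudTrail tampering", "condition": "ct.name in (sensitive_actions)",
     "output": "CloudTrail tampered (user=%ct.user)", "priority": "WARNING"},
]
S3_RULES = [
    {"list": "sensitive_actions", "append": True, "items": ["UpdateTrail"]},
]
DIRECTORY_RULES = [
    {"macro": "console_login", "append": True, "condition": 'or ct.name = "SwitchRole"'},
    {"rule": "CloudTrail tampering", "condition": "ct.name in (sensitive_actions)",
     "output": "CloudTrail tampered (user=%ct.user)", "priority": "CRITICAL"},
]


def load_in_provider_order():
    """Providers are applied in the order they appear under `rules:`."""
    return merge_rule_documents([GIT_RULES, S3_RULES, DIRECTORY_RULES])


if __name__ == "__main__":
    print(select_rule_keys(BUCKET_KEYS, path="cloud-connector-rules"))
    lists, macros, rules = load_in_provider_order()
    print(lists["sensitive_actions"])
    print(macros["console_login"])
    print(rules["CloudTrail tampering"]["priority"])
```

Swapping the s3 and directory providers in the list would make the directory's `append` land on a list that does not exist yet, which is why the provider order in cloud-connector.yaml is part of the rule semantics rather than a cosmetic choice.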

Ingestors

aws-cloudtrail-sns-sqs

Ingests CloudTrail SNS notifications delivered to the SQS queue specified by the queueURL parameter.

Parameters:

aws-cloudtrail-sns-http

Ingests CloudTrail SNS notifications delivered over HTTP on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

Each SNS notification names the CloudTrail log object that was written, and triggers retrieving the events from the S3 bucket.

aws-cloudtrail-http

Receives raw JSON events on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

This ingestor is only used for debugging purposes.

gcp-auditlog

Retrieves Google Cloud Platform Audit Log events. The Cloud Connector pulls events directly from GCP Logging for the given project, at the interval given by the interval parameter.

Parameters:

gcp-auditlog-http

Receives raw JSON events on the path specified by the url parameter. The Cloud Connector listens for HTTP requests on port 5000.

This ingestor is only used for debugging purposes.

gcp-auditlog-pubsub-http

Receives Audit Log events on the path specified by the url parameter. The events are pushed from a Pub/Sub topic (via a push subscription) to this endpoint.
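The following is an added example, not code from the cloud-connector project. It shows the envelopes the aws-cloudtrail-sns-sqs, aws-cloudtrail-sns-http and gcp-auditlog-pubsub-http ingestors above have to unwrap before any log record is visible: the SNS notification that CloudTrail publishes (delivered straight to the HTTP listener, or as the body of an SQS message), and the Pub/Sub push envelope that carries an Audit Log entry. The sample messages are constructed; the envelope field names are the documented AWS and GCP ones. The topic ARN check and the handling of SubscriptionConfirmation are the example's own additions.

```python
"""Added example: unwrapping SNS/SQS and Pub/Sub push envelopes.
Not cloud-connector code; all sample messages below are constructed."""
import base64
import json


def cloudtrail_objects_from_sns(sns_body, expected_topic_arn):
    """Return the (bucket, key) pairs named by a CloudTrail SNS notification.

    CloudTrail publishes a JSON Message with `s3Bucket` and a list `s3ObjectKey`;
    the connector then fetches those objects from S3. Anything that is not a
    Notification (e.g. the SubscriptionConfirmation handshake) yields no objects,
    and a message from a topic other than the one we subscribed to is rejected.
    A production listener on port 5000 should additionally verify the SNS
    Signature against SigningCertURL, which is left out here to stay offline.
    """
    envelope = json.loads(sns_body)
    if envelope.get("TopicArn") != expected_topic_arn:
        raise ValueError(f"unexpected TopicArn {envelope.get('TopicArn')!r}")
    if envelope.get("Type") != "Notification":
        return []
    message = json.loads(envelope["Message"])
    return [(message["s3Bucket"], key) for key in message.get("s3ObjectKey", [])]


def cloudtrail_objects_from_sqs(sqs_message_body, expected_topic_arn):
    """SNS -> SQS delivery (raw message delivery disabled) stores the whole SNS
    envelope as a string in the SQS message body, so the same parser applies."""
    return cloudtrail_objects_from_sns(sqs_message_body, expected_topic_arn)


def auditlog_entry_from_pubsub_push(http_body):
    """Pub/Sub push POSTs {"message": {"data": <base64>, ...}, "subscription": ...};
    the Audit Log entry is the base64-decoded JSON in `data`."""
    envelope = json.loads(http_body)
    return json.loads(base64.b64decode(envelope["message"]["data"]))


# --- constructed samples ---------------------------------------------------
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cloudtrail-demo"
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2021/01/01/"
              "123456789012_CloudTrail_us-east-1_20210101T0000Z_abcdef.json.gz")
SAMPLE_SNS = json.dumps({
    "Type": "Notification",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "TopicArn": TOPIC_ARN,
    "Message": json.dumps({"s3Bucket": "my-cloudtrail-bucket", "s3ObjectKey": [SAMPLE_KEY]}),
    "Timestamp": "2021-01-01T00:00:00.000Z",
})
SAMPLE_SUBSCRIPTION_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": TOPIC_ARN,
    "Token": "opaque-confirmation-token",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription",
})
AUDIT_ENTRY = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
    },
    "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
}
SAMPLE_PUBSUB_PUSH = json.dumps({
    "message": {
        "data": base64.b64encode(json.dumps(AUDIT_ENTRY).encode()).decode(),
        "messageId": "136969346945",
        "publishTime": "2021-01-01T00:00:00.000Z",
    },
    "subscription": "projects/demo-project/subscriptions/auditlog-push",
})

if __name__ == "__main__":
    print(cloudtrail_objects_from_sns(SAMPLE_SNS, TOPIC_ARN))
    print(cloudtrail_objects_from_sns(SAMPLE_SUBSCRIPTION_CONFIRMATION, TOPIC_ARN))
    print(auditlog_entry_from_pubsub_push(SAMPLE_PUBSUB_PUSH)["protoPayload"]["methodName"])
```

Because the HTTP ingestors bind on port 5000 without any authentication described on this page, the endpoint should only be reachable from SNS or Pub/Sub (network policy or an authenticated push subscription), and the topic check above is the minimum sanity check before fetching whatever bucket and key a posted message names.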

Notifiers

cloudwatch

Sends alerts to AWS CloudWatch Logs, into the log group and log stream given by the logGroup and logStream parameters.

Environment variable AWS_REGION must be set, and AWS credentials must be pre-configured.

Parameters:

securityhub

Sends alerts to AWS Security Hub as findings under the product given by the productArn parameter.

Environment variable AWS_REGION must be set, and AWS credentials must be pre-configured.

Parameters:
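The following is an added example, not the cloud-connector notifier itself. It shows what a Security Hub notifier has to do with its productArn: the ARN fixes the region and account the findings are imported under, so it must agree with AWS_REGION, and every alert has to be turned into a valid ASFF finding before BatchImportFindings accepts it. The alert shape (`rule`, `priority`, `output`, `event_id`), the priority-to-severity mapping and the finding type chosen are the example's own assumptions; the ASFF field names and the boto3 call are AWS's.

```python
"""Added example: productArn checks and alert -> ASFF finding conversion.
Not cloud-connector code; the alert format below is constructed."""
import datetime
import os
import re

PRODUCT_ARN_RE = re.compile(
    r"^arn:aws:securityhub:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):product/(?P<product>.+)$"
)

# Assumed mapping from Falco-style priorities to ASFF Severity.Label values.
SEVERITY_LABELS = {
    "EMERGENCY": "CRITICAL", "ALERT": "CRITICAL", "CRITICAL": "CRITICAL",
    "ERROR": "HIGH", "WARNING": "MEDIUM", "NOTICE": "LOW",
    "INFORMATIONAL": "INFORMATIONAL", "DEBUG": "INFORMATIONAL",
}

ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
                 "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")


def parse_product_arn(product_arn):
    """Return (region, account) from a Security Hub product ARN, or fail loudly."""
    m = PRODUCT_ARN_RE.match(product_arn)
    if not m:
        raise ValueError(f"not a Security Hub product ARN: {product_arn!r}")
    return m.group("region"), m.group("account")


def check_region(product_arn, env=None):
    """AWS_REGION must be set (see above); findings are imported in the client's
    region, so it has to match the region encoded in productArn."""
    env = os.environ if env is None else env
    region, _ = parse_product_arn(product_arn)
    configured = env.get("AWS_REGION")
    if configured is None:
        raise ValueError("AWS_REGION is not set")
    if configured != region:
        raise ValueError(f"AWS_REGION={configured} but productArn is in {region}")
    return region


def asff_timestamp(dt):
    """ASFF timestamps are RFC 3339 in UTC with millisecond precision."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def alert_to_asff(alert, product_arn, now_iso=None):
    """Build one ASFF finding from an alert and verify the required fields."""
    region, account = parse_product_arn(product_arn)
    account_id = alert.get("account_id", account)
    ts = now_iso or asff_timestamp(datetime.datetime.now(datetime.timezone.utc))
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": f"{account_id}/{region}/{alert['rule']}/{alert['event_id']}",
        "ProductArn": product_arn,
        "GeneratorId": alert["rule"],
        "AwsAccountId": account_id,
        "Types": ["TTPs/Defense Evasion"],          # assumed classification
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": SEVERITY_LABELS.get(alert["priority"].upper(), "MEDIUM")},
        "Title": alert["rule"][:256],               # ASFF length limits
        "Description": alert["output"][:1024],
        "Resources": [{"Type": "AwsAccount", "Id": f"AWS::::Account:{account_id}", "Region": region}],
        "RecordState": "ACTIVE",
    }
    missing = [k for k in ASFF_REQUIRED if k not in finding]
    if missing:
        raise ValueError(f"finding is missing {missing}")
    return finding


def import_findings(findings, region):
    """Actual delivery (not exercised offline): BatchImportFindings takes at most
    100 findings per call and reports partial failures instead of raising."""
    import boto3  # imported here so the rest of the example runs without it
    client = boto3.client("securityhub", region_name=region)
    for i in range(0, len(findings), 100):
        resp = client.batch_import_findings(Findings=findings[i:i + 100])
        if resp["FailedCount"]:
            raise RuntimeError(f"Security Hub rejected findings: {resp['FailedFindings']}")


PRODUCT_ARN = "arn:aws:securityhub:eu-west-1:485156241564:product/485156241564/default"
SAMPLE_ALERT = {  # constructed
    "rule": "CloudTrail tampering",
    "priority": "Warning",
    "output": "CloudTrail tampered (user=alice event=StopLogging)",
    "event_id": "2a7c1d4e-0000-4000-8000-000000000001",
}

if __name__ == "__main__":
    region = check_region(PRODUCT_ARN, env={"AWS_REGION": "eu-west-1"})
    print(alert_to_asff(SAMPLE_ALERT, PRODUCT_ARN))
```

Running `check_region` at startup turns a silent stream of rejected findings into a configuration error, which is the failure mode a mismatched productArn or missing AWS_REGION otherwise produces.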

stackdriver

Sends alerts to Google Cloud Logging (formerly Stackdriver), into the log given by the logName parameter in the given project.

Parameters: