Alibaba Cloud Log Integration for Warden Threat Detection

Before you can set up Warden Threat Detection in your Alibaba Cloud environment, there has to be a logging infrastructure in place. This document covers the required infrastructure you need to set up for Warden Threat Detection Integration. 

Please note that OSS Buckets and MNS Topics must be created in the same region. Only the following regions are supported: China (Shanghai)China (Wulanchabu)China (Guangzhou)Singapore (Singapore). This will not affect the ability to capture events from all regions.

You can also see the same step by step guide on the integration page in Warden. Click here to log in to Warden to start integration.

Step by Step Guide
  1. Login to your Alibaba Cloud console.
  2. Create an OSS Bucket under OSS service - navigate to Buckets under OSS service.
    1. Click Create Bucket.
    2. Give an appropriate name (i.e, warden-log-ingestion-bucket) for the bucket name.
    3. Select the appropriate region for the integration.
    4. Select Standard as the Storage Class.
    5. Enable Zone-redundant storage.
    6. Select Private for the ACL.
    7. Optionally, enable either Encryption option.
    8. Click OK.
    9. Copy the OSS Bucket Name and paste it in the OSS Bucket field below.
  3. Create an MNS Topic - navigate to Topics under MNS.
    1. Click on Create Topic.
    2. Use this for the topic name: <please-refer-to-the-topic-name-on-the-Warden-integration-page>
    3. Click OK.
    4. Click on Create Subscription.
    5. Give an appropriate name (i.e, WardenLogIngestionSubscription) for the subscription name.
    6. Enter this URL for the Receiver Endpoint: <please-refer-to-the-url-on-the-Warden-integration-page>
    7. Select JSON for the Message Pushing Format.
    8. Click OK.
  4. Set up Bucket event notifications - Navigate to Event Notifications under MNS.
    1. Under OSS, click Create Rule.
    2. Select Custom Rule.
    3. Give an appropriate name (i.e, warden-log-ingestion-event-rule) for the rule name.
    4. Select PutObject for Event Type.
    5. Select Prefix and enter the OSS Bucket Name with a suffix "/".
    6. Select Topic for Terminal Type.
    7. Enter this name for Receiving Terminal: <please-refer-to-the-topic-name-on-the-Warden-integration-page>
    8. Click OK.
  5. [Optional] Navigate to the Resource Directory.
    * This is only applicable for situations where multiple Alibaba Cloud Accounts are required. In a single account situation, you can skip this step. For more information, refer to Alibaba Cloud Resource Directory Documentation and Alibaba Cloud Actiontrail Documentation.
    1. Ensure that Resource Directory is activated, and that your master accounts and member accounts are configured.
  6. Set up a logging trail - Navigate to Trails under ActionTrail.
    1. Enable ActionTrail if it is not yet enabled.
    2. Click on Create Trail.
    3. Give an appropriate name (i.e, warden-log-ingestion-trail) for the trail name.
    4. [Optional] To create a Multi-account trail, select Yes for Apply Trail to All Members. Refer to Alibaba Cloud Product Introduction for more information.
    5. Click Next.
    6. Uncheck Delivery to Log Service.
    7. Check Delivery to OSS.
    8. Select Delivery to Current Account.
    9. Select Existing OSS Bucket.
    10. Choose the previously created bucket's name.
    11. Click Next.
    12. Click Submit.
  7. Create an RAM Custom Policy. Navigate to the RAM Policies page under RAM service.
    1. Click on Create Policy to create the OSS-related policy.
    2. Select JSON type.
    3. Copy the following text from the JSON here into the Policy Content field.
    4. Click Next.
    5. Give an appropriate name (i.e, WardenLogIngestionOSSPolicy) for Policy Name.
    6. Click OK.
  8. Create an RAM User Group - navigate to the User Groups page under RAM service.
    1. Click on Create Group.
    2. Give an appropriate name (i.e, WardenLogIngestionGroup).
    3. Click OK.
    4. Click Add Permissions on the created user group.
    5. Find and select the Custom Policy created in step 7.
    6. Click OK then Complete.
  9. Create an RAM User - navigate to the User page under RAM service.
    1. Click on Create User.
    2. Give an appropriate name (i.e, WardenLogIngestionSystemUser) for the Logon Name/Display Name.
    3. Select only Open API under Access Type.
    4. Click Download CSV file to save the Access Key ID and Secret Access key.
    5. Click the checkbox to select the user, and click Add to Group.
    6. Select the User Group created in step 8.
    7. Click OK.
  10. Copy the Access Key ID and the Secret Access Key from the downloaded file and paste it onto the corresponding fields below.

Continue to see How to set up Threat Detection Integration in Warden.