Huawei Cloud Log Integration for Warden Threat Detection

Before you can set up Warden Threat Detection in your Huawei Cloud environment, a logging infrastructure has to be in place. This document covers the infrastructure you need to set up for the Warden Threat Detection integration.
You can also follow the same step-by-step guide on the integration page in Warden. Click here to log in to Warden to start integration.

Step by Step Guide

  1. Log in to your Huawei Cloud console.
  2. Create an IAM Custom Policy. Navigate to the IAM permissions page under the IAM service.
    1. Click on Create Custom Policy to create the SMN-related policy.
    2. Give an appropriate name (e.g., WardenLogIngestionSMNPolicy) for Policy Name.
    3. Select JSON under Policy View.
    4. Copy the following text from the JSON here into the Policy Content field.
    5. Click OK.
  3. Create an IAM User Group - navigate to the User Groups page under IAM service.
    1. Click on Create User Group.
    2. Give an appropriate name (e.g., WardenLogIngestionGroup).
    3. Click OK.
    4. Click Authorize on the created user group.
    5. Find and select the Custom Policies created in step 2.
    6. Click Next, then OK, then Finish.
  4. Create an IAM User - navigate to the IAM Users page under IAM service.
    1. Click on Create User.
    2. Give an appropriate name (e.g., WardenLogIngestionSystemUser) for the username.
    3. Select only Programmatic Access under Access Type.
    4. Select only Access key under Credential Type.
    5. Click Next.
    6. Select the User Group created in step 3.
    7. Click Create User.
    8. Click Download Access Key.
  5. Copy the Access Key Id and the Secret Access Key from the downloaded file and paste them into the corresponding fields.
  6. Copy the Account ID into the field.
    1. To find the Account ID, hover over your username on the upper right of the page and click on the My Credentials link. You can also access the page here.
    2. Look for the Account ID field.
    3. The Region field should be the region where you would like to enable the CTS log ingestion and create the cloud resources related to this onboarding.
     
  7. Create an SMN Topic - navigate to Topic Management then Topics page under SMN service.
    1. Click on Create Topic.
    2. Give an appropriate name (e.g., WardenLogIngestionTopic) for the topic name.
    3. Select the desired Enterprise project (default).
    4. Click OK.
    5. Click More on the created topic then click Configure Topic Policy.
    6. Select All users for the users who can publish to the created topic.
    7. Check OBS among the services allowed to publish to the created topic.
    8. Hover on the URN of the created topic.
    9. Copy the SMN Topic URN and paste it in the SMN Topic field.
  8. Navigate to the Cloud Trace Service page.
    1. Select the region where you would like to have the threat detection integration.
    2. Enable CTS if it's not yet enabled by clicking Enable and Authorize.
  9. In the CTS, navigate to Key Event Notifications.
    1. Click on Create Key Event Notification.
    2. Enter a name for the Key Event Notification (e.g., WardenLogIngestionNotification).
    3. In the Topic section, select Yes.
    4. Select the previously created SMN Topic in the dropdown list that appears.
    5. Click OK.
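
The values collected in steps 5 to 7 can be checked for copy/paste and region mistakes before they are submitted. The script below is an added example, not part of Warden or Huawei Cloud tooling. The field names, the URN layout urn:smn:<region>:<32-hex project ID>:<topic name> and the 32-hex Account ID format are assumptions, and the sample values are constructed.

```python
import re

# Assumed formats (not stated in this guide): URN layout and 32-hex IDs.
URN_RE = re.compile(
    r"^urn:smn:([a-z0-9-]+):([0-9a-f]{32}):([A-Za-z0-9][A-Za-z0-9_-]{0,254})$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")
REQUIRED = ("access_key_id", "secret_access_key", "account_id",
            "region", "smn_topic_urn")  # hypothetical field names


def check_onboarding(fields):
    """Return a list of problems in the values gathered in steps 5 to 7."""
    problems = []
    for name in REQUIRED:
        value = fields.get(name, "")
        if not value.strip():
            problems.append(f"{name}: missing")
        elif value != value.strip():
            problems.append(f"{name}: stray whitespace from copy/paste")
    clean = {k: v.strip() for k, v in fields.items()}
    account_id = clean.get("account_id", "")
    if account_id and not HEX32_RE.match(account_id):
        problems.append("account_id: expected 32 lowercase hex characters")
    urn = clean.get("smn_topic_urn", "")
    match = URN_RE.match(urn)
    if urn and not match:
        problems.append("smn_topic_urn: not urn:smn:<region>:<project>:<topic>")
    if match:
        urn_region, project_id, _topic = match.groups()
        region = clean.get("region", "")
        if region and urn_region != region:
            # The topic must live in the region chosen in step 6.
            problems.append(f"region: {region} given, topic is in {urn_region}")
        if project_id == account_id:
            problems.append("account_id: equals the URN project ID, not an Account ID")
    return problems


# Constructed sample values, not real credentials or IDs.
SAMPLE = {
    "access_key_id": "EXAMPLEACCESSKEYID00",
    "secret_access_key": "example-secret-access-key-value ",
    "account_id": "0123456789abcdef0123456789abcdef",
    "region": "ap-southeast-1",
    "smn_topic_urn": "urn:smn:ap-southeast-3:"
                     "0123456789abcdef0123456789abcdef:WardenLogIngestionTopic",
}

if __name__ == "__main__":
    print("\n".join(check_onboarding(SAMPLE)) or "no problems found")
```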

Continue to see How to set up Threat Detection Integration in Warden.