AWS Elasticsearch Output

Sending Dash Compliance Events To AWS Elasticsearch

Dash allows teams to extend compliance by connecting Dash compliance events into audit logging and SIEM solutions. Dash customers can collect compliance logs for further analysis in Cloudwatch or solutions such as Elasticsearch and Splunk.  Users can also trigger Lambda functions and other AWS functions using Dash’s output to Cloudwatch Events. 

What Will You Need?

• Dash ComplyOps v1.5.0 or greater – See how to update to latest version of Dash

• About 5 minutes of time

Instructions

1. Before sending compliance events to AWS Elasticsearch, your team must enable Dash event output to Cloudwatch Logs.

2. After enabling Dash output to Cloudwatch Logs, navigate to Cloudwatch – Login to the AWS Console > Click the “Services” tab > Navigate to Cloudwatch

3. Click “Logs” in the left sidebar.

4. In the Filter Box, type “/dash” and press enter. You should see Dash Log Groups based on your AWS account ID, similar to the image below.

5. To send Dash compliance issues to AWS Elasticsearch:

Select the individual Log Group related to the AWS account – Click the “Actions” Button – Click “Stream to Amazon Elasticsearch Service”

6. You will be prompted to select your AWS Elasticsearch cluster hosted in your account or another account. Once you select your Elasticsearch instance, click the “Next” button.

7. On the next page, under Log Format, select “JSON”. Optionally, you may add a Subscription Filter for log data.

You will see sample events below. Click the “Next” button.

8. Review all selected settings and then click the “Next” button.

9. Click the “Start Streaming” button.

Dash compliance events from Cloudwatch, will start to stream into AWS Elasticsearch instance You will now be able to view events by navigating to AWS Elasticsearch and logging into Kibana.

Under the “Discover” tab, you will be able to see Dash compliance events and can create new views by selecting available data fields.