AlienVault® USM Anywhere™

AWS Directory Service

When you configure Amazon Web Services (AWS) Directory Service to send log data to USM Anywhere, you can use the AWS Directory Service plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

  Device Details
    Vendor:           Amazon
    Device Type:      Management Platform
    Connection Type:  Amazon CloudWatch

Integrating AWS Directory Service

According to AWS documentation, AWS Directory Service provides multiple ways to set up Amazon Cloud Directory, Amazon Cognito, and Microsoft Active Directory (AD) with other AWS services. You can forward directory logs to Amazon CloudWatch Logs and then set up a scheduler job in USM Anywhere to collect them.

Follow the instructions on the AWS website to enable log forwarding in AWS Directory Service.

Plugin Enablement

In USM Anywhere, you need to create a log collection job for CloudWatch and select the AWS Directory Service plugin. See Collecting Amazon CloudWatch Logs for details.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • authentication_mode
  • customfield_0
  • customheader_0
  • device_process_name
  • event_action
  • event_category
  • event_name
  • event_outcome
  • event_severity
  • event_subcategory
  • external_id
  • level
  • rep_device_hostname
  • rep_device_version
  • security_group_id
  • security_group_name
  • source_address
  • source_ntdomain
  • source_port
  • source_process_id
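
As an added illustration, not the plugin's own parser, the script below maps a constructed CloudWatch Logs event onto several of the field names listed above. The message layout is an assumption modelled on a Windows Security event as forwarded from AWS Managed Microsoft AD; the real plugin's parsing rules are not documented on this page.

```python
import re

# Constructed sample: one CloudWatch Logs event whose message resembles a
# Windows Security log entry forwarded from a managed domain controller.
# The event ID, account, addresses and stream name are all made up.
SAMPLE_EVENT = {
    "logStreamName": "dc-01",
    "timestamp": 1700000000000,
    "message": (
        "4625 Audit Failure An account failed to log on. "
        "Logon Type: 3 Account Name: jdoe Account Domain: CORP "
        "Source Network Address: 10.0.1.5 Source Port: 51234 "
        "Caller Process Name: - Workstation Name: WS01"
    ),
}

# Assumed mapping from message labels to the plugin field names on this page.
_FIELD_PATTERNS = {
    "authentication_mode": r"Logon Type:\s*(\d+)",
    "source_ntdomain": r"Account Domain:\s*(\S+)",
    "source_address": r"Source Network Address:\s*(\S+)",
    "source_port": r"Source Port:\s*(\d+)",
    "device_process_name": r"Caller Process Name:\s*(\S+)",
}


def normalize(event: dict) -> dict:
    """Turn a raw CloudWatch log event into a dict keyed by plugin field name."""
    msg = event["message"]
    head = re.match(r"(\d+)\s+Audit (Success|Failure)\s+(.*?\.)", msg)
    if head is None:
        raise ValueError("message does not look like a Windows security event")
    out = {
        "rep_device_hostname": event["logStreamName"],
        "external_id": head.group(1),                # Windows event ID
        "event_outcome": head.group(2).lower(),
        "event_name": head.group(3).rstrip("."),
        "event_category": "authentication",
        "level": "info" if head.group(2) == "Success" else "warning",
    }
    for field, pattern in _FIELD_PATTERNS.items():
        m = re.search(pattern, msg)
        if m and m.group(1) != "-":                  # "-" means not supplied
            out[field] = m.group(1)
    if "source_port" in out:
        out["source_port"] = int(out["source_port"])
    return out


if __name__ == "__main__":
    for key, value in sorted(normalize(SAMPLE_EVENT).items()):
        print(f"{key}: {value}")
```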

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_troubleshooting.html