
Monitoring Audit Trails and events in Yandex Cloud Monitoring


Description

This solution provides recommendations on how to monitor the health of Audit Trails and the security events it delivers, using Yandex Monitoring.

  • Audit Trails monitoring:

    • The status of the Trail object (Active or not Active).
    • Number of processed events (to spot bursts).
  • Monitoring of security events:

    • The list is presented below.

Audit Trails monitoring

  • Go to Audit Trails → Monitoring → Open in Monitoring.
  • Select the desired dashboard: Trails by status or Delivered events.
  • Click the ellipsis, select "Create alert".
  • Set up an alert with the threshold you need, following the documentation. For example, for the "Trails by status" dashboard, use the condition: status is not equal to 1 for 5 minutes (an active trail reports metric value 1 once per second).


Monitoring events from Audit Trails

  • Go to Audit Trails → Monitoring → Open in Monitoring → Metric Explorer.
  • Build a query for the desired metric from the list below, for example: `"trail.processed_events_count"{folderId="b1gh4nansv4ebqqmeu7b", service="audit-trails", event_type="yandex.cloud.audit.compute.CreateInstance"}`
  • Click the ellipsis → Create alert.
  • Set up an alert according to the documentation for your threshold, for example: greater than 0.
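The two alert rules above (trail status not equal to 1 for 5 minutes, and processed event count greater than 0) are configured in the Monitoring UI. The following Python script is an added example, not part of this repository, that builds the Metric Explorer query string shown above and evaluates both rules over constructed sample series so the threshold semantics are clear. The evaluation details (treating a second with no status sample as 0, choosing min or last aggregation, summing event counts over the window) are assumptions made for illustration, not Yandex Monitoring's documented behaviour.

```python
"""Added example: build Audit Trails metric queries and evaluate the two alert
rules from this README over constructed sample data (offline, no API calls)."""
from typing import Iterable, List, Tuple

Sample = Tuple[int, int]  # (unix timestamp in seconds, metric value)


def build_event_query(folder_id: str, event_type: str,
                      metric: str = "trail.processed_events_count") -> str:
    """Return a Metric Explorer query in the form used in this README."""
    return (f'"{metric}"{{folderId="{folder_id}", service="audit-trails", '
            f'event_type="{event_type}"}}')


def evaluate_trail_status(samples: Iterable[Sample], now: int,
                          window_seconds: int = 300,
                          aggregation: str = "min") -> str:
    """Mimic the rule "status is not equal to 1 for 5 minutes".

    An active trail reports 1 once per second. Assumption for this example:
    a second with no sample counts as 0 (no heartbeat), so a trail that
    simply stops reporting is caught as well as one that reports 0.
    """
    by_ts = dict(samples)
    values: List[int] = [by_ts.get(ts, 0)
                         for ts in range(now - window_seconds + 1, now + 1)]
    if aggregation == "min":
        value = min(values)      # strict: any non-1 second in the window fails
    elif aggregation == "last":
        value = values[-1]       # lenient: only the most recent second counts
    else:
        raise ValueError(f"unsupported aggregation: {aggregation}")
    return "ALARM" if value != 1 else "OK"


def evaluate_event_count(samples: Iterable[Sample], now: int,
                         window_seconds: int = 300, threshold: int = 0) -> str:
    """Mimic the rule "greater than 0" on trail.processed_events_count.

    Assumption: counts inside the window are summed before comparison.
    """
    total = sum(v for ts, v in samples if now - window_seconds < ts <= now)
    return "ALARM" if total > threshold else "OK"


# Constructed sample series (not real telemetry).
NOW = 600
HEALTHY_STATUS = [(ts, 1) for ts in range(0, NOW + 1)]
STOPPED_STATUS = [(ts, 1) for ts in range(0, 421)]  # stopped reporting at t=420
BLIP_STATUS = [(ts, 0 if ts == 500 else 1) for ts in range(0, NOW + 1)]
CREATE_INSTANCE_COUNTS = [(100, 0), (250, 0), (400, 2), (550, 1)]

if __name__ == "__main__":
    print(build_event_query("b1gh4nansv4ebqqmeu7b",
                            "yandex.cloud.audit.compute.CreateInstance"))
    print("healthy:", evaluate_trail_status(HEALTHY_STATUS, NOW))
    print("stopped:", evaluate_trail_status(STOPPED_STATUS, NOW))
    print("blip/min:", evaluate_trail_status(BLIP_STATUS, NOW))
    print("blip/last:", evaluate_trail_status(BLIP_STATUS, NOW, aggregation="last"))
    print("CreateInstance, last 5 min:",
          evaluate_event_count(CREATE_INSTANCE_COUNTS, NOW))
    print("CreateInstance, first 5 min:",
          evaluate_event_count(CREATE_INSTANCE_COUNTS, 300))
```

The "stopped" series is the case that matters most in practice: a trail that silently stops delivering events produces no samples at all, so the rule only catches it if missing samples are treated as "not alive" rather than ignored. The min/last comparison on the "blip" series shows why the aggregation function chosen in the alert matters as much as the threshold.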


List of metrics related to Information Security

  • UpdateSecurityGroup: Updating a security group.
  • UpdateSecretAccessBindings: Assigning rights for a Lockbox secret.
  • AddInstanceOneToOneNat: Adding a public IP address for a VM instance.
  • RemoveInstanceOneToOneNat: Removing a public IP address from a VM instance.
  • DeleteInstance: Deleting a VM instance.
  • instancegroup.DeleteInstanceGroup: Deleting an instance group.
  • CreateAccessKey: Creating an access key.
  • CreateApiKey: Creating an API key.
  • DeleteFederation: Deleting a federation.
  • UpdateServiceAccountAccessBindings: Updating access bindings.
  • DeleteSymmetricKey: Deleting a symmetric key.
  • ScheduleSymmetricKeyVersionDestruction: Scheduling destruction of the symmetric key version.
  • DeleteCloud: Deleting a cloud.
  • DeleteFolder: Deleting a folder.
  • BucketAclUpdate: Updating a bucket ACL.
  • BucketDelete: Deleting a bucket.
  • BucketPolicyUpdate: Editing bucket access policies.
  • CreateNetwork: Creating a cloud network.
  • DeleteNetwork: Deleting a cloud network.