Enable AWS Organisations integration to link root account with Cortex XSIAM #7897
Comments
I will be on annual leave for two weeks starting from next week and will return on September 30th. During my absence, @YasJustice/ yaasseen.aumeer@justice.gov.uk from the MIP team will be available for any assistance or inquiries related to these tickets.
Documentation has been reviewed. The guide says:
I raised Add Cortex XSOAR Integration User ministryofjustice/aws-root-account#993 to create a user with read/list only permissions to the organizations account. I am reaching out to yaasseen.aumeer@justice.gov.uk to discuss exchanging some access keys and creating the integration in the Cortex XSOAR app.
Having created a user with relevant permissions in the We set up the integration over a Teams call and Yaasseen tested it by querying the org. He was able to retrieve a list of all the AWS accounts in the organisation and their respective tags etc. directly in the XSIAM app 👍 I'll raise a follow-on ticket for looking at how we approach the long-term management of identities shared with the XSIAM app going forward.
Follow-on issue raised to look at long-term management of credentials https://github.com/ministryofjustice/modernisation-platform-security/issues/24
Reviewed – All criteria in the definition of done have been met, and the user has confirmed that everything works as intended. I have verified that their access keys were used today and that they have been assigned read-only permissions to AWS Org so I'm happy to close this.
User Story
As a SOC engineer
I want to enrich the information in security alerts in Cortex XSIAM
So that I have more detailed information e.g. can identify which application/owner is affected
Value / Purpose
Following some engagement with the SOC in #7605 it was decided that we should explore using the AWS Organisations Integration to link the root account (MOJ Master) with Cortex XSIAM as the SOC feel this would better enrich the info in the alerts they are getting for AWS accounts.
Useful Contacts
@ashwinmoj @richgreen-moj @davidkelliott
Additional Information
AWS Orgs Integration docs: https://xsoar.pan.dev/docs/reference/integrations/aws---organizations
For instructions on setting up integrations, see AWS Integrations - Authentication
We should consider the impact of integrating with XSIAM, and do so if appropriate.
Careful consideration should be given to the permissions provided (i.e. limit to read-only "list" type actions).
For more context, contact Ashwin John (ashwinmoj).
This will also require input from the root account team #aws-root-account in Slack.
Definition of Done
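The issue asks that the integration user be limited to read-only "list" type actions. The following is an added example, not code from this issue or the linked pull request: a check that an IAM policy document grants nothing beyond that. It assumes read-only means Organizations `List*` and `Describe*` actions; the function name and both sample policies are constructed for illustration.

```python
import json

# Assumption: only Organizations List*/Describe* actions count as read-only.
READ_ONLY_PREFIXES = ("organizations:list", "organizations:describe")


def _as_list(value):
    """IAM allows a single string/object or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excess_grants(policy):
    """Return the Allow grants that go beyond read-only Organizations access."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append("NotAction")
        for action in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive. A wildcard is only safe
            # after a full read-only prefix: "organizations:L*" would also
            # match LeaveOrganization.
            if not action.lower().startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings


# Constructed sample policies (hypothetical, for illustration only).
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Resource": "*",
                "Action": ["organizations:List*", "organizations:DescribeAccount"]}
}""")
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "organizations:L*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["organizations:listAccounts", "iam:CreateAccessKey"]},
    {"Effect": "Deny", "Action": "organizations:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("good policy findings: ", excess_grants(GOOD_POLICY))
    print("broad policy findings:", excess_grants(BROAD_POLICY))
```

An empty result means every allowed action falls under the read-only prefixes; the check does not evaluate `Resource` or `Condition` elements.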