Real-Time Threat Monitoring settings

Location

Main Dashboard > Select {Account} > Settings > Real-time monitoring settings > Update real-time settings

The Real-Time Threat Monitoring (RTM) settings let you install or update what is live-monitored in Trend Micro Cloud One™ – Conformity. Once this stack has been created or modified, any event in the AWS account is registered on the RTM event dashboard. We provide both PowerShell and Bash scripts to set up the monitoring dashboard.

Contents

User Access

RTM for AWS

Set up Requirements

On Linux you can install through the installer script. The script downloads and installs the latest version of Conformity Threat Monitoring in your AWS account.

  • Ensure CloudTrail is enabled. For details, see: CloudTrail Enabled
  • Install the latest (or 2.0.53 and later) AWS Command Line Interface version 2. For details, see: Installing the AWS CLI
  • Export your Access Key and Secret Access Key. For details, see: Configuring the AWS CLI


    export AWS_ACCESS_KEY_ID=YOUR_AWS_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=YOUR_AWS_SECRET_ACCESS_KEY

The keys used must belong to a user with access to:

  1. AWS CloudFormation
  2. AWS IAM Role
  3. AWS Lambda Function
  4. AWS Events Rule
  5. AWS Lambda Permission

  • Alternatively, switch to an AWS profile that has these permissions:


    export AWS_PROFILE=your-account-profile

### Minimum AWS Permissions required to run the RTM Install script

The policy below is valid IAM JSON (straight quotes); attach it to the user or role whose keys run the install script.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CCRTM",
                "Effect": "Allow",
                "Action": [
                    "cloudformation:CreateStack",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:DescribeStacks",
                    "cloudformation:GetTemplate",
                    "cloudformation:UpdateStack",
                    "cloudformation:ValidateTemplate",
                    "events:DeleteRule",
                    "events:DescribeRule",
                    "events:PutRule",
                    "events:PutTargets",
                    "events:RemoveTargets"
                ],
                "Resource": "*"
            }
        ]
    }

### Setting up RTM for AWS

  1. To create or update Conformity Threat Monitoring for AWS, open a command prompt, copy the command line generated specifically for your account, and run it in your command-line interface.

    curl -L https://us-west-2.cloudconformity.com/v1/monitoring/event-bus-install.sh | bash -s

  2. After the installation finishes, open the CloudFormation console (https://console.aws.amazon.com/cloudformation) and verify that the status of the CloudConformityMonitoring stack is CREATE_COMPLETE (or UPDATE_COMPLETE when updating).
    The stack creation might take a while to complete.
  3. The stack creates a series of CloudWatch Event Rules that monitor changes within your AWS account and send them to Conformity for ingestion and processing. You can view updates in near real time on the Real-time monitoring dashboard of your Conformity account.

  • You can re-run the same command to update your stack to get the latest updates from Conformity.
  • To delete Conformity Threat Monitoring from your account, open a command prompt or shell and run the following command.

    curl -L https://s3-us-west-2.amazonaws.com/cloudconformity/monitoring/uninstall.sh | bash -s
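Steps 2 and 3 above are usually checked by eye in the console. The script below is an added example (not part of the Conformity documentation or its install script) that performs the same check from the JSON that `aws cloudformation describe-stacks --stack-name CloudConformityMonitoring` and `aws cloudformation describe-stack-resources --stack-name CloudConformityMonitoring` print: it confirms the stack is CREATE_COMPLETE or UPDATE_COMPLETE, lists the Events rules the stack created, and flags resources that are still in progress or failed. The sample CLI output embedded at the bottom is constructed, and the logical resource ids in it are placeholders, not the stack's real ids.

```python
import json

# Statuses the documentation names as a successful install or update.
HEALTHY_STATUSES = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}
STACK_NAME = "CloudConformityMonitoring"

def stack_status(describe_stacks_json):
    """StackStatus of CloudConformityMonitoring from `describe-stacks` output."""
    for stack in json.loads(describe_stacks_json).get("Stacks", []):
        if stack.get("StackName") == STACK_NAME:
            return stack.get("StackStatus", "UNKNOWN")
    return "NOT_FOUND"

def event_rules(describe_resources_json):
    """Logical ids of the Events rules the stack created (`describe-stack-resources`)."""
    return [r["LogicalResourceId"]
            for r in json.loads(describe_resources_json).get("StackResources", [])
            if r.get("ResourceType") == "AWS::Events::Rule"]

def incomplete_resources(describe_resources_json):
    """Resources not yet CREATE/UPDATE_COMPLETE: still in progress, failed, or rolled back."""
    return [r["LogicalResourceId"]
            for r in json.loads(describe_resources_json).get("StackResources", [])
            if r.get("ResourceStatus") not in HEALTHY_STATUSES]

def rtm_report(describe_stacks_json, describe_resources_json):
    """Summarise whether the RTM stack is in a state that forwards events to Conformity."""
    status = stack_status(describe_stacks_json)
    rules = event_rules(describe_resources_json)
    pending = incomplete_resources(describe_resources_json)
    return {"status": status, "event_rules": rules, "incomplete": pending,
            "ready": status in HEALTHY_STATUSES and bool(rules) and not pending}

# Constructed sample CLI output (not captured from a real account): the stack reports
# UPDATE_COMPLETE, one Events rule exists, and the Lambda forwarder is still creating.
SAMPLE_STACKS = json.dumps({"Stacks": [
    {"StackName": STACK_NAME, "StackStatus": "UPDATE_COMPLETE"}]})
SAMPLE_RESOURCES = json.dumps({"StackResources": [
    {"LogicalResourceId": "ConfigChangeRule", "ResourceType": "AWS::Events::Rule",
     "ResourceStatus": "CREATE_COMPLETE"},
    {"LogicalResourceId": "ForwarderRole", "ResourceType": "AWS::IAM::Role",
     "ResourceStatus": "CREATE_COMPLETE"},
    {"LogicalResourceId": "Forwarder", "ResourceType": "AWS::Lambda::Function",
     "ResourceStatus": "CREATE_IN_PROGRESS"}]})

if __name__ == "__main__":
    print(json.dumps(rtm_report(SAMPLE_STACKS, SAMPLE_RESOURCES), indent=2))
```

To check a real account, pass the two CLI outputs to `rtm_report` instead of the samples; a `ready` value of false while `incomplete` is non-empty means the stack is still converging, whereas a status outside CREATE_COMPLETE/UPDATE_COMPLETE means the install or update did not succeed.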

Set up RTM Event Monitoring Dashboard

You can set up the RTM event monitoring dashboard by using either:

  • the Bash script, or
  • the PowerShell script

RTM for Azure

Set up Requirements

  1. Install the Azure Command Line Interface: For details, see Install the Azure CLI
  2. Sign in with Azure CLI

The user should have the following permissions to run the deployment script:

  • Microsoft.Insights/ActivityLogAlerts/[Read, Write, Delete]
  • Microsoft.Insights/ActionGroups/[Read, Write, Delete]
  • Microsoft.Logic/workflows/[Read, Write, Delete]
  • Microsoft.Resources/subscriptions/resourceGroups/[Read, Write, Delete]
  • Microsoft.Resources/subscriptions/resourceGroups/deployments/[Read, Write, Delete]

Setting up RTM for Azure

  1. Select Event Source > Activity Logs
  2. Click the Generate deployment script button. Wait until the button background color becomes green.
    Note: The deployment script expires in 15 minutes. If you want to re-run the deployment, you will need to select the event source to regenerate the deployment script and go through the setup again.
  3. Open a command prompt or PowerShell. Copy the generated command line and run it in your command-line interface or PowerShell.
  4. Once the installation is complete:
    1. Open Resource groups (https://azure.microsoft.com/en-au/features/resource-manager/) and verify that the ‘CloudOneConformityMonitoring’ resource group has been created and contains ‘cloudone-conformity-monitoring-logic-app’.
    2. Open the Monitor service and select Alerts (https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-overview).
  5. Click Manage alert rules and verify that the following rules are Enabled. This is required for the Azure RTM events to appear on the Conformity RTM Dashboard:
    1. cloudone-conformity-monitoring-activity-log-alert-administrative
    2. cloudone-conformity-monitoring-activity-log-alert-autoscale
    3. cloudone-conformity-monitoring-activity-log-alert-policy
    4. Cloudone-conformity-monitoring-activity-log-alert-security

Once you have verified the rules, your RTM setup is confirmed.