Analyzing audit logs from cross applications using AWS AppFabric

The adoption of software-as-a-service (SaaS) applications has increased in many organizations, as these solutions increase efficiency and employee productivity. However, security teams struggle to effectively audit and monitor SaaS applications used across their company due to time constraints and the absence of a centralized way to view audit log data from multiple applications. AWS AppFabric helps solve this problem by quickly connecting SaaS applications across an organization. AppFabric aggregates and normalizes log data from applications like Asana, Slack, and Zoom, and productivity suites like Microsoft 365 and Google Workspace, to increase application observability and reduce operational costs associated with building and maintaining point-to-point integrations.

Using AWS AppFabric with a security information and event management (SIEM) tool allows teams to observe SaaS usage for license optimization and security data to detect unusual activities across applications, as well as perform ad hoc searches for incident detection and response. Since AppFabric normalizes log data into the Open Cybersecurity Schema Framework (OCSF), teams can use OCSF data with tools like Amazon OpenSearch and Amazon QuickSight to create SIEM dashboards with alerts.

In this blog, I will walk through how to deploy a cross-application audit log data analysis solution using Amazon Athena, Amazon OpenSearch, or Amazon QuickSight. As a result of this walkthrough, you will get a SIEM dashboard with data and visualizations that you can use for threat detection and incident response.

Solution architecture

While customers can normalize and enrich SaaS audit log data from AppFabric, many need to preserve logs for post incident analysis and others need to use the logs to track SaaS subscription and license usage. Still, others want to analyze user activity to discover patterns. This solution creates a data pipeline and builds customizable dashboards. It consists of three AWS Cloud Development Kit (AWS CDK) stacks that allows developers to choose to analyze data in Amazon Athena, Amazon QuickSight, or Amazon OpenSearch. The diagram in Figure 1 shows the architecture of the solution.

Figure 1. Overall solution architecture

This solution includes three stacks. A stack is a collection of AWS resources that you manage as a single unit. The base stack, identified by “stack = base” in in Figure 1, is required and includes the resources necessary to catalog the AppFabric data for use with Athena and QuickSight. The QuickSight stack, identified in the diagram above by “stack = quicksight”, is an optional set of resources that deploys an observability dashboard in an existing QuickSight subscription. The OpenSearch stack, identified in the figure above by “stack = opensearch”, is an optional set of resources that deploys an Amazon OpenSearch Serverless collection with an observability dashboard.

How the base stack works

An AWS Glue crawler reads directly from the Amazon Simple Storage Service (Amazon S3) bucket connected to AppFabric. Using Amazon S3 event notifications, each time a new object is written to Amazon S3, Amazon S3 sends an event to an Amazon Simple Queue Service (Amazon SQS) queue. The Glue crawler takes files from the Amazon SQS queue and partitions the data based on application, globally unique identifier (GUID), and date to optimize Amazon Athena queries.

How the QuickSight stack works

The QuickSight stack requires an existing QuickSight subscription. The stack includes a QuickSight dashboard, dataset, and data source that retrieves and displays data using the Glue Data Catalog resources deployed with the base stack. QuickSight uses Athena queries to display data on the dashboard such as monthly traffic ratio by SaaS application, SaaS application activity trends, and geographic locations of events.

How the OpenSearch stack works

The OpenSearch stack uses an Amazon Data Firehose to feed AppFabric data to an Amazon OpenSearch Serverless collection with a dashboard based on a prepared template. The stack includes an AWS Lambda function that creates the dashboard and an AppFabric index in the OpenSearch collection. The dashboard displays information such as the total number of failed logins across SaaS applications, the number of privileged users added and removed, and SaaS application activity volume. You must configure the Data Firehose in this stack as an ingestion destination in AppFabric to begin seeing data on the dashboard.

Prerequisites

The solution is built with AWS CDK, allowing developers to deploy the solution with just a few commands. Other solution prerequisites are listed in the GitHub AWS samples repository.

Note, if you are launching the OpenSearch solution, you must install Docker on your client machine, which is used for packaging Python libraries to deploy a Lambda function.

Launch the solution

To launch the solution into your AWS environment, download the AppFabric Data Analytics project from the AWS samples repository and follow the steps written in the README section to deploy the solution that meets your needs. The project contains instructions for deploying the base solution with AWS Glue and Amazon Athena, deploying the QuickSight solution, and deploying OpenSearch solution.

This solution works with all of the supported SaaS applications listed on the Supported applications page of the AWS AppFabric Administration Guide. If you would prefer to test the data analytics solution with sample data, you can use the AppFabric Sample Log Generator solution to generate sample audit logs from multiple SaaS applications.

Use the solution

With the base stack deployed, you can query audit logs data from AppFabric using Amazon Athena. The figure below shows an example Athena query that returns a list of events detailing failed actions, such as login failures, user permission change failures, and file download failures, for a specific user. In this example you can see multiple login failures for one user occurring from different locations in a short span of time. This could be an impossible travel scenario, where one user has activity in multiple countries and the time between events would not permit the user to travel between those countries by conventional means, that needs further investigation.

Figure 2. Amazon Athena query results with ‘Failure’ status

With the QuickSight stack you are able to get an overall picture of the usage of SaaS applications. QuickSight has threshold alerts that you can configure in the dashboard to get an email when certain thresholds are breached. For example, you can set an alert for failed login attempts exceeding a certain number or when the number of file export events exceeds a desired threshold within a short period of time. With Amazon Q in QuickSight, you can use generative artificial intelligence (AI) to create actionable insights from your AppFabric data.

The data presented on QuickSight depends on how often the AWS Glue Crawler runs to retrieve the new data from Amazon S3. In this solution, the AWS Glue Crawler runs once per day. Because of this architecture behavior, this Amazon QuickSight solution is best suited for business intelligence and data visualization needs.

Figure 3. Amazon QuickSight sample dashboard

With the OpenSearch stack you can analyze overall audit activities from different SaaS applications in a single dashboard. The data arrives to the OpenSearch stack in near real-time from AppFabric, making it ideal for near real-time search and analytics use cases. OpenSearch includes a powerful query engine, allowing you to perform detailed incident analysis and threat detection campaigns.

Figure 4. Amazon OpenSearch sample dashboard

Conclusion

In this blog we explained how to deploy a SaaS application data analysis solution using AWS AppFabric and Amazon Athena, Amazon QuickSight, or Amazon OpenSearch. This solution provides an easy to use option for organizations seeking to enhance their SaaS application monitoring and threat detection capabilities. AppFabric aggregates and normalizes audit log data from multiple SaaS applications and helps teams streamline the process of identifying and responding to security incidents. The flexible architecture of the solution, coupled with the capabilities of Athena, OpenSearch, and QuickSight, empowers organizations to gain actionable insights and strengthen their security posture in the ever-evolving landscape of cloud-based services. To get started, visit the AWS AppFabric console to setup an app bundle, connect a supported SaaS application, and configure an ingestion destination.