How AWS AppFabric and Dynatrace work together to enhance your SaaS application security observability

Software-as-a-service (SaaS) applications are designed to make employees more productive and collaborative. The increased adoption of these applications continues to rise, driving the need for additional security oversight. According to the Cloud Security Alliance (CSA) annual SaaS security survey report, the reality that similar on-premises attacks like data breaches, data leakage, ransomware, and malware occur across an organization’s software application environment is leading to over 70% of organizations increasing their investment in security tools for SaaS applications.

Overseeing security and monitoring audit logs across SaaS tools is complex, and it often requires building and maintaining dedicated integrations for each tool that can retrieve audit logs. Because each tool has a different log schema, it can be challenging to standardize querying and monitoring user activity across tools.

AWS AppFabric quickly connects SaaS applications across an organization for enhanced security and employee productivity. AppFabric fully manages the integrations with more than 25 applications so customers can enhance their security in just a few clicks – no coding or ongoing point-to-point integration management required. Once connected, AppFabric’s security features automatically normalize SaaS audit logs into the Open Cybersecurity Schema Framework (OCSF), which allows customers to use common queries for audit logs and track user activity across multiple SaaS applications.

OCSF is a collaborative, open-source effort co-founded by AWS that provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. By normalizing logs into the OCSF schema, users can apply a common set of queries, filters, and alerts over their security logs across applications.

AppFabric not only manages connections with productivity applications, but is also compatible with multiple application security solutions such as Dynatrace. In this blog, we’ll discuss how security analysts can use AppFabric and Dynatrace to enhance an organization’s security observability across their SaaS environment.

“Dynatrace is excited to announce our integration with AWS AppFabric for security, allowing Dynatrace customers to leverage the power of Grail^TM – our purpose-built data lakehouse for observability and security data, and Dynatrace Query Language (DQL) to monitor, analyze, and extract insights from their SaaS applications audit logs”, says Kacey R. Leckenby, Sr. Director Worldwide Alliance Sales at Dynatrace.

With the Dynatrace AWS S3 Log Forwarder, Dynatrace customers ingest and enrich logs from a wide variety of AWS services out-of-the-box, now also including AWS AppFabric OCSF-normalized SaaS logs. The Dynatrace log forwarder ingests and enriches logs  for easy discovery and querying in Dynatrace.

Getting started with AppFabric and Dynatrace

To connect your SaaS applications to AppFabric, follow the getting started documentation. When setting up the audit log ingestions, select Amazon S3 as the destination and OCSF-JSON on the Schema & Format configuration for the Dynatrace AWS S3 Log Forwarder to automatically recognize and enrich logs.

If you’re a Dynatrace customer, you can follow the instructions to deploy the Dynatrace AWS S3 Log Forwarder on your AWS Account. Note that AWS AppFabric is available in the US East (N. Virginia), Europe (Ireland), and Asia Pacific (Tokyo) regions, so the Amazon S3 buckets where the logs are delivered need to be created in the same region where AWS AppFabric is configured. If you normally use a different AWS region and want to deploy the Dynatrace AWS S3 Log Forwarder on it, instead of the region where you configure AppFabric, follow the instructions to configure cross-region log forwarding.

Analyzing AWS AppFabric logs with Dynatrace Notebooks and the Dynatrace Query Language (DQL)    

When Dynatrace ingests AWS AppFabric logs, it enriches log entries with a set of attributes that enable security analysts to easily query them for anomalous behavior. Dynatrace automatically detects and enriches all AWS AppFabric SaaS audit log entries with the following attributes:

-service: appfabric
-source: {saas_product_name}
-identity: {email_address_of_the_user_performing_the_action}
-action: {ocsf_normalized_action_category}

Dynatrace offers Notebooks, which enable organizations to create powerful, data-driven documents for custom analytics of logs, events, and metrics. Notebooks help users understand and perform an in-depth analysis of AppFabric logs using Dynatrace Query Language (DQL). In this section, we’ll show you how to analyze AWS AppFabric logs with Notebooks and DQL.

After connecting your SaaS applications to AppFabric and choosing Dynatrace as your destination, you can begin to analyze logs by adding a log explorer to a Dynatrace Notebook. From the Notebook, click  + and select Explore logs. Then, customize the filter key to aws.service and the value to appfabric as figure 1 shows.

Figure 1: Dynatrace Notebooks filtered to AWS AppFabric

With AppFabric now surfacing normalized logs in a Dynatrace Notebook, you can apply quantitative analysis to better understand the log data and events. Dynatrace Notebooks enable users to format the output in tables and graphs to visualize data at a glance. Click + and select Query Grail. Then type the following DQL query in your notebook:

fetch logs
| filter aws.service == "appfabric"
| summarize count(), by: {log.source}

You can click on Options to format the output as a Pie chart. In figure 2, a pie chart shows log events per SaaS application.

Figure 2: Dynatrace Notebook pie chart visualization of SaaS log events per applications

AWS AppFabric not only normalizes logs into the OCSF schema, but also normalizes user identifiers across applications by an e-mail address. Security analysts can easily trace specific user activity across each SaaS application to detect anomalous behavior, detect misconfigurations, or confirm employee access. This inquiry accelerates employees’ onboarding or offboarding for the tools they need for their job functions. Type the following DQL query to get an action count per user and action:

fetch logs
| filter aws.service == "appfabric"
| summarize count(), alias:event_count, by: {log.source,audit.action,audit.identity}

Figure 3 shows an example of user log activity.

Figure 3: Dynatrace dashboard view of user activity

Finally, because AppFabric normalizes SaaS audit log data into OCSF, more complex queries are accessible using DQL. For example, some SaaS applications include the user’s IP address and country on their audit logs. Using DQL schema-on-read capabilities, analysts can parse the raw log object on the content field and query the actions performed by application users, including the source IP address and origin country. Use the following DQL Query:

fetch logs
| filter aws.service == "appfabric"
| parse content, "JSON:contentjson"
| fields timestamp, audit.action, log.source, audit.identity, {contentjson[device][ip], alias:IP}, {contentjson[device][location][country],alias:Country}

Figure 4 shows an example of user activity with IP address and location.

Figure 4: Dynatrace Query Language (DQL) dashboard 

Set up alerts for suspicious user activity

AppFabric customers often ask for alerts if suspicious activity occurs across their SaaS applications. With AppFabric integration with Dynatrace Log management and analytics, customers can set up alerts based on the occurrence of specific log events.

As an example, the walkthrough below sets up an alert if Dynatrace detects administrative activity on Okta from an IP address that does not belong to the IP range (e.g. 1.2.0.0/16).

From Dynatrace, go to the Logs and events explorer and then turn on Advanced mode. Then type the DQL query below to fetch the Okta logs:

fetch logs
| filter aws.service == "appfabric" and log.source == "okta"

Figure 5: Dynatrace Logs and event explorer

Next, select a log record and click Create processing rule. Then configure the following details to add attributes to the Okta logs with the source IP range that the user IP belongs to once applied a /16 mask, and a Boolean indicating if the IP belongs to the company range 1.2.0.0/16.

Matcher (match any Okta logs coming from AppFabric):

matchesValue(aws.service,"appfabric") and matchesValue(log.source,"okta")

Processor definition:

PARSE(content, "JSON:contentjson")

| FIELDS_ADD( ip:IPADDR(contentjson[device][ip])) | FIELDS_ADD(cidr:IP_TRUNC(ip,16))
| FIELDS_ADD(is_corporate_ip:(EQUAL(cidr,IPADDR("1.2.0.0"))))
| FIELDS_REMOVE(contentjson)

Figure 6: Dynatrace dashboard to create processing rule

Click Test rule to test the rule, and see the ip, cidr and is_company_ip attributes added to the log entry.

Now configure Dynatrace to generate an alert when the is_corporate_ip attribute for an Okta log entry is false. Go to Settings -> Log Monitoring -> Events extraction and click Add log event. Fill in the log query and the details as per the screenshot below, then click Save.

Figure 7: Dynatrace dashboard to create an alert

You are all set! Now Dynatrace will send an alert if log entries for Okta come from an IP that doesn’t belong to your corporate IP range.

Enhance application security monitoring and alerting with AWS AppFabric and Dynatrace

In this blog, we discussed how AppFabric fully manages the integration with multiple SaaS applications and supports the integration with multiple security destinations including Dynatrace. Start analyzing your SaaS applications audit logs today! AWS AppFabric offers a 30-day free tier for two SaaS applications to help you trial this solution, and Dynatrace offers a 15-day free trial to get started.