Location: Main Dashboard > Select {Account} or {All Accounts} > Threat monitoring > Open monitoring dashboard
About Monitoring Dashboard
The Monitoring Dashboard provides an in-depth record of all events in an AWS account.
Each event is categorized by time of the event, event details, identity of the user
who performed the event, and the account on which the event occurred. You can also
filter events on the basis of Trend Micro Cloud One™ – Conformity
events, AWS events, regions, and services. Use this dashboard to monitor unusual
activity, such as changes to security groups, increased permission levels for users,
or access to your AWS account from an unfamiliar country, and take remedial
actions if necessary.

When reviewing RTM events, you may want to reconfigure a rule, resolve the failed
check, or review details to identify or reduce security vulnerabilities. On
expanding an event, you will be provided with the following options:
- Event / Check details - Information on events, checks, and their associated resource types and services
- Configure rule - Adjust the behavior of rules to meet your organisation's needs
- Resolve - Take remediation steps to reduce security vulnerabilities

Troubleshooting
False positives
Problem: The Rule RTM-005 - Users signed in to AWS from an
approved country returns a false positive.
Solution: One of the reasons you may encounter this issue is that
Conformity Bot identifies the user's sign-in location based on their IP address
rather than their actual physical location.
For example, you have added Germany to the list of approved countries, but the
Conformity Bot detects the user's sign-in location as Switzerland and returns a
failure (a false positive).
The discrepancy comes from the way Internet IP addresses are allocated.
Follow these steps to diagnose and resolve this problem:
- Check the user’s location based on their IP address by using any of the following sites:
- If the IP location matches what the Conformity Bot detected, then the rule is working as expected. This can also occur when connecting through a corporate VPN, which hides the user's actual sign-in IP address and location.
- If the IP location comes back as different from the one detected by Conformity Bot, please contact Customer Success who can investigate the issue further.
Missing AWS Events
Problem:
I have activated RTM for my organization, but some AWS events are not being
picked up by the activity bot.
Solution:
- Ensure that you have installed the eventBus so that RTM can pick up events from every region.
- Check the list of RTM-supported events below.
Any AWS event missing from the list below is not supported by RTM. It is instead monitored
with your scheduled Conformity Bot run and will be sent for Auto-Remediation after being picked up in the scan.
S3
- CreateBucket
- DeleteBucket
- DeleteBucketCORS
- DeleteBucketLifecycle
- DeleteBucketPolicy
- DeleteBucketReplication
- DeleteBucketTagging
- DeleteBucketWebsite
- PutAccelerateConfiguration
- PutAccountPublicAccessBlock
- PutAnalyticsConfiguration
- PutBucketAccelerateConfiguration
- PutBucketAcl
- PutBucketCORS
- PutBucketEncryption
- PutBucketLifecycle
- PutBucketLifecycleConfiguration
- PutBucketLogging
- PutBucketNotification
- PutBucketNotificationConfiguration
- PutBucketPolicy
- PutBucketPublicAccessBlock
- PutBucketReplication
- PutBucketRequestPayment
- PutBucketTagging
- PutBucketVersioning
- PutBucketWebsite
- PutEncryptionConfiguration
- PutInventoryConfiguration
- PutLifecycleConfiguration
- PutMetricsConfiguration
- PutReplicationConfiguration
EC2
- AcceptVpcEndpointConnections
- AcceptVpcPeeringConnection
- AllocateAddress
- ApplySecurityGroupsToClientVpnTargetNetwork
- AssociateAddress
- AssociateRouteTable
- AssociateSubnetCidrBlock
- AssociateTransitGatewayRouteTable
- AssociateVpcCidrBlock
- AttachInternetGateway
- AttachNetworkInterface
- AuthorizeSecurityGroupEgress
- AuthorizeSecurityGroupIngress
- CreateCustomerGateway
- CreateEgressOnlyInternetGateway
- CreateInternetGateway
- CreateLocalGatewayRouteTableVpcAssociation
- CreateNatGateway
- CreateNetworkAcl
- CreateNetworkAclEntry
- CreateNetworkInterface
- CreateNetworkInterfacePermission
- CreateRoute
- CreateRouteTable
- CreateSecurityGroup
- CreateTransitGatewayRouteTable
- CreateVolume
- CreateVpc
- CreateVpcEndpoint
- CreateVpcEndpointConnectionNotification
- CreateVpcEndpointServiceConfiguration
- CreateVpcPeeringConnection
- DeleteCustomerGateway
- DeleteEgressOnlyInternetGateway
- DeleteInternetGateway
- DeleteLocalGatewayRouteTableVpcAssociation
- DeleteNatGateway
- DeleteNetworkAcl
- DeleteNetworkAclEntry
- DeleteNetworkInterface
- DeleteNetworkInterfacePermission
- DeleteRoute
- DeleteRouteTable
- DeleteSecurityGroup
- DeleteTransitGatewayRoute
- DeleteTransitGatewayRouteTable
- DeleteVolume
- DeleteVpcEndpointConnectionNotification
- DeleteVpcEndpointServiceConfiguration
- DeleteVpcEndpoints
- DeleteVpcPeeringConnection
- DetachInternetGateway
- DetachNetworkInterface
- DisableTransitGatewayRouteTablePropagation
- DisassociateAddress
- DisassociateRouteTable
- DisassociateSubnetCidrBlock
- DisassociateTransitGatewayRouteTable
- DisassociateVpcCidrBlock
- EnableTransitGatewayRouteTablePropagation
- EnableVgwRoutePropagation
- ModifyInstanceAttribute
- ModifyNetworkInterfaceAttribute
- ModifyVpcAttribute
- ModifyVpcEndpoint
- ModifyVpcEndpointConnectionNotification
- ModifyVpcEndpointServiceConfiguration
- ModifyVpcEndpointServicePermission
- ModifyVpcPeeringConnectionOptions
- RebootInstances
- RejectVpcEndpointConnections
- RejectVpcPeeringConnection
- ReleaseAddress
- ReplaceNetworkAclAssociation
- ReplaceNetworkAclEntry
- ReplaceRouteTableAssociation
- ReplaceTransitGatewayRoute
- ResetNetworkInterfaceAttribute
- RevokeSecurityGroupEgress
- RevokeSecurityGroupIngress
- RunInstances
- StartInstances
- StopInstances
- TerminateInstances
Elasticloadbalancing
- ConfigureHealthCheck
- CreateLoadBalancer
- DeleteLoadBalancer
- EnableAvailabilityZonesForLoadBalancer
- ModifyLoadBalancerAttributes
- SetLoadBalancerListenerSSLCertificate
- SetLoadBalancerPoliciesForBackendServer
- SetLoadBalancerPoliciesOfListener
AutoScaling
- CreateAutoScalingGroup
- CreateLaunchConfiguration
- DeleteAutoScalingGroup
- DeleteLaunchConfiguration
- PutNotificationConfiguration
- ResumeProcesses
- SuspendProcesses
- UpdateAutoScalingGroup
CloudFormation
- CreateStack
- DeleteStack
- UpdateStack
IAM
- AddUserToGroup
- AttachGroupPolicy
- AttachRolePolicy
- AttachUserPolicy
- ChangePassword
- CreateAccessKey
- CreateAccountAlias
- CreateGroup
- CreateLoginProfile
- CreateOpenIDConnectProvider
- CreatePolicy
- CreatePolicyVersion
- CreateRole
- CreateSAMLProvider
- CreateServiceLinkedRole
- CreateServiceSpecificCredential
- CreateUser
- CreateVirtualMFADevice
- DeactivateMFADevice
- DeleteAccessKey
- DeleteAccountAlias
- DeleteAccountPasswordPolicy
- DeleteGroup
- DeleteGroupPolicy
- DeleteLoginProfile
- DeleteOpenIDConnectProvider
- DeletePolicy
- DeletePolicyVersion
- DeleteRole
- DeleteRolePermissionsBoundary
- DeleteRolePolicy
- DeleteSAMLProvider
- DeleteSSHPublicKey
- DeleteServerCertificate
- DeleteServiceLinkedRole
- DeleteServiceSpecificCredential
- DeleteSigningCertificate
- DeleteUser
- DeleteUserPermissionsBoundary
- DeleteUserPolicy
- DeleteVirtualMFADevice
- DetachGroupPolicy
- DetachRolePolicy
- DetachUserPolicy
- EnableMFADevice
- PutGroupPolicy
- PutRolePermissionsBoundary
- PutRolePolicy
- PutUserPermissionsBoundary
- PutUserPolicy
- RemoveClientIDFromOpenIDConnectProvider
- RemoveUserFromGroup
- ResetServiceSpecificCredential
- SetDefaultPolicyVersion
- UpdateAccessKey
- UpdateAccountPasswordPolicy
- UpdateAssumeRolePolicy
- UpdateGroup
- UpdateLoginProfile
- UpdateOpenIDConnectProviderThumbprint
- UpdateRole
- UpdateRoleDescription
- UpdateSAMLProvider
- UpdateSSHPublicKey
- UpdateServerCertificate
- UpdateServiceSpecificCredential
- UpdateSigningCertificate
- UpdateUser
- UploadSSHPublicKey
- UploadServerCertificate
- UploadSigningCertificate
Dynamodb
- CreateTable
- DeleteTable
- TagResource
- UntagResource
- UpdateTable
RDS
- CopyDBClusterSnapshot
- CopyDBSnapshot
- CreateDBCluster
- CreateDBClusterSnapshot
- CreateDBInstance
- CreateDBSecurityGroup
- CreateDBSnapshot
- DeleteDBCluster
- DeleteDBClusterSnapshot
- DeleteDBInstance
- DeleteDBSecurityGroup
- DeleteDBSnapshot
- ModifyDBCluster
- ModifyDBInstance
- RemoveTagsFromResource
- RestoreDBClusterFromSnapshot
- RestoreDBClusterToPointInTime
- RestoreDBInstanceFromDBSnapshot
- RestoreDBInstanceToPointInTime
Lambda
- CreateFunction20150331
- DeleteFunction20150331
- EnableReplication20170630
- PublishVersion20150331
Cloudfront
- CreateInvalidation
Organizations
- AcceptHandshake
- AttachPolicy
- CancelHandshake
- CreateAccount
- CreateOrganization
- CreateOrganizationalUnit
- CreatePolicy
- DeclineHandshake
- DeleteOrganization
- DeleteOrganizationalUnit
- DeletePolicy
- DetachPolicy
- DisableAWSServiceAccess
- DisablePolicyType
- EnableAWSServiceAccess
- EnableAllFeatures
- EnablePolicyType
- InviteAccountToOrganization
- LeaveOrganization
- MoveAccount
- RemoveAccountFromOrganization
- UpdateOrganizationalUnit
- UpdatePolicy
Config
- DeleteAggregationAuthorization
- DeleteConfigRule
- DeleteConfigurationAggregator
- DeleteConfigurationRecorder
- DeleteDeliveryChannel
- DeleteEvaluationResults
- DeletePendingAggregationRequest
- PutAggregationAuthorization
- PutConfigRule
- PutConfigurationAggregator
- PutConfigurationRecorder
- PutDeliveryChannel
- StartConfigRulesEvaluation
- StartConfigurationRecorder
- StopConfigurationRecorder
GuardDuty
- AcceptInvitation
- ArchiveFindings
- CreateDetector
- CreateIPSet
- CreateMembers
- CreateSampleFindings
- CreateThreatIntelSet
- DeclineInvitations
- DeleteDetector
- DeleteIPSet
- DeleteInvitations
- DeleteMembers
- DeleteThreatIntelSet
- DisassociateFromMasterAccount
- DisassociateMembers
- InviteMembers
- StartMonitoringMembers
- StopMonitoringMembers
- UnarchiveFindings
- UpdateDetector
- UpdateFindingsFeedback
- UpdateIPSet
- UpdateThreatIntelSet
CloudTrail
- AddTags
- CreateTrail
- DeleteTrail
- PutEventSelectors
- RemoveTags
- StartLogging
- StopLogging
- UpdateTrail
Route53domains
- DeleteTagsForDomain
- DisableDomainAutoRenew
- DisableDomainTransferLock
- EnableDomainAutoRenew
- EnableDomainTransferLock
- RegisterDomain
- RenewDomain
- ResendContactReachabilityEmail
- TransferDomain
- UpdateDomainContact
- UpdateDomainContactPrivacy
- UpdateDomainNameservers
- UpdateTagsForDomain
KMS
- CancelKeyDeletion
- CreateAlias
- CreateGrant
- CreateKey
- DeleteAlias
- DeleteImportedKeyMaterial
- DisableKey
- DisableKeyRotation
- EnableKey
- EnableKeyRotation
- GenerateRandom
- ImportKeyMaterial
- PutKeyPolicy
- RetireGrant
- RevokeGrant
- ScheduleKeyDeletion
- TagResource
- UntagResource
- UpdateAlias
- UpdateKeyDescription
Route53
- AssociateVPCWithHostedZone
- ChangeResourceRecordSets
- ChangeTagsForResource
- CreateHealthCheck
- CreateHostedZone
- CreateQueryLoggingConfig
- CreateReusableDelegationSet
- CreateTrafficPolicy
- CreateTrafficPolicyInstance
- CreateTrafficPolicyVersion
- CreateVPCAssociationAuthorization
- DeleteHealthCheck
- DeleteHostedZone
- DeleteQueryLoggingConfig
- DeleteReusableDelegationSet
- DeleteTrafficPolicy
- DeleteTrafficPolicyInstance
- DeleteVPCAssociationAuthorization
- DisassociateVPCFromHostedZone
- UpdateHealthCheck
- UpdateHostedZoneComment
- UpdateTrafficPolicyComment
- UpdateTrafficPolicyInstance
STS
- AssumeRole
- AssumeRoleWithSAML
- AssumeRoleWithWebIdentity
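
The check described under "Missing AWS Events" can be scripted against CloudTrail records to see which changes RTM reports in real time and which wait for the scheduled Conformity Bot run. The Python below is an added example, not Conformity's own code: it embeds only an excerpt of the list above, the sample records are constructed, and it assumes each service heading corresponds to the prefix of the CloudTrail `eventSource` field.

```python
import json
import re

# Excerpt of the supported-event list on this page (not the full list),
# keyed by lower-cased service heading.
RTM_SUPPORTED = {
    "s3": {"PutBucketPolicy", "PutBucketPublicAccessBlock", "DeleteBucketPolicy"},
    "ec2": {"AuthorizeSecurityGroupIngress", "RunInstances"},
    "iam": {"CreateAccessKey", "AttachUserPolicy"},
    "lambda": {"CreateFunction20150331", "DeleteFunction20150331",
               "EnableReplication20170630", "PublishVersion20150331"},
    "cloudtrail": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

def service_of(record):
    # Assumption: service headings match the CloudTrail eventSource prefix,
    # e.g. "s3.amazonaws.com" -> "s3".
    return record["eventSource"].split(".", 1)[0].lower()

def api_action(event_name):
    # Lambda event names carry an API-version suffix (as in the list above).
    # Strip it for display only; matching uses the raw eventName.
    return re.sub(r"\d{8}(v\d+)?$", "", event_name)

def coverage(record):
    """Return 'real-time' if the event is in the RTM list, else 'scheduled-scan'."""
    events = RTM_SUPPORTED.get(service_of(record), set())
    return "real-time" if record["eventName"] in events else "scheduled-scan"

def triage(records):
    """Group 'service:Action' strings by how Conformity will see the event."""
    out = {"real-time": [], "scheduled-scan": []}
    for r in records:
        out[coverage(r)].append(f"{service_of(r)}:{api_action(r['eventName'])}")
    return out

# Constructed sample records (only the two fields the check needs).
SAMPLE = json.loads("""[
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
 {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
 {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2"},
 {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
 {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot"}
]""")

if __name__ == "__main__":
    for kind, names in triage(SAMPLE).items():
        print(kind, names)
```

Events that land in the scheduled-scan group are not missing; per the note above, they are evaluated at the next Conformity Bot run rather than in real time.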