About Monitoring Dashboard

The Monitoring Dashboard provides an in-depth record of all events in an AWS account. Each event is categorized by the time of the event, the event details, the identity of the user who performed it, and the account in which it occurred. You can also filter events by Trend Vision One™ – Cloud Posture events, AWS events, regions, and services. Use this dashboard to monitor unusual activity, such as changes to security groups, increased permission levels for users, or access to your AWS account from an unfamiliar country, and take remedial action where necessary.
When reviewing RTPM events, you may want to reconfigure a rule, resolve the failed check, or review the details to identify or reduce security vulnerabilities. Expanding an event gives you the following options:
  1. Event / Check details - information on the event or check and its associated resource types and services
  2. Configure rule - adjust the behavior of the rule to meet your organisation's needs
  3. Resolve - take remediation steps to reduce security vulnerabilities

Troubleshooting

False positives

Problem: The rule RTPM-005 (Users signed in to AWS from an approved country) returns a false positive.
Solution: One reason you may encounter this issue is that Cloud Posture Scan determines the user's sign-in location from their IP address rather than from their actual physical location.
For example, you have added Germany to the list of approved countries, but Cloud Posture Scan detects the user's sign-in location as Switzerland and returns a failure (false positive).
The discrepancy comes from the way Internet IP addresses are allocated: the block an ISP or VPN provider uses may be registered to a different country from the one the user is sitting in.
Follow these steps to diagnose and resolve this problem:
  1. Check the user's location based on their IP address using any of the following sites:
    1. https://tools.keycdn.com/geo
    2. https://www.ip2location.com/demo
    3. https://dnschecker.org/ip-location.php
  2. If the IP location matches what Cloud Posture Scan detected, the rule is working as expected. This can also happen when the user connects through a corporate VPN, which hides their actual sign-in IP address and location.
  3. If the IP location differs from the one detected by Cloud Posture Scan, contact Customer Success, who can investigate the issue further.
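The following is an added example, not Cloud Posture code, of why the rule behaves as described above: the approved-country decision is taken on the `sourceIPAddress` of a CloudTrail ConsoleLogin record, so a user physically in Germany whose traffic egresses from an IP block registered to Switzerland fails the check. The GeoIP table, the approved list, the user names and the IP addresses are all constructed for the example (the prefixes are documentation ranges, not real allocations); the `diagnose` helper reproduces the triage logic of steps 2 and 3 and is also an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed IP-to-country table standing in for a GeoIP database (a real rule
# would query a geolocation provider). Prefixes are RFC 5737 documentation
# ranges and the country labels are made up for this example.
GEO_TABLE = [
    ("203.0.113.0/24", "DE"),   # block registered to a German ISP
    ("198.51.100.0/24", "CH"),  # office/VPN egress block registered to Switzerland
    ("192.0.2.0/24", "US"),
]

# Approved-country list as an RTPM-005-style rule would be configured (constructed).
APPROVED_COUNTRIES = {"DE"}


def geolocate(ip: str) -> Optional[str]:
    """Return the country the (constructed) GeoIP table reports for an IP, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in GEO_TABLE:
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


@dataclass
class SignInCheck:
    user: str
    source_ip: str
    country: Optional[str]
    approved: bool


def evaluate_console_logins(events: List[dict],
                            approved=APPROVED_COUNTRIES) -> List[SignInCheck]:
    """Apply an approved-country check to successful CloudTrail ConsoleLogin events.

    Only sourceIPAddress is consulted, which is why a user physically in an
    approved country still fails when their traffic egresses from an IP block
    allocated elsewhere.
    """
    results = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed sign-ins are out of scope for this rule
        ip = ev["sourceIPAddress"]
        identity = ev.get("userIdentity", {})
        user = identity.get("userName") or identity.get("arn", "unknown")
        country = geolocate(ip)
        results.append(SignInCheck(user, ip, country, country in approved))
    return results


def diagnose(detected_country: Optional[str], lookup_country: Optional[str]) -> str:
    """Triage from the procedure above: compare the country the scan detected
    with an independent IP-location lookup (hypothetical helper)."""
    if detected_country == lookup_country:
        return "rule working as expected; check whether the user was on a corporate VPN"
    return "lookup disagrees with the scan; escalate to Customer Success"


# Constructed CloudTrail-style records. The field layout follows real
# ConsoleLogin events; names and addresses are invented.
SAMPLE_EVENTS = [
    {
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # bob sits in Germany, but his office egress IP is in a Swiss block
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # failed attempt: ignored by the rule
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "192.0.2.44",
        "userIdentity": {"type": "IAMUser", "userName": "carol"},
        "responseElements": {"ConsoleLogin": "Failure"},
    },
    {   # unrelated API call: not a sign-in
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
    },
]

if __name__ == "__main__":
    for check in evaluate_console_logins(SAMPLE_EVENTS):
        verdict = "PASS" if check.approved else "FAIL"
        print(f"{verdict} {check.user} {check.source_ip} -> {check.country}")
```

Running the block prints a PASS for alice and a FAIL for bob even though both are in Germany; `diagnose("CH", "CH")` is the step-2 outcome (the rule is correct, look for a VPN), while a mismatch between the scan's country and your own lookup is the step-3 outcome.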

Missing AWS Events

Problem: I have activated RTPM for my organization, but some AWS events are not being picked up by the activity bot.
Solution:
  1. Ensure that you have installed the eventBus so that RTPM can pick up events from every region.
  2. Check the list of RTPM-supported events below.
Any AWS event missing from the list below is not supported by RTPM. Such events are still covered by your scheduled Cloud Posture Scan run and are sent for Auto-Remediation after being picked up in that scan.
Event Type | Events
S3
  • CreateBucket
  • DeleteBucket
  • DeleteBucketCORS
  • DeleteBucketLifecycle
  • DeleteBucketPolicy
  • DeleteBucketReplication
  • DeleteBucketTagging
  • DeleteBucketWebsite
  • PutAccelerateConfiguration
  • PutAccountPublicAccessBlock
  • PutAnalyticsConfiguration
  • PutBucketAccelerateConfiguration
  • PutBucketAcl
  • PutBucketCORS
  • PutBucketEncryption
  • PutBucketLifecycle
  • PutBucketLifecycleConfiguration
  • PutBucketLogging
  • PutBucketNotification
  • PutBucketNotificationConfiguration
  • PutBucketPolicy
  • PutBucketPublicAccessBlock
  • PutBucketReplication
  • PutBucketRequestPayment
  • PutBucketTagging
  • PutBucketVersioning
  • PutBucketWebsite
  • PutEncryptionConfiguration
  • PutInventoryConfiguration
  • PutLifecycleConfiguration
  • PutMetricsConfiguration
  • PutReplicationConfiguration
EC2
  • AcceptVpcEndpointConnections
  • AcceptVpcPeeringConnection
  • AllocateAddress
  • ApplySecurityGroupsToClientVpnTargetNetwork
  • AssociateAddress
  • AssociateRouteTable
  • AssociateSubnetCidrBlock
  • AssociateTransitGatewayRouteTable
  • AssociateVpcCidrBlock
  • AttachInternetGateway
  • AttachNetworkInterface
  • AuthorizeSecurityGroupEgress
  • AuthorizeSecurityGroupIngress
  • CreateCustomerGateway
  • CreateEgressOnlyInternetGateway
  • CreateInternetGateway
  • CreateLocalGatewayRouteTableVpcAssociation
  • CreateNatGateway
  • CreateNetworkAcl
  • CreateNetworkAclEntry
  • CreateNetworkInterface
  • CreateNetworkInterfacePermission
  • CreateRoute
  • CreateRouteTable
  • CreateSecurityGroup
  • CreateTransitGatewayRouteTable
  • CreateVolume
  • CreateVpc
  • CreateVpcEndpoint
  • CreateVpcEndpointConnectionNotification
  • CreateVpcEndpointServiceConfiguration
  • CreateVpcPeeringConnection
  • DeleteCustomerGateway
  • DeleteEgressOnlyInternetGateway
  • DeleteInternetGateway
  • DeleteLocalGatewayRouteTableVpcAssociation
  • DeleteNatGateway
  • DeleteNetworkAcl
  • DeleteNetworkAclEntry
  • DeleteNetworkInterface
  • DeleteNetworkInterfacePermission
  • DeleteRoute
  • DeleteRouteTable
  • DeleteSecurityGroup
  • DeleteTransitGatewayRoute
  • DeleteTransitGatewayRouteTable
  • DeleteVolume
  • DeleteVpcEndpointConnectionNotification
  • DeleteVpcEndpointServiceConfiguration
  • DeleteVpcEndpoints
  • DeleteVpcPeeringConnection
  • DetachInternetGateway
  • DetachNetworkInterface
  • DisableTransitGatewayRouteTablePropagation
  • DisassociateAddress
  • DisassociateRouteTable
  • DisassociateSubnetCidrBlock
  • DisassociateTransitGatewayRouteTable
  • DisassociateVpcCidrBlock
  • EnableTransitGatewayRouteTablePropagation
  • EnableVgwRoutePropagation
  • ModifyInstanceAttribute
  • ModifyNetworkInterfaceAttribute
  • ModifyVpcAttribute
  • ModifyVpcEndpoint
  • ModifyVpcEndpointConnectionNotification
  • ModifyVpcEndpointServiceConfiguration
  • ModifyVpcEndpointServicePermission
  • ModifyVpcPeeringConnectionOptions
  • RebootInstances
  • RejectVpcEndpointConnections
  • RejectVpcPeeringConnection
  • ReleaseAddress
  • ReplaceNetworkAclAssociation
  • ReplaceNetworkAclEntry
  • ReplaceRouteTableAssociation
  • ReplaceTransitGatewayRoute
  • ResetNetworkInterfaceAttribute
  • RevokeSecurityGroupEgress
  • RevokeSecurityGroupIngress
  • RunInstances
  • StartInstances
  • StopInstances
  • TerminateInstances
Elasticloadbalancing
  • ConfigureHealthCheck
  • CreateLoadBalancer
  • DeleteLoadBalancer
  • EnableAvailabilityZonesForLoadBalancer
  • ModifyLoadBalancerAttributes
  • SetLoadBalancerListenerSSLCertificate
  • SetLoadBalancerPoliciesForBackendServer
  • SetLoadBalancerPoliciesOfListener
AutoScaling
  • CreateAutoScalingGroup
  • CreateLaunchConfiguration
  • DeleteAutoScalingGroup
  • DeleteLaunchConfiguration
  • PutNotificationConfiguration
  • ResumeProcesses
  • SuspendProcesses
  • UpdateAutoScalingGroup
CloudFormation
  • CreateStack
  • DeleteStack
  • UpdateStack
IAM
  • AddUserToGroup
  • AttachGroupPolicy
  • AttachRolePolicy
  • AttachUserPolicy
  • ChangePassword
  • CreateAccessKey
  • CreateAccountAlias
  • CreateGroup
  • CreateLoginProfile
  • CreateOpenIDConnectProvider
  • CreatePolicy
  • CreatePolicyVersion
  • CreateRole
  • CreateSAMLProvider
  • CreateServiceLinkedRole
  • CreateServiceSpecificCredential
  • CreateUser
  • CreateVirtualMFADevice
  • DeactivateMFADevice
  • DeleteAccessKey
  • DeleteAccountAlias
  • DeleteAccountPasswordPolicy
  • DeleteGroup
  • DeleteGroupPolicy
  • DeleteLoginProfile
  • DeleteOpenIDConnectProvider
  • DeletePolicy
  • DeletePolicyVersion
  • DeleteRole
  • DeleteRolePermissionsBoundary
  • DeleteRolePolicy
  • DeleteSAMLProvider
  • DeleteSSHPublicKey
  • DeleteServerCertificate
  • DeleteServiceLinkedRole
  • DeleteServiceSpecificCredential
  • DeleteSigningCertificate
  • DeleteUser
  • DeleteUserPermissionsBoundary
  • DeleteUserPolicy
  • DeleteVirtualMFADevice
  • DetachGroupPolicy
  • DetachRolePolicy
  • DetachUserPolicy
  • EnableMFADevice
  • PutGroupPolicy
  • PutRolePermissionsBoundary
  • PutRolePolicy
  • PutUserPermissionsBoundary
  • PutUserPolicy
  • RemoveClientIDFromOpenIDConnectProvider
  • RemoveUserFromGroup
  • ResetServiceSpecificCredential
  • SetDefaultPolicyVersion
  • UpdateAccessKey
  • UpdateAccountPasswordPolicy
  • UpdateAssumeRolePolicy
  • UpdateGroup
  • UpdateLoginProfile
  • UpdateOpenIDConnectProviderThumbprint
  • UpdateRole
  • UpdateRoleDescription
  • UpdateSAMLProvider
  • UpdateSSHPublicKey
  • UpdateServerCertificate
  • UpdateServiceSpecificCredential
  • UpdateSigningCertificate
  • UpdateUser
  • UploadSSHPublicKey
  • UploadServerCertificate
  • UploadSigningCertificate
Dynamodb
  • CreateTable
  • DeleteTable
  • TagResource
  • UntagResource
  • UpdateTable
RDS
  • CopyDBClusterSnapshot
  • CopyDBSnapshot
  • CreateDBCluster
  • CreateDBClusterSnapshot
  • CreateDBInstance
  • CreateDBSecurityGroup
  • CreateDBSnapshot
  • DeleteDBCluster
  • DeleteDBClusterSnapshot
  • DeleteDBInstance
  • DeleteDBSecurityGroup
  • DeleteDBSnapshot
  • ModifyDBCluster
  • ModifyDBInstance
  • RemoveTagsFromResource
  • RestoreDBClusterFromSnapshot
  • RestoreDBClusterToPointInTime
  • RestoreDBInstanceFromDBSnapshot
  • RestoreDBInstanceToPointInTime
Lambda
  • CreateFunction20150331
  • DeleteFunction20150331
  • EnableReplication20170630
  • PublishVersion20150331
Cloudfront
  • CreateInvalidation
Organizations
  • AcceptHandshake
  • AttachPolicy
  • CancelHandshake
  • CreateAccount
  • CreateOrganization
  • CreateOrganizationalUnit
  • CreatePolicy
  • DeclineHandshake
  • DeleteOrganization
  • DeleteOrganizationalUnit
  • DeletePolicy
  • DetachPolicy
  • DisableAWSServiceAccess
  • DisablePolicyType
  • EnableAWSServiceAccess
  • EnableAllFeatures
  • EnablePolicyType
  • InviteAccountToOrganization
  • LeaveOrganization
  • MoveAccount
  • RemoveAccountFromOrganization
  • UpdateOrganizationalUnit
  • UpdatePolicy
Config
  • DeleteAggregationAuthorization
  • DeleteConfigRule
  • DeleteConfigurationAggregator
  • DeleteConfigurationRecorder
  • DeleteDeliveryChannel
  • DeleteEvaluationResults
  • DeletePendingAggregationRequest
  • PutAggregationAuthorization
  • PutConfigRule
  • PutConfigurationAggregator
  • PutConfigurationRecorder
  • PutDeliveryChannel
  • StartConfigRulesEvaluation
  • StartConfigurationRecorder
  • StopConfigurationRecorder
GuardDuty
  • AcceptInvitation
  • ArchiveFindings
  • CreateDetector
  • CreateIPSet
  • CreateMembers
  • CreateSampleFindings
  • CreateThreatIntelSet
  • DeclineInvitations
  • DeleteDetector
  • DeleteIPSet
  • DeleteInvitations
  • DeleteMembers
  • DeleteThreatIntelSet
  • DisassociateFromMasterAccount
  • DisassociateMembers
  • InviteMembers
  • StartMonitoringMembers
  • StopMonitoringMembers
  • UnarchiveFindings
  • UpdateDetector
  • UpdateFindingsFeedback
  • UpdateIPSet
  • UpdateThreatIntelSet
CloudTrail
  • AddTags
  • CreateTrail
  • DeleteTrail
  • PutEventSelectors
  • RemoveTags
  • StartLogging
  • StopLogging
  • UpdateTrail
Route53domains
  • DeleteTagsForDomain
  • DisableDomainAutoRenew
  • DisableDomainTransferLock
  • EnableDomainAutoRenew
  • EnableDomainTransferLock
  • RegisterDomain
  • RenewDomain
  • ResendContactReachabilityEmail
  • TransferDomain
  • UpdateDomainContact
  • UpdateDomainContactPrivacy
  • UpdateDomainNameservers
  • UpdateTagsForDomain
KMS
  • CancelKeyDeletion
  • CreateAlias
  • CreateGrant
  • CreateKey
  • DeleteAlias
  • DeleteImportedKeyMaterial
  • DisableKey
  • DisableKeyRotation
  • EnableKey
  • EnableKeyRotation
  • GenerateRandom
  • ImportKeyMaterial
  • PutKeyPolicy
  • RetireGrant
  • RevokeGrant
  • ScheduleKeyDeletion
  • TagResource
  • UntagResource
  • UpdateAlias
  • UpdateKeyDescription
Route53
  • AssociateVPCWithHostedZone
  • ChangeResourceRecordSets
  • ChangeTagsForResource
  • CreateHealthCheck
  • CreateHostedZone
  • CreateQueryLoggingConfig
  • CreateReusableDelegationSet
  • CreateTrafficPolicy
  • CreateTrafficPolicyInstance
  • CreateTrafficPolicyVersion
  • CreateVPCAssociationAuthorization
  • DeleteHealthCheck
  • DeleteHostedZone
  • DeleteQueryLoggingConfig
  • DeleteReusableDelegationSet
  • DeleteTrafficPolicy
  • DeleteTrafficPolicyInstance
  • DeleteVPCAssociationAuthorization
  • DisassociateVPCFromHostedZone
  • UpdateHealthCheck
  • UpdateHostedZoneComment
  • UpdateTrafficPolicyComment
  • UpdateTrafficPolicyInstance
STS
  • AssumeRole
  • AssumeRoleWithSAML
  • AssumeRoleWithWebIdentity
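To plan detection coverage around the distinction made in "Missing AWS Events", it helps to know, for a batch of CloudTrail records, which ones RTPM raises in real time and which only surface on the scheduled Cloud Posture Scan. The following is an added example, not Cloud Posture code: it keys a subset of the table above by the CloudTrail `eventSource` prefix (CloudTrail records it in lower case, e.g. `iam.amazonaws.com`) and sorts records accordingly. The subset of services, the record shape and the sample records are assumptions of this example; extend `RTPM_EVENTS` with the remaining services from the table for real use.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Subset of the RTPM supported-event table above, keyed by the first label of
# the CloudTrail eventSource. Constructed for this example; the full table is
# the one listed on this page.
RTPM_EVENTS: Dict[str, Set[str]] = {
    "s3": {"CreateBucket", "DeleteBucket", "PutBucketPolicy",
           "PutBucketPublicAccessBlock", "PutBucketEncryption", "PutBucketVersioning"},
    "ec2": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
            "CreateSecurityGroup", "DeleteSecurityGroup", "RunInstances",
            "TerminateInstances"},
    "iam": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
            "DeactivateMFADevice", "UpdateAssumeRolePolicy"},
    # Lambda names carry the API version suffix exactly as CloudTrail records them
    "lambda": {"CreateFunction20150331", "DeleteFunction20150331",
               "PublishVersion20150331"},
    "cloudtrail": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "sts": {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"},
}


def service_key(event_source: str) -> str:
    """'iam.amazonaws.com' -> 'iam'; only the first DNS label identifies the service."""
    return event_source.split(".", 1)[0].lower()


def classify(record: dict) -> str:
    """'realtime' if RTPM handles this eventSource/eventName pair, else 'scheduled-scan'."""
    svc = service_key(record["eventSource"])
    if record["eventName"] in RTPM_EVENTS.get(svc, set()):
        return "realtime"
    return "scheduled-scan"


def coverage_report(records: List[dict]) -> Dict[str, List[str]]:
    """Group records by how they reach Cloud Posture, preserving input order."""
    report: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        label = f"{service_key(rec['eventSource'])}:{rec['eventName']}"
        report[classify(rec)].append(label)
    return dict(report)


# Constructed CloudTrail-style records (only the two fields the check needs).
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging"},
    {"eventSource": "secretsmanager.amazonaws.com", "eventName": "DeleteSecret"},
]

if __name__ == "__main__":
    for bucket, names in coverage_report(SAMPLE_RECORDS).items():
        print(bucket)
        for name in names:
            print("  ", name)
```

The `scheduled-scan` bucket is the one to review: in the sample, a Lambda configuration change and a Secrets Manager deletion are only seen by the next scheduled scan, so if either matters to you in near real time it needs an alert from another source.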