☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Steps to Create an Alarm for a Log Anomaly Detector:
  • Tips and Recommendations:
  1. CloudWatch
  2. Amazon CloudWatch
  3. Anomaly Detection

Alarms for Anomaly Detections

Overview

CloudWatch allows you to create alarms on log anomaly detectors to monitor log groups for anomalies. These alarms trigger actions based on the number and priority of detected anomalies during a specified time.

Steps to Create an Alarm for a Log Anomaly Detector:

  1. Access the CloudWatch Console:

    • Go to https://console.aws.amazon.com/cloudwatch/.

    • Navigate to Logs > Log Anomalies.

  2. Select the Anomaly Detector:

    • Choose the radio button for the anomaly detector you want to monitor.

    • Click Create alarm.

  3. Configure Alarm Settings:

    • Priority Filters (Optional):

      • Use HIGH to trigger only on high-priority anomalies.

      • Use MEDIUM to trigger on high- and medium-priority anomalies.

    • Threshold Type:

      • Choose Static (a fixed value) or Anomaly detection (CloudWatch-calculated threshold).

  4. Set Alarm Conditions:

    • Define how the alarm triggers (e.g., greater than, lower than).

    • Set the period (time frame) for evaluating anomalies.

  5. Additional Configuration:

    • Datapoints to Alarm:

      • Specify how many consecutive periods must breach the threshold to trigger the alarm.

      • Create M out of N alarms by setting the first value (M) lower than the second (N).

    • Missing Data Treatment:

      • Configure how the alarm behaves when data points are missing.

  6. Set Notifications (Optional):

    • Add Amazon SNS notifications for ALARM, OK, or INSUFFICIENT_DATA states.

    • (Optional) Configure actions for Auto Scaling, EC2, or Systems Manager when the alarm triggers.

  7. Name and Describe the Alarm:

    • Enter a name and description (supports markdown for adding runbook links or internal resources).

  8. Review and Create the Alarm:

    • Confirm the alarm configuration and click Create alarm.

Tips and Recommendations:

  • Set the alarm to notify on INSUFFICIENT_DATA state to capture potential Lambda or data source issues.

  • Use Systems Manager actions only for alarms in the ALARM state.

PreviousCreate Anomaly DetectorNextCloudWatch Filter Syntax

Last updated 8 months ago