☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Key Elements of Metric Filters:
  • Important Considerations:
  • Creating and Managing Metric Filters:
  1. CloudWatch
  2. Amazon CloudWatch

CloudWatch Metrics

Overview

CloudWatch allows you to create metrics from log data by applying metric filters. These filters search for specific patterns in log events and convert matching events into numerical CloudWatch metrics, which can be graphed or monitored through alarms.

Key Elements of Metric Filters:

  1. Default Value:

    • Reports a value (e.g., 0) during periods when no matching logs are found.

    • Prevents gaps ("spotty" metrics) in the metric data.

  2. Dimensions:

    • Key-value pairs that further define the metric (e.g., Service:API).

    • Each unique dimension combination creates a new variation of the metric.

  3. Filter Pattern:

    • A pattern describing how CloudWatch should interpret the log data (e.g., matching "Error" or IP addresses).

    • This determines what log data should be converted into metrics.

  4. Metric Name & Namespace:

    • Metric Name: The name under which the metric will be published (e.g., ErrorCount).

    • Metric Namespace: The logical grouping for related metrics (e.g., AppMetrics).

  5. Metric Value:

    • The numerical value to report for each matching event (e.g., 1 for each occurrence of "Error" or byte count from log data).

Important Considerations:

  • No Retroactive Filtering:

    • Filters only apply to log events ingested after the filter is created.

    • Results include the first 50 lines but exclude entries with timestamps earlier than the metric creation time.

  • Log Classes:

    • Metric filters are available only for Standard log class log groups.

  • Percentile Statistics:

    • Only available for metrics with non-negative values.

    • Metrics reporting negative numbers will not support percentile-based statistics.

Creating and Managing Metric Filters:

  1. Create a Filter:

    • Define a filter pattern for the log data to monitor.

    • Specify the metric name, namespace, and dimensions.

  2. List or Delete Filters:

    • View active filters or delete them when no longer needed.

PreviousCloudWatch ConceptsNextFilter Pattern Syntax

Last updated 8 months ago