FAQs to setup UEBA for AWS

The following topic covers frequently asked questions and common scenarios when setting up the CloudTrail feature for AWS.

Setting up or modifying an AWS Instance with CloudTrail and Data Protection enabled

The following sections cover various scenarios for setting up or modifying an AWS instance that has CloudTrail enabled together with DLP Scan and/or Threat Protection (Malware Scan).

Onboarding a new AWS instance with CloudTrail and Data Protection enabled

When you onboard a new AWS instance with both CloudTrail and DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.

The following table covers different onboarding scenarios and lists the additional steps required to set up CloudTrail and DLP Scan and/or Threat Protection (Malware Scan) on a new AWS instance. Perform these steps after you have set up UEBA for AWS.

New instance setup:
  • Logging enabled for all buckets
  • Scanning enabled for all buckets
What to do after setup:
  Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for all buckets.

New instance setup:
  • Logging enabled for all buckets
  • Scanning enabled for specific buckets
What to do after setup:
  1. Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for all buckets.
  2. Create API Data Protection DLP and Threat Protection policies for buckets that have scanning enabled.

New instance setup:
  • Logging enabled for specific buckets
  • Scanning enabled for specific buckets
What to do after setup:
  In this scenario, there are no buckets in common between the CloudTrail and Data Protection features.
  1. Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for specific buckets.
  2. Create a new trail for the Data Protection features and enable Data Events for buckets that have scanning enabled.
  3. Modify API Data Protection DLP and Threat Protection policies so that you do not receive notifications from buckets that are not enabled for scanning.

Editing an existing AWS instance to enable CloudTrail

When you onboard an AWS instance with DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates a stack called NetskopeStack. After the instance is created, you must create a new cloud trail in all the regions of the AWS account.

Later, when you want to edit this instance to enable the CloudTrail feature, the new CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.

The following table covers different editing scenarios and lists the additional steps required to edit instances that have CloudTrail and DLP Scan and/or Threat Protection (Malware Scan) enabled.

Existing instance: Scanning enabled for all buckets
Edit scenario: To enable logging for all buckets
What to do:
  1. Edit the trail you created for the Data Protection features and disable Data Events for all buckets.
  2. Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for all buckets.

Existing instance: Scanning enabled for specific buckets
Edit scenario: To enable logging for all buckets
What to do:
  1. Edit the trail you created for the Data Protection features and disable Data Events for all buckets.
  2. Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for all buckets.
  3. Modify API Data Protection DLP and Threat Protection policies so that you do not receive notifications from buckets that are not enabled for scanning.

Existing instance: Scanning enabled for specific buckets
Edit scenario: To enable logging for specific buckets
What to do:
  In this case, there are no buckets in common between the CloudTrail and Data Protection features.
  1. Edit the trail, NetskopeCloudTrailStack…, created by the CloudTrail feature and enable Data Events for specific buckets.
  2. Modify API Data Protection DLP and Threat Protection policies so that you do not receive notifications from buckets that are not enabled for scanning.

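Both tables above hinge on whether the trail created by the CloudTrail feature and the trail you created for Data Protection log Data Events for the same buckets. The following script is an added example (not Netskope's code): it reads event selectors in the shape that `aws cloudtrail get-event-selectors` returns and reports every bucket logged by more than one trail; the trail names and bucket names in the sample are constructed.

```python
"""S3 data-event coverage per CloudTrail trail (added example, not Netskope's
code). Input mirrors EventSelectors from `aws cloudtrail get-event-selectors`;
trail and bucket names below are constructed samples."""
S3_PREFIX = "arn:aws:s3:::"  # this bare prefix as a Value means "all buckets"

def covered_buckets(event_selectors):
    """Return the bucket names this trail logs object-level events for;
    "*" stands for every bucket in the account."""
    buckets = set()
    for selector in event_selectors:
        for res in selector.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            for arn in res.get("Values", []):
                if arn == S3_PREFIX:
                    buckets.add("*")
                else:
                    # "arn:aws:s3:::bucket/prefix" -> "bucket"
                    buckets.add(arn[len(S3_PREFIX):].split("/", 1)[0])
    return buckets

def double_logged(trails):
    """Map bucket -> set of trail names for every bucket that more than one
    trail logs (the 'buckets in common' case the tables above resolve)."""
    coverage = {name: covered_buckets(sel) for name, sel in trails.items()}
    log_all = {name for name, b in coverage.items() if "*" in b}
    result = {}
    if len(log_all) > 1:
        result["*"] = set(log_all)
    for buckets in coverage.values():
        for bucket in buckets - {"*"}:
            loggers = {n for n, b in coverage.items() if bucket in b} | log_all
            if len(loggers) > 1:
                result[bucket] = loggers
    return result

# Constructed sample: the CloudTrail-feature trail logs all buckets, while the
# trail created by hand for DLP/Threat Protection logs two specific buckets.
SAMPLE_TRAILS = {
    "NetskopeCloudTrailStack-trail": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True,
         "DataResources": [{"Type": "AWS::S3::Object", "Values": [S3_PREFIX]}]}],
    "dataprotection-trail": [
        {"ReadWriteType": "All", "IncludeManagementEvents": False,
         "DataResources": [{"Type": "AWS::S3::Object",
                            "Values": [S3_PREFIX + "finance-docs/",
                                       S3_PREFIX + "hr-uploads/"]}]}],
}
```

An empty result after you disable Data Events on the Data Protection trail confirms the "no buckets in common" state the tables aim for.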
Disable CloudTrail from an existing AWS instance with Data Protection enabled

When you onboard an AWS instance with DLP Scan and/or Threat Protection (Malware Scan) only, the CFT aws-instance-setup.yml creates a stack called NetskopeStack. After the instance is created, you must create a new cloud trail in all the regions of the AWS account. Later, when you want to edit this instance to enable the CloudTrail feature, the new CFT aws-instance-setup.yml creates a new stack, NetskopeCloudTrailStack, and a trail with a similar name.

When you onboard an AWS instance with both CloudTrail and DLP Scan and/or Threat Protection (Malware Scan), the CFT aws-instance-setup.yml creates only one stack, NetskopeCloudTrailStack, and a trail with a similar name.

The following table covers different scenarios for disabling CloudTrail on an existing AWS instance while keeping DLP Scan and/or Threat Protection (Malware Scan) enabled.

Existing instance:
  • Logging enabled for all buckets
  • Scanning enabled for all buckets
What to do to disable CloudTrail only:
  Choose one of the following based on how this instance was onboarded.
  • If the instance was onboarded with Data Protection features only and later edited to include CloudTrail, then you must edit the trail you created for the Data Protection features and enable Data Events for all buckets.
  • If the instance was onboarded with both CloudTrail and Data Protection features, then you must do the following:
    1. Create a new cloud trail in all the regions of the AWS account and enable Data Events for all buckets.
    2. Delete the NetskopeCloudTrailStack stack.

Existing instance:
  • Logging enabled for all buckets
  • Scanning enabled for specific buckets
What to do to disable CloudTrail only:
  Choose one of the following based on how this instance was onboarded.
  • If the instance was onboarded with Data Protection features only and later edited to include CloudTrail, then you must do the following:
    1. Edit the trail you created for the Data Protection features and enable Data Events for all buckets.
    2. Delete the NetskopeCloudTrailStack stack.
  • If the instance was onboarded with both CloudTrail and Data Protection features, then you must do the following:
    1. Create a new cloud trail in all the regions of the AWS account and enable Data Events for all buckets.
    2. Delete the NetskopeCloudTrailStack stack.

Existing instance:
  • Logging enabled for specific buckets
  • Scanning enabled for specific buckets
What to do to disable CloudTrail only:
  In this scenario, there are no buckets in common between the CloudTrail and Data Protection features.
  Keep the NetskopeStack stack and the trail you created for the Data Protection features. Delete the NetskopeCloudTrailStack stack.

Existing instance:
  • Logging enabled for specific buckets
  • Scanning enabled for specific buckets
What to do to disable CloudTrail only:
  In this scenario, there are common buckets between the CloudTrail and Data Protection features.
  Keep the NetskopeStack stack and the trail you created for the Data Protection features. Delete the NetskopeCloudTrailStack stack.