Collect Amazon CloudFront logs

Supported in:

Google SecOps SIEM

This document describes how you can collect Amazon CloudFront logs by setting up a Google Security Operations feed.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the AWS_CLOUDFRONT ingestion label.

Before you begin

Ensure that the Amazon S3 bucket is created. For more information, see Create your first S3 bucket.

Configure Amazon CloudFront

Sign in to the AWS Management console.
Access the Amazon S3 console, and create the Amazon S3 bucket.
To enable logging, select On.
In the Bucket for logs field, specify the Amazon S3 bucket name.
In the Log prefix field, specify an optional prefix.
After the logs files are stored in the Amazon S3 bucket, create an SQS queue and attach it with the Amazon S3 bucket.

Identify the endpoints for connectivity

Check the required IAM user and KMS key policies for S3, SQS, and KMS.

Based on the service and region, identify the endpoints for connectivity by referring to the following AWS documentation:

For information about any logging sources, see AWS Identity and Access Management endpoints and quotas.
For information about S3 logging sources, see Amazon Simple Storage Service endpoints and quotas.
For information about SQS logging sources, see Amazon Simple Queue Service endpoints and quotas.

Configure a feed in Google Security Operations to ingest the Amazon CloudFront logs

In the Google Security Operations menu, select Settings > Feeds > Add new.
In the Feed name field, enter a unique name for the feed.
Select Amazon S3 or Amazon SQS as the Source type.
To create a feed for Amazon CloudFront, select CloudFront as the Log type.
Click Next.
Google Security Operations supports log collection using access key ID and secret method. To create access key ID and secret, see Configure tool authentication with AWS.
Based on the Amazon CloudFront configuration that you created, specify values for the following fields.
- If you use Amazon S3, specify values for the following fields:
  - Region
  - S3 URI
  - URI is a
  - Source deletion option
- If you use Amazon SQS, specify values for the following fields:
  - Region
  - Queue name
  - Account number
  - Queue access key ID
  - Queue secret access key
  - Source deletion option
Click Next and then click Submit.

To send the Amazon CloudFront logs to the Amazon S3 bucket, see Configure and use standard logs (access logs).

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser extracts fields from AWS CloudFront logs in either SYSLOG or JSON format, normalizing them into the UDM. It uses grok patterns to parse message strings, handles various data transformations (e.g., type conversions, renaming), and enriches the data with additional context like user agent parsing and application protocol identification.

UDM mapping table

Log Field	UDM Mapping	Logic
`c-ip`	`principal.ip`	Directly mapped. Also mapped to `principal.asset.ip`.
`c-port`	`principal.port`	Directly mapped.
`cs(Cookie)`	`additional.fields[].key`: "cookie" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if `cs(Cookie)` is present and `agent` does not contain "://".
`cs(Host)`	`principal.hostname`	Directly mapped. Also mapped to `principal.asset.hostname`. Used in constructing the `target.url` if other URL fields are not available.
`cs(Referer)`	`network.http.referral_url`	Directly mapped.
`cs(User-Agent)`	`network.http.user_agent`	Directly mapped. Also mapped to `network.http.parsed_user_agent` and parsed into its components if it does not contain "://".
`cs-bytes`	`network.sent_bytes`	Directly mapped. Converted to unsigned integer.
`cs-method`	`network.http.method`	Directly mapped.
`cs-protocol`	`network.application_protocol`	Mapped after converting to uppercase. If the value is not recognized as a standard application protocol and `cs-protocol-version` contains "HTTP", then `network.application_protocol` is set to "HTTP".
`dport`	`target.port`	Directly mapped. Converted to integer.
`edge_location`	`principal.location.name`	Directly mapped.
`fle-encrypted-fields`	`additional.fields[].key`: "fle-encrypted-fields" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`fle-status`	`additional.fields[].key`: "fle-status" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`host`	`principal.hostname`, `principal.asset.hostname`	Directly mapped.
`id`	`principal.asset_id`	Directly mapped with the prefix "id: ".
`ip`	`target.ip`, `target.asset.ip`	Directly mapped.
`log_id`	`metadata.product_log_id`	Directly mapped.
`resource`	`additional.fields[].key`: "resource" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`result_type`	`additional.fields[].key`: "result_type" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`sc-bytes`	`network.received_bytes`	Directly mapped. Converted to unsigned integer.
`sc-content-len`	`additional.fields[].key`: "sc-content-len" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`sc-content-type`	`additional.fields[].key`: "sc-content-type" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`sc-status`	`network.http.response_code`	Directly mapped. Converted to integer.
`ssl-cipher`	`network.tls.cipher`	Directly mapped.
`ssl-protocol`	`network.tls.version`	Directly mapped.
`timestamp`	`metadata.event_timestamp`	Parsed and mapped if available. Different formats are supported.
`ts`	`metadata.event_timestamp`	Parsed and mapped if available. ISO8601 format is expected.
`url`	`target.url`	Directly mapped.
`url_back_to_product`	`metadata.url_back_to_product`	Directly mapped.
`x-edge-detailed-result-type`	`additional.fields[].key`: "x-edge-detailed-result-type" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`x-edge-location`	`additional.fields[].key`: "x-edge-location" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`x-edge-request-id`	`additional.fields[].key`: "x-edge-request-id" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`x-edge-response-result-type`	`additional.fields[].key`: "x-edge-response-result-type" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`x-edge-result-type`	`additional.fields[].key`: "x-edge-result-type" `additional.fields[].value.string_value`: Directly mapped.	Conditionally mapped if present.
`x-forwarded-for`	`target.ip`, `target.asset.ip`	Directly mapped. If multiple IPs are present (comma-separated), they are split and merged into the respective UDM fields.
`x-host-header`	`target.hostname`, `target.asset.hostname`	Directly mapped. Set to "NETWORK_HTTP" if either `ip` or `x-forwarded-for` and `http_verb` are present. Otherwise, set to "GENERIC_EVENT". Hardcoded to "AWS_CLOUDFRONT". Hardcoded to "AWS CloudFront". Hardcoded to "AMAZON". The ingestion time of the log entry into Google Security Operations.