Merge pull request #199 from SumoLogic/fy25q2awso

AWSO v2.9.0

Author: himsharma01

.github/workflows/cf-test.yml

@@ -14,7 +14,7 @@ jobs:
 
       - name: Print the Cloud Formation Linter Version & run Linter.
         run: |
-          cfn-lint aws-observability/**/*.yaml --ignore-templates aws-observability/**/*TestTemplate.yaml
+          cfn-lint aws-observability/**/*.yaml --ignore-templates aws-observability/**/*TestTemplate.yaml --ignore-checks W3011
 
   CFSecurityChecksCheckovt:
     name: "Security Checks (checkov)"

aws-observability-terraform/README.md

@@ -5,14 +5,14 @@
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.16.2, < 6.0.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
-| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.11.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | 2.28.3 |
+| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | 2.31.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | 0.11.1 |
 
 ## Modules

aws-observability-terraform/app-modules/README.md

@@ -4,13 +4,13 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.1 |
-| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.31.0, < 3.0.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | n/a |
 
 ## Modules

aws-observability-terraform/app-modules/rds/app.tf

@@ -519,6 +519,74 @@ module "rds_module" {
       group_notifications      = var.group_notifications
       connection_notifications = var.connection_notifications
       email_notifications      = var.email_notifications
+    },
+    "RdsMSSQLHighAuthFailureByClientIPsOnDB" = {
+      monitor_name         = "Amazon RDS MSSQL - Database observing authentication failures from multiple client IPs"
+      monitor_description  = "This alert fires when we detect more than or equal to 10 client IPs attempting authentication failures on the database over a 15-minute period."
+      monitor_monitor_type = "Logs"
+      monitor_parent_id    = var.monitor_folder_id
+      monitor_is_disabled  = var.monitors_disabled
+      monitor_evaluation_delay = "0m"
+      queries = {
+        A = "account=* region=* namespace=aws/rds dbidentifier=* _sourceHost=/aws/rds/*Error Logon Login failed for user\n| json \"message\" nodrop | if (_raw matches \"{*\", message, _raw) as message\n| parse field=message \"* Logon       Login failed for user '*'. Reason: * [CLIENT: *]\" as time, user, reason, client_ip\n| count_distinct(client_ip) as unique_client_ip by dbidentifier\n| 10 as threshold\n| where unique_client_ip >= threshold\n| sort by unique_client_ip\n| fields - threshold"
+      }
+      triggers = [
+        {
+          detection_method = "LogsStaticCondition",
+          time_range       = "-15m",
+          trigger_type     = "Critical",
+          threshold        = 1,
+          threshold_type   = "GreaterThanOrEqual",
+          occurrence_type  = "ResultCount",
+          trigger_source   = "AllResults"
+        },
+        {
+          detection_method = "LogsStaticCondition",
+          time_range       = "-15m",
+          trigger_type     = "ResolvedCritical",
+          threshold        = 1,
+          threshold_type   = "LessThan",
+          occurrence_type  = "ResultCount",
+          trigger_source   = "AllResults"
+        }
+      ]
+      group_notifications      = var.group_notifications
+      connection_notifications = var.connection_notifications
+      email_notifications      = var.email_notifications
+    },
+    "RdsMSSQLHighAuthFailureByClientIPOnDBs" = {
+      monitor_name         = "Amazon RDS MSSQL - Authentication failures from the same client IP on multiple databases"
+      monitor_description  = "This alert fires when we detect specific client IP attempting authentication failures on more than or equal to 10 databases over a 15 minute time-period."
+      monitor_monitor_type = "Logs"
+      monitor_parent_id    = var.monitor_folder_id
+      monitor_is_disabled  = var.monitors_disabled
+      monitor_evaluation_delay = "0m"
+      queries = {
+        A = "account=* region=* namespace=aws/rds dbidentifier=* _sourceHost=/aws/rds/*Error Logon Login failed for user\n| json \"message\" nodrop | if (_raw matches \"{*\", message, _raw) as message\n| parse field=message \"* Logon Login failed for user '*'. Reason: * [CLIENT: *]\" as time, user, reason, client_ip\n| count_distinct(dbidentifier) as unique_db by client_ip\n| 10 as threshold\n| where unique_db >= threshold\n| sort by unique_db, client_ip asc\n| fields - threshold"
+      }
+      triggers = [
+        {
+          detection_method = "LogsStaticCondition",
+          time_range       = "-15m",
+          trigger_type     = "Critical",
+          threshold        = 1,
+          threshold_type   = "GreaterThanOrEqual",
+          occurrence_type  = "ResultCount",
+          trigger_source   = "AllResults"
+        },
+        {
+          detection_method = "LogsStaticCondition",
+          time_range       = "-15m",
+          trigger_type     = "ResolvedCritical",
+          threshold        = 1,
+          threshold_type   = "LessThan",
+          occurrence_type  = "ResultCount",
+          trigger_source   = "AllResults"
+        }
+      ]
+      group_notifications      = var.group_notifications
+      connection_notifications = var.connection_notifications
+      email_notifications      = var.email_notifications
     }
   }
 }

aws-observability-terraform/app-modules/versions.tf

@@ -7,7 +7,7 @@ terraform {
       version = ">= 2.1"
     }
     sumologic = {
-      version = ">= 2.28.3, < 3.0.0"
+      version = ">= 2.31.0, < 3.0.0"
       source  = "SumoLogic/sumologic"
     }
   }

aws-observability-terraform/cloudformation-module/versions.tf

@@ -9,7 +9,7 @@ terraform {
       version = "~> 2.1"
     }
     sumologic = {
-      version = "~> 2.6.2"
+      version = ">= 2.31.0, < 3.0.0"
       source  = "SumoLogic/sumologic"
     }
   }

aws-observability-terraform/examples/appmodule/README.md

@@ -5,14 +5,14 @@
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.42.0, < 4.0.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
-| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.11.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.11.1 |
 
 ## Modules

aws-observability-terraform/examples/appmodule/versions.tf

@@ -7,7 +7,7 @@ terraform {
       version = ">= 5.16.2, < 6.0.0"
     }
     sumologic = {
-      version = ">= 2.28.3, < 3.0.0"
+      version = ">= 2.31.0, < 3.0.0"
       source  = "SumoLogic/sumologic"
     }
     time = {

aws-observability-terraform/examples/sourcemodule/overrideSources/README.md

@@ -5,14 +5,14 @@
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.42.0, < 4.0.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.1.0 |
-| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="requirement_sumologic"></a> [sumologic](#requirement\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.11.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.28.3, < 3.0.0 |
+| <a name="provider_sumologic"></a> [sumologic](#provider\_sumologic) | >= 2.31.0, < 3.0.0 |
 | <a name="provider_time"></a> [time](#provider\_time) | >= 0.11.1 |
 
 ## Modules

aws-observability-terraform/examples/sourcemodule/overrideSources/versions.tf

@@ -7,7 +7,7 @@ terraform {
       version = ">= 5.16.2, < 6.0.0"
     }
     sumologic = {
-      version = ">= 2.28.3, < 3.0.0"
+      version = ">= 2.31.0, < 3.0.0"
       source  = "SumoLogic/sumologic"
     }
     time = {