Monitoring Dashboard

About Monitoring Dashboard

Troubleshooting

• Missing AWS Events
• False positives

About Monitoring Dashboard

The Monitoring Dashboard provides an in-depth record of all events in an AWS account. Each event is categorized by time of the event, event details, identity of the user who performed the event, and the account on which the event occurred. You can also filter events on the basis of Trend Micro Cloud One™ – Conformity events, AWS events, regions, and services. Use this dashboard to monitor any unusual activity such as changes to security groups, increased permission levels for users, access to your AWS account from an unfamiliar country etc., and take remedial actions if necessary.

When reviewing RTM events, you may want to reconfigure a rule, resolve the failed check, or review details to identify or reduce security vulnerabilities. On expanding an event, you will be provided with the following options:

1. Event / Check details - Information on events, checks, and their associated resource types and services
2. Configure rule - adjust the behavior of rules to meet your organisation's needs
3. Resolve - take remediation steps to reduce security vulnerabilities

Troubleshooting

False positives

Problem: The Rule RTM-005 - Users signed in to AWS from an approved country returns a false positive.

Solution: One of the reasons you may encounter this issue is that Conformity Bot identifies the user's sign-in location based on their IP address rather than their actual physical location.

For example, you have added Germany to the list of approved countries but the Conformity Bot detects the user's sign-in location as Switzerland returning a failure (False positive).

The discrepancy comes from the way Internet IP addresses are allocated.

Follow these steps to diagnose and resolve this problem

1. Check the user’s location based on their IP address by using any of the following sites:
   1. https://tools.keycdn.com/geo
   2. https://www.ip2location.com/demo
   3. https://dnschecker.org/ip-location.php
2. If the IP location matches what the Conformity Bot detected then the rule is working as expected. This can also occur when connecting using a corporate VPN which hides the user's actual sign-in IP address and location.
3. If the IP location comes back as different from the one detected by Conformity Bot, please contact Customer Success who can investigate the issue further.

Missing AWS Events

Problem: I have activated RTM for my organization, but some AWS events are not being picked by the activity bot.

Solution:

1. Ensure that you have installed the eventBus so that RTM can pickup events from every region.
2. Check the list RTM supported events below.

Any AWS event missing from the list below is not supported by RTM, it's monitored with your scheduled Conformity Bot run and will be sent for Auto-Remediation after being picked up in the scan.