Analyzing AWS AppFabric logs with Notebooks and the Dynatrace Query Language (DQL)
When AWS AppFabric logs are ingested through the Dynatrace AWS S3 Log Forwarder, each log entry is enriched with a set of attributes that let security analysts query the data for anomalous behavior. All AWS AppFabric SaaS audit log entries are automatically detected and enriched with the following attributes:
- aws.service: appfabric
- log.source: {saas_product_name}
- audit.identity: {email_address_of_the_user_performing_the_action}
- audit.action: {ocsf_normalized_action_category}
Dynatrace offers Notebooks, enabling organizations to create powerful, data-driven documents for custom analytics of logs, events, and metrics. Notebooks help users perform in-depth analysis of AppFabric logs using the Dynatrace Query Language (DQL).
After connecting your SaaS applications to AppFabric and choosing Dynatrace as your destination, you can analyze logs by adding a log explorer to a Dynatrace Notebook. From the Dynatrace Notebook application, click the + button and select Explore logs. Then set the filter key to aws.service and the value to appfabric, as shown in figure 1.
With AppFabric now surfacing normalized logs in a Dynatrace Notebook, you can apply quantitative analysis to better understand the log data and events. Dynatrace Notebooks let users format the output as tables and graphs to visualize data at a glance. Configure the query as follows:
fetch logs
| filter aws.service == "appfabric"
| summarize count(), by: {log.source}
In figure 2, a pie chart shows log events per SaaS application.
Set up alerts for suspicious user activity
AppFabric customers often ask for alerts when suspicious activity occurs across their SaaS applications. With the AppFabric integration with Dynatrace Log Management and analytics, customers can set up alerts based on the occurrence of specific log events.
Figure 3 shows an example of a Dynatrace problem raised from AppFabric audit logs.
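The following DQL query is an added example (not part of the original post or the Dynatrace product documentation) that builds on the per-application count shown above and on the alerting use case: it breaks the AppFabric audit events down by hour, SaaS application, user identity and OCSF action category, then keeps only the buckets where a single identity generated an unusually high number of events. The threshold of 50 events per hour is an assumed value to tune for your own environment.

```dql
fetch logs
// only entries enriched by the S3 Log Forwarder as AppFabric audit logs
| filter aws.service == "appfabric"
// one row per hour, SaaS app, user and OCSF action category
| summarize events = count(), by: {bin(timestamp, 1h), log.source, audit.identity, audit.action}
// assumed threshold: surface identities that are far busier than normal
| filter events > 50
| sort events desc
| limit 25
```

The same `filter events > 50` condition can serve as the basis for a log-based alert, so that a burst of actions by one identity raises a problem like the one in figure 3 instead of having to be spotted manually in a notebook.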