Amazon Security Lake collector
Overview
Amazon Security Lake is a service that automates the sourcing, aggregation, normalization, and data management of security data across your organization into a security data lake stored in your account. A security data lake helps make your organization’s security data broadly accessible to your preferred security analytics solutions to power use cases such as threat detection, investigation, and incident response.
Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service can normalize and combine security data from AWS and a broad range of enterprise security data sources.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( | |
Running environments | |
Populated Devo events | |
Flattening preprocessing | |
Allowed source events obfuscation | |
Data sources
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Amazon Security Lake | Security Lake records (in OCSF format) | AWS S3 and SQS | | | |
For more information on how the events are parsed, visit our page.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.
Setting | Details |
---|---|
aws_access_key_id | Credentials |
aws_secret_access_key | Credentials |
 | AWS |
 | AWS SQS |
Accepted authentication methods
Authentication method | AWS Access Key | AWS Secret Access Key |
---|---|---|
AWS access key/secret | Required | Required |
Vendor setup
For a detailed walk-through of enabling/configuring Security Lake and enabling/configuring Security Lake providers, see the Security Lake Getting Started Guide.
This guide assumes that you have created an account with the necessary permissions to access the SQS queue(s) and S3 bucket(s) that were created during the initial enablement of Amazon Security Lake.
Action | Steps |
---|---|
Obtain the credentials for the AWS Security Lake user. | Create and/or obtain the AWS access key ID and secret access key of the account that will be used to fetch the Security Lake SQS messages and S3 log files. Please refer to the Security Lake Getting Started Guide for more information on creating an administrative user. |
Add a Security Lake Subscriber. | - |
Enter subscriber details. | - |
Choose to collect either all log and event sources or only specific log and event sources. | - |
Choose the S3 data access method. | - |
Set subscriber credentials. | - |
Select SQS Queue for Notification details. | - |
Choose Create to create the subscriber. | - |
Obtain the SQS queue name from the newly created subscriber details page. | - |
Assigning necessary permissions
The user must have already configured an instance of Amazon Security Lake. For general information and detailed steps on how to do so, please refer to the official Getting started - Amazon Security Lake documentation.
Credentials (`aws_access_key_id` and `aws_secret_access_key`) must be provided for a user that has access to the Security Lake S3 bucket and associated SQS queue (configured in the steps above).
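The collector's data path is the one the tables above describe: Security Lake writes OCSF records as Parquet objects to the lake bucket, the subscriber's SQS queue receives an S3 object-created notification, and the collector fetches the object named in the message. The added example below is not Devo's collector code; it shows the two pieces a practitioner should get right on their own side. First, how to consume those SQS messages safely: skip the `s3:TestEvent` that S3 sends once when a notification is attached, fetch only `ObjectCreated:*` events, URL-decode the key (S3 encodes the `region=...` partition segments as `region%3D...`), and refuse any message that names a bucket other than the Security Lake bucket, so a message injected into the queue cannot point the collector at attacker-controlled data. Second, a least-privilege IAM policy for the principal whose `aws_access_key_id`/`aws_secret_access_key` the collector uses, covering the permissions section above. The bucket name, queue ARN, account ID and object keys are hypothetical, and the sample message bodies are constructed to match the S3 event notification shape rather than captured from a real queue.

```python
import json
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Hypothetical names for this example (not from the Devo docs or a real deployment).
SECURITY_LAKE_BUCKET = "aws-security-data-lake-us-east-1-example"
ALLOWED_BUCKETS = {SECURITY_LAKE_BUCKET}

# Constructed SQS message body: the one-time s3:TestEvent S3 emits when a
# notification configuration is attached to a bucket.
TEST_EVENT_BODY = json.dumps({
    "Service": "Amazon S3",
    "Event": "s3:TestEvent",
    "Time": "2023-06-01T00:00:00.000Z",
    "Bucket": SECURITY_LAKE_BUCKET,
    "RequestId": "EXAMPLEREQUESTID",
    "HostId": "EXAMPLEHOSTID",
})


def _object_created_body(bucket: str, encoded_key: str) -> str:
    """Build a constructed S3 ObjectCreated notification body (S3 event shape)."""
    return json.dumps({"Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-east-1",
        "eventTime": "2023-06-01T00:01:00.000Z",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "s3SchemaVersion": "1.0",
            "bucket": {"name": bucket, "arn": f"arn:aws:s3:::{bucket}"},
            "object": {"key": encoded_key, "size": 4096},
        },
    }]})


# Security Lake style partitioned key; S3 URL-encodes '=' as '%3D' in notifications.
OBJECT_CREATED_BODY = _object_created_body(
    SECURITY_LAKE_BUCKET,
    "aws/SH_FINDINGS/1.0/region%3Dus-east-1/accountId%3D123456789012/"
    "eventDay%3D20230601/findings-0001.gz.parquet",
)
# A notification naming a bucket this collector was never configured to read.
FOREIGN_BUCKET_BODY = _object_created_body(
    "attacker-controlled-bucket", "aws/SH_FINDINGS/1.0/payload.gz.parquet"
)


def parse_notification(body: str, allowed_buckets=ALLOWED_BUCKETS) -> List[Tuple[str, str]]:
    """Return the (bucket, key) pairs to fetch for one SQS message body.

    - s3:TestEvent yields no objects; the caller should still delete the
      message so it does not stay on the queue forever.
    - Only ObjectCreated:* records are fetched; deletes and others are ignored.
    - The bucket is checked against an allowlist before anything is fetched.
    - Keys are URL-decoded ('+' means space in S3 notifications).
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    objects: List[Tuple[str, str]] = []
    for rec in msg.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        if bucket not in allowed_buckets:
            raise ValueError(f"notification names unexpected bucket {bucket!r}")
        objects.append((bucket, unquote_plus(rec["s3"]["object"]["key"])))
    return objects


def collector_policy(queue_arn: str, bucket_arn: str, kms_key_arn: Optional[str] = None) -> Dict:
    """Least-privilege IAM policy for the principal the collector runs as.

    Consume one subscriber queue, GetObject on one Security Lake bucket, and
    kms:Decrypt only when that bucket is encrypted with a customer managed key.
    """
    statements = [
        {"Sid": "ConsumeSubscriberQueue", "Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                    "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
         "Resource": queue_arn},
        {"Sid": "ReadSecurityLakeObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": f"{bucket_arn}/*"},
    ]
    if kms_key_arn:
        statements.append({"Sid": "DecryptSecurityLakeObjects", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    for body in (TEST_EVENT_BODY, OBJECT_CREATED_BODY):
        print(parse_notification(body))
    print(json.dumps(collector_policy(
        "arn:aws:sqs:us-east-1:123456789012:AmazonSecurityLake-example-queue",
        f"arn:aws:s3:::{SECURITY_LAKE_BUCKET}"), indent=2))
```

The bucket allowlist is the check worth keeping even if the rest is replaced by a library: the queue policy that Security Lake sets up controls who may send to the queue, but the collector should not trust the message body to decide what it reads. The policy assumes the collector's principal lives in the account that owns the lake bucket and queue; for a cross-account subscriber, Security Lake's own subscriber role and queue policy model applies and the statements above would be attached to the principal that assumes that role.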
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Events service
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
Change log
Release | Released on | Release type | Details | Recommendations |
---|---|---|---|---|
 | Jun 1, 2023 | initial release | Initial release | |