Configure the AWS Security Lake Plugin
Configure the Amazon Security Lake Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Amazon Security Lake box to open the plugin creation dialog.
- Enter a Configuration Name, like Amazon Security Lake.
- Select a valid Mapping. (Default mappings are available for all plugins. To create a new mapping, follow the CLS guide to Create New Mapping.)
Note
Enable the Transform the raw logs toggle. Raw data cannot be sent directly to the AWS S3 Source Bucket, because the Lambda expects those files to be in a specific form (OCSF – Open Cybersecurity Schema Framework) in order to convert them into Parquet files, as Amazon Security Lake requires.
- Click Next.
- Enter these parameters:
- Authentication Method:
- Types of Authentication supported:
- Private Key File: Private Key File for decrypting the AWS Private CA Certificate for IAM Roles Anywhere authentication.
- Certificate Body: Certificate body for AWS Public/Private CA Certificate for IAM Roles Anywhere authentication.
- Password Phrase: Password Phrase for decrypting the CA Certificate for IAM Roles Anywhere authentication.
- Profile ARN: AWS Profile ARN for IAM Roles Anywhere authentication.
- Role Arn: AWS Role ARN for IAM Roles Anywhere authentication.
- Trust Anchor ARN: AWS Trust Anchor ARN for IAM Roles Anywhere authentication.
- AWS S3 Source Bucket Region: Region Name from where to get the AWS S3 Source Bucket. Make sure that the region name matches the region in the Profile ARN and Trust Anchor ARN.
- AWS S3 Source Bucket: Name of the AWS S3 Source Bucket in which the data objects will be stored. Note: If a bucket with the specified name does not exist in the selected region, a new bucket will be created. Note: The value of this bucket name configuration parameter in Netskope CE should be the same as the source bucket name given in the CFN stack parameter. The bucket named here will contain only the logs sent from Netskope CE, not the Parquet-converted files.
- Click Save.
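The region requirement above can be checked before the values are entered. The following is an added example, not part of the plugin or of Netskope's documentation; it also goes one step further and checks that each ARN is of the expected type. The function name, the dictionary keys and the sample ARNs (placeholder account ID and UUIDs) are constructed for illustration.

```python
import re

# ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>[a-z0-9-]+):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12}):(?P<resource>.+)$"
)

# Field name -> (service, resource prefix) the ARN in that field should carry.
EXPECTED = {
    "Profile ARN": ("rolesanywhere", "profile/"),
    "Role Arn": ("iam", "role/"),
    "Trust Anchor ARN": ("rolesanywhere", "trust-anchor/"),
}

def check_roles_anywhere_config(bucket_region, arns):
    """Return a list of problems; an empty list means the values are consistent.

    `arns` maps the field names in EXPECTED to the values entered in the form.
    """
    problems = []
    for field, (service, prefix) in EXPECTED.items():
        match = ARN_RE.match(arns.get(field, "").strip())
        if not match:
            problems.append(f"{field}: not a well-formed ARN")
            continue
        if match["service"] != service or not match["resource"].startswith(prefix):
            problems.append(f"{field}: expected a {service} {prefix.rstrip('/')} ARN")
        # IAM is global: role ARNs have an empty region field, nothing to compare.
        elif service == "rolesanywhere" and match["region"] != bucket_region:
            problems.append(
                f"{field}: region {match['region']!r} does not match "
                f"bucket region {bucket_region!r}"
            )
    return problems

# Constructed sample values (placeholder account ID and UUIDs).
SAMPLE = {
    "Profile ARN": "arn:aws:rolesanywhere:us-east-1:111122223333:profile/00000000-0000-0000-0000-000000000001",
    "Role Arn": "arn:aws:iam::111122223333:role/ExampleSecurityLakeRole",
    "Trust Anchor ARN": "arn:aws:rolesanywhere:us-west-2:111122223333:trust-anchor/00000000-0000-0000-0000-000000000002",
}

if __name__ == "__main__":
    for problem in check_roles_anywhere_config("us-east-1", SAMPLE):
        print(problem)
```

With the sample values, the trust anchor is reported because its region differs from the bucket region.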
Note: (optional) Use the steps in the following section to configure the plugin with Secret Vault HashiCorp.
Configure the Amazon Security Lake Plugin using Secret Vault HashiCorp (optional)
Use this configuration only if you are using Secret Vault HashiCorp. The Secret Vault HashiCorp securely stores and manages access to secrets such as passwords and passphrases (certificates are not included).
- Click on Settings > General > Secrets Manager.
- Enable the Secrets Manager toggle button.
- Select HashiCorp from the Secrets Manager dropdown.
- Enter the Vault URL and Namespace.
- Select Token for the Authentication Method and enter your token in the textbox.
- Click Save.
- After saving the Secrets Manager, go to Log Shipper > Plugins.
- Configure the Amazon Security Lake plugin.
- While configuring the plugin, a toggle button is displayed for the Password Phrase parameter.
- Enable the toggle button.
- Enter the path where the secret is stored.
- Enter the other required parameters and click Save.
Note: The Secret Vault HashiCorp securely stores and manages access to secrets of the password field type. To protect other field types, which are stored in MongoDB, you can optionally encrypt the disk/partition.
Configure a Log Shipper Business Rule for AWS Security Lake
- Go to Log Shipper > Business Rules.
- Click Create New Rule.
- Enter a Rule Name and select Filter(s). Enter a Folder Name, if any.
- Click Save.
Configure a Log Shipper SIEM Mapping for AWS Security Lake
- Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
- Select a Source Configuration, Destination Configuration, and Business Rule.
- Click Save.