Amazon Security Lake – S3 Data Events Logs
Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that’s stored in your AWS account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. S3 is AWS’s cloud storage microservice that allows companies to store any size of data in a globally accessible fashion in either a public or private way.
Query integrations with Amazon Security Lake, regarding S3 Data Events Logs, to surface details about:
- Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
- Username (mapped to user.name, user.uid, etc)
- Hostname (mapped to src_endpoint.domain)
- IP Address (mapped to src_endpoint.ip)
This allows analysts to quickly search for the full and partial GUIDs of protected resources, suspected malicious usernames & hostnames, or resource & malicious IP addresses.
The following Entities, Events and Objects are supported by Query for those data points. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website.
Entities:
- Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
- Username (mapped to user.name, user.uid, etc)
- Hostname (mapped to src_endpoint.domain)
- IP Address (mapped to src_endpoint.ip)
Events:
- API Activity
For example, the analyst could obtain the following context:
- Searching for a suspected Resource ID will show all API Activity to that resource ID that may indicate unauthorized access.
- Searching for a suspected malicious IP address will show you if that IP address has accessed any of the public S3 resources for that AWS organization.
To integrate Amazon Security Lake, S3 Event Data Logs see integration documentation here.The integration will normalize data pulled from AWS WAFv2 into Query’s OCSF based QDM (Query Data Model).