- Cloud Collectors Overview
- Administration
- Administrative Access
- Shareable Service Accounts
- Add Accounts for AWS Cloud Collectors
- Add Accounts for Cisco Duo Cloud Collector
- Add Accounts for Google Cloud Collectors
- Add Accounts for Microsoft Cloud Collectors
- Add Accounts for Okta Cloud Collectors
- Add Accounts for Salesforce Cloud Collectors
- Add Accounts for Splunk Cloud Collectors
- Add Accounts for Trend Micro Cloud Collectors
- Add Accounts for Wiz
- Define a Unique Site Name
- Sign Up for the Early Access Program
- Onboard Cloud Collectors
- Abnormal Security Cloud Collector
- Anomali Cloud Collector
- AWS CloudTrail Cloud Collectors
- AWS CloudWatch Cloud Collector
- AWS CloudWatch Alarms Cloud Collector
- AWS GuardDuty Cloud Collector
- AWS S3 Cloud Collector
- AWS Security Lake Cloud Collector
- AWS SQS Cloud Collector
- Azure Activity Logs Cloud Collector
- Azure Log Analytics Cloud Collector
- Azure Event Hub Cloud Collector
- Azure Storage Analytics Cloud Collector
- Box Cloud Collector
- Cato Networks Cloud Collector
- Cisco Duo Cloud Collector
- Cisco Meraki Cloud Collector
- Cisco Secure Endpoint Cloud Collector
- Cisco Umbrella Cloud Collector
- Cloudflare Cloud Collector
- Cribl Cloud Collector
- CrowdStrike Cloud Collectors
- GCP Pub/Sub Cloud Collector
- Google Workspace Cloud Collector
- LastPass Cloud Collector
- Microsoft Defender XDR (via Azure Event Hub) Cloud Collector
- Microsoft Entra ID Context Cloud Collector
- Microsoft Entra ID Logs Cloud Collector
- Microsoft 365 Exchange Admin Reports Cloud Collector
- Supported Sources from Microsoft 365 Exchange Admin Reports
- Migrate to the Microsoft 365 Exchange Admin Reports Cloud Collector
- Prerequisites to Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Configure the Microsoft 365 Exchange Admin Reports Cloud Collector
- Troubleshooting the Microsoft 365 Exchange Admin Reports Cloud Collector
- Microsoft 365 Management Activity Cloud Collector
- Microsoft Security Alerts Cloud Collector
- Microsoft Sentinel (via Event Hub) Cloud Collector
- Mimecast Cloud Collector
- Netskope Alerts Cloud Collector
- Netskope Events Cloud Collector
- Okta Cloud Collector
- Okta Context Cloud Collector
- Palo Alto Networks Cortex Data Lake Cloud Collector
- Proofpoint On-Demand Cloud Collector
- Proofpoint Targeted Attack Protection Cloud Collector
- Recorded Future Cloud Collector
- Recorded Future Context Cloud Collector
- Rest API Cloud Collector
- Salesforce Cloud Collector
- SentinelOne Alerts Cloud Collector
- SentinelOne Cloud Funnel Cloud Collector
- SentinelOne Threats Cloud Collector
- SentinelOne Cloud Collector
- ServiceNow Cloud Collector
- Sophos Central Cloud Collector
- Splunk Cloud Collector
- STIX/TAXII Cloud Collector
- Symantec Endpoint Security Cloud Collector
- Tenable Cloud Collector
- Trend Vision One Cloud Collector
- Trellix Endpoint Security Cloud Collector
- Vectra Cloud Collector
- Zoom Cloud Collector
- Zscaler ZIA Cloud Collector
- Webhook Cloud Collectors
- Wiz Issues Cloud Collector
- Wiz API Cloud Collector
- Troubleshooting Cloud Collectors
Prerequisites to Configure the AWS Security Lake Cloud Collector
Before you configure the AWS Security Lake Cloud Collector, complete the following prerequisites:
Enable Security Lake. For more information, see Getting started with Amazon Security Lake in the Amazon AWS documentation.
Note the S3 bucket details after enabling Security Lake. The bucket name appears in the following format: aws-security-data-lake-<region>-<*****>.
Configure S3/SQS Integration that receives a notification when new objects are added to the S3 Bucket.
Create a user with access to AWS created s3 bucket for Security Lake.
Provide the user with S3 object read permission.
Provide the user with SQS/SNS message read and delete access.
Update the notification configuration for s3 bucket to publish notification for each .parquet file that is uploaded in the S3 bucket.
Note
This guide assumes an existence of S3 bucket, and an SQS queue. Before you begin, identify the names for your S3 Bucket and the SQS queue ARNs. If you do not know the names for your S3 Bucket and the SQS queue ARNs, you can find them on the AWS Web Console or use the CLI. Configure the S3 bucket and the SQS queue such that whenever a new object is put into the S3 bucket, the SQS queue gets a notification.
Ensure that the SQS queue and the raw log data file in the S3 bucket contain at least one event, so the cloud collector can run a test connection during configuration and start collecting events after successful test.
Configure S3/SQS Integration
Use the following steps to configure the SQS queue that receives a notification when new objects are added to the S3 Bucket.
In the AWS Web Console, navigate to the S3 bucket where the data is located.
Under Properties, enable event notification for the SQS queue in the S3 bucket on which you want to receive logs.
For more information, see Enable Event Notifications in the AWS documentation.
Choose ObjectCreate (All) events to be notified.
Refer to the following screenshot to add suffix as .gz.parquet in the suffix option.
Allow the S3 Bucket to send events to the SQS Queue.
Replace the access policy attached to the queue with the following policy (in the SQS console, you select the queue, and in the Permissions tab, click Edit Policy Document (Advanced).
{ "Version":"2012-10-17", "Id":"example-ID", "Statement":[ { "Sid":"example-statement-ID", "Effect":"Allow", "Principal":{ "AWS":"*" }, "Action":[ "SQS:SendMessage" ], "Resource":"SQS-queue-ARN", "Condition":{ "StringEquals": { "aws:SourceAccount: "*********" }, "ArnLike":{ "aws:SourceArn":"arn:aws:s3:*:*:bucket-name" } } } ] }
Obtain the SQS Properties
To obtain the SQS properties (SQS URL, SQS Region, and the SQS Message Origin), log in to your AWS account and refer to the following steps:
SQS URL – Go to the SQS service and check the SQS Queue used for the S3 events notifications. In the Details tab copy the URL value.
SQS Region – In the SQS Service page in the SQS Detail tab, you view the SQS region. It is the string between the sqs and amazonaws strings in the URL. In the example above, the region is: us-east-1.