
Integrate Wazuh with Amazon Security Lake as a source #16362

Closed
Selutario opened this issue Mar 10, 2023 · 4 comments
Selutario commented Mar 10, 2023

Description

Amazon Security Lake coordinates data storage and provisioning of necessary resources to facilitate log consumption by subscribers, who can operate within or outside of the user's account. For custom sources, Amazon Security Lake is responsible for provisioning the S3 bucket location, creating the Lake Formation table associated with that location, creating a role in the customer’s account that will be used to write the custom source data, setting up a Glue crawler to maintain partition metadata, and coordinating subscriber access to the source after it is written to Amazon Security Lake. Custom Sources are responsible for writing data to the source following some requirements.

Functional requirements

  • Users will be able to send Wazuh alerts information to Amazon Security Lake.
  • Users will be able to filter the information they want to send to Amazon Security Lake using the filters already available in the integration block.
  • Users will be able to configure access to Amazon Security Lake considering that the Wazuh manager (the sender) does not necessarily live within AWS.

Non-functional requirements

  • Good practices regarding partitioning, object size and rate, parquet settings and sorting should be followed. They are listed here.

Implementation restrictions

  • This integration will work with the new integratord implementation.
  • The custom source must be able to write data to Security Lake as a set of S3 objects underneath the prefix assigned to the source. For sources that contain multiple categories of data, each unique Open Cybersecurity Schema Framework (OCSF) event class should be delivered as a separate source.
  • Each S3 object that's collected from the custom source should be formatted as an Apache Parquet file.
  • The same OCSF event class should apply to each record within a Parquet-formatted object.
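The restrictions above boil down to a per-object invariant: one OCSF event class per Parquet object, written under the prefix assigned to that class's source. The following is an added illustration, not code from Wazuh or from this issue; the alert-to-OCSF field mapping, the severity mapping, the `region=/accountId=/eventDay=` partition layout and the per-class prefixes are assumptions, and Parquet serialization (e.g. with pyarrow) is left out.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample alerts in the shape Wazuh writes to alerts.json (not real data).
SAMPLE_ALERTS = [
    {"timestamp": "2023-03-10T12:00:00.000+0000", "agent": {"id": "001", "name": "web-01"},
     "rule": {"id": "5710", "level": 5, "description": "sshd: login attempt with non-existent user"}},
    {"timestamp": "2023-03-10T12:00:05.000+0000", "agent": {"id": "002", "name": "db-01"},
     "rule": {"id": "5503", "level": 3, "description": "PAM: user login failed"}},
]

OCSF_SECURITY_FINDING = 2001  # OCSF 1.0 "Security Finding" class_uid (category 2, Findings)

def wazuh_level_to_severity_id(level):
    # Assumed mapping of Wazuh rule levels (0-15) onto OCSF severity_id 1..5.
    if level >= 12: return 5   # Critical
    if level >= 9:  return 4   # High
    if level >= 6:  return 3   # Medium
    if level >= 3:  return 2   # Low
    return 1                   # Informational

def to_ocsf(alert):
    # Assumed minimal mapping; fields that have no OCSF home go into "unmapped".
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return {
        "class_uid": OCSF_SECURITY_FINDING, "category_uid": 2,
        "time": int(ts.timestamp() * 1000),
        "severity_id": wazuh_level_to_severity_id(alert["rule"]["level"]),
        "message": alert["rule"]["description"],
        "finding": {"uid": alert["rule"]["id"], "title": alert["rule"]["description"]},
        "metadata": {"product": {"name": "Wazuh"}, "version": "1.0.0"},
        "unmapped": {"agent": alert["agent"]},
    }

def batch_by_class(records):
    # Security Lake: every record inside one Parquet object must share the same class_uid.
    batches = defaultdict(list)
    for r in records:
        batches[r["class_uid"]].append(r)
    return dict(batches)

def object_key(class_prefix, region, account_id, records):
    # Assumed layout: <per-class source prefix>/region=/accountId=/eventDay=YYYYMMDD/<object>
    first_ms = min(r["time"] for r in records)
    day = datetime.fromtimestamp(first_ms / 1000, tz=timezone.utc).strftime("%Y%m%d")
    return f"{class_prefix}/region={region}/accountId={account_id}/eventDay={day}/{first_ms}.parquet"

def plan_objects(alerts, prefixes, region, account_id):
    # Returns {s3_key: [ocsf records]}; each key holds exactly one OCSF class, as required.
    batches = batch_by_class(to_ocsf(a) for a in alerts)
    return {object_key(prefixes[c], region, account_id, recs): recs for c, recs in batches.items()}
```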

Plan

  • Study the use case, access patterns, and documentation for Amazon Security Lake Source Integrations #16335
    • Review and analyze the use case, access patterns, and documentation for other Amazon Security Lake Source Integrations.
    • Identify any potential limitations or challenges that may arise during integration.
    • Document any lessons learned or best practices from other custom sources.
  • Research and decide on the most appropriate service for the creation and delivery of parquet files.
    • Identify any specific requirements or limitations for the chosen service.
    • Consider any potential scalability or performance implications.
  • Design implementation to fulfill task requirements for Wazuh integration as a source.
    • Specify the architecture and components required for integration.
    • Specify which and how Wazuh's alerts will be converted to OCSF schema.
    • Consider any potential security or privacy implications of integration.
  • Develop and test design POC
    • Develop a proof of concept (POC) to test the design.
    • Evaluate the POC results and refine the test plan accordingly.
  • Develop the designed implementation.
    • Follow development best practices and adhere to coding standards.
    • Continuously test and validate the implementation as it is developed.
  • Add unit tests to the developed implementation.
    • Cover all functionality of the integration with comprehensive testing.
    • Ensure test coverage is thorough (as close to 100% as possible) and efficient.
    • Implement continuous integration via Jenkins.
  • Manually test sources’ functionality by adding Wazuh as a custom source for Amazon Security Lake.
    • Verify that the integration is functioning as expected.
    • Confirm that data is being sent and stored in the Amazon Security Lake environment.
  • Design integration tests for the implementation.
    • Cover end-to-end testing of the integration.
    • Consider edge cases and error scenarios to ensure the robustness of the integration.
  • Write appropriate documentation.
    • Include clear instructions for setting up and configuring the integration.
    • Document any potential issues or limitations.
    • Provide guidance for troubleshooting and support.
@havidarou (Member)

For Wazuh to do this, a pushing mechanism faster and more reliable than integratord should be needed.

@havidarou (Member)

Closing this in favor of a different approach.

havidarou closed this as not planned on Dec 13, 2023.

@kclinden

Closing this in favor of a different approach.
What was the different approach that was chosen for this? I am trying to send Wazuh alerts to Security Lake.

@Selutario (Member, Author)

@kclinden you can find more details here:
