Open in app

Sign in

Write

Sign in

Amazon Security Lake S3 Event Data Logs & Query Federated Search

Query
Query
2 min readMay 15, 2024

--

Amazon Security Lake — S3 Data Events Logs

Amazon Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that’s stored in your AWS account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. S3 is AWS’s cloud storage microservice that allows companies to store any size of data in a globally accessible fashion in either a public or private way.

Query integrations with Amazon Security Lake, regarding S3 Data Events Logs, to surface details about:

  • Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
  • Username (mapped to user.name, user.uid, etc)
  • Hostname (mapped to src_endpoint.domain)
  • IP Address (mapped to src_endpoint.ip)

This allows analysts to quickly search for the full and partial GUIDs of protected resources, suspected malicious usernames & hostnames, or resource & malicious IP addresses.

The following Entities, Events and Objects are supported by Query for those data points. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website.

Entities:

  • Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
  • Username (mapped to user.name, user.uid, etc)
  • Hostname (mapped to src_endpoint.domain)
  • IP Address (mapped to src_endpoint.ip)

Events: For example, the analyst could obtain the following context:

  • Searching for a suspected Resource ID will show all API Activity to that resource ID that may indicate unauthorized access.
  • Searching for a suspected malicious IP address will show you if that IP address has accessed any of the public S3 resources for that AWS organization.

To integrate Amazon Security Lake, S3 Event Data Logs see integration documentation here.The integration will normalize data pulled from AWS WAFv2 into Query’s OCSF based QDM ( Query Data Model).

Originally published at https://www.query.ai on May 15, 2024.

--

--

Query
Query

Written by Query

1 Follower

Query is a federated search platform for security data providing expanded data visibility without centralization.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams