Amazon security lake source integration

[havidarou]

Description

We want to move the 3rd party integrations materials to the indexer repository, including the courtesy dashboards generated for them. This will allow us to manage these integrations from the source of the events.

We think wazuh-indexer is the appropriate place for these integrations, as the event source will be wazuh-indexer in most cases. Also, for 5.0 we might remove the support for the integrations which use the manager as the event source.

We want to create a new integration for Amazon Security Lake which should be released in 4.9.0. This will be a source type integration, following the AWS notation for the integrations, as we already did an integration of the subscriber type in https://github.com/wazuh/wazuh/issues/16362.

Functional requirements

• As a user, I can integrate Wazuh with AWS Security Lake as a source.
• As a user, I can explore Wazuh events from the AWS Security Lake recommended tools (security lake queries, etc.).
• As a user, I can search the AWS marketplace for source integrations and find Wazuh.
• As a user, I have access to a guide on how to integrate Wazuh with Security Lake as a source.

Non-functional requirements

• Our integration complies with all the AWS requirements as stated in their documentation.
• Our integrations will map only essential fields from Wazuh to OCFS.

Implementation restrictions

• We want to implement this integration using Logstash.
• We can use AWS lambda to transform output to parquet, or develop a parquet codec.
• For technical details that may be of use, please refer to this other issue: https://github.com/wazuh/wazuh/issues/16362.

Plan

• Update and move current integrations to wazuh-indexer
• Study existing third-party integrations for Amazon Security Lake.
  • Existing study https://github.com/wazuh/wazuh/issues/16335
• Create a new study focused on source-type integrations only.
  • Study requirements for Wazuh integration as a source.
  • Study good practices and optimization tips.
• Represent security events in OCSF.
• Decode OCSF events using Apache Parquet format.
• Implement integration.
• Test integration.
• Technical documentation and user manual.
• E2E UX test. @wazuh/qa

Issues

• [x] https://github.com/wazuh/internal-devel-requests/issues/697
• [x] https://github.com/wazuh/wazuh-indexer/issues/128
• [x] https://github.com/wazuh/internal-devel-requests/issues/699
• [x] https://github.com/wazuh/internal-devel-requests/issues/692
• [ ] https://github.com/wazuh/wazuh-documentation/issues/7303
• [x] #223

Approved by

DRI name: @AlexRuiz7