Closed AlexRuiz7 closed 2 months ago
I tried to create a Custom Source using the AWS CLI.
Below is the AWS CLI command used. Note that the values for the `roleArn`, `externalId` and `principal` configurations need to be replaced accordingly, as per Prerequisites to adding a custom source.
```shell
# Create the custom source; replace the roleArn, externalId and principal values
aws securitylake create-custom-log-source \
--source-name Wazuh \
--event-classes '["DETECTION_FINDING"]' \
--configuration crawlerConfiguration={"roleArn=arn:aws:iam::XXX:role/service-role/RoleName"},providerIdentity={"externalId=ExternalId,principal=principal"} \
--region us-west-1
```
According to the AWS CLI docs, the Detection Finding class is not supported by Amazon Security Lake.
Description
Related issue: #128
To integrate Wazuh with Amazon Security Lake, we have chosen the OCSF's Detection Finding class to map Wazuh's security events. This class is included in OCSF v1.1.0. Although ASL supports this version of OCSF, the class is not included in the form to create the Custom Source. This has been reported to Amazon, but at the time of creation of this issue, it's still not clear whether the form is updated to OCSF v1.1.0, or even if Amazon Security Lake is.
We need to investigate if it is possible to create a Custom Source for ASL using the AWS CLI.