wazuh / wazuh-indexer

Wazuh indexer, the Wazuh search engine
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

Amazon Security Lake integration - Create _Custom Source_ #213

Closed AlexRuiz7 closed 2 months ago

AlexRuiz7 commented 2 months ago

Description

Related issue: #128

To integrate Wazuh with Amazon Security Lake, we have chosen the OCSF's Detection Finding class to map Wazuh's security events. This class is included in OCSF v1.1.0. Although ASL supports this version of OCSF, the class is not included in the form to create the Custom Source. This has been reported to Amazon, but at the time of creation of this issue, it's still not clear whether the form is updated to OCSF v1.1.0, or even if Amazon Security Lake is.

We need to investigate if it is possible to create a Custom Source for ASL using the AWS CLI.

AlexRuiz7 commented 2 months ago

Installed AWS CLI as per the instructions in:

AlexRuiz7 commented 2 months ago

I tried to create a Custom Source using the AWS CLI.

Below is the AWS CLI command used. Note that the values for roleArn, externalId and principal configurations need to be replaced accordingly, as per Prerequisites to adding a custom source.

aws securitylake create-custom-log-source \
    --source-name Wazuh \
    --event-classes '["DETECTION_FINDING"]' \
    --configuration 'crawlerConfiguration={roleArn=arn:aws:iam::XXX:role/service-role/RoleName},providerIdentity={externalId=ExternalId,principal=principal}' \
    --region us-west-1

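
The command above hands every value straight to the API, so a mistyped role ARN or an event class that Security Lake does not accept only surfaces as an API error. As an added example (not code from the issue or from the wazuh-indexer project), the script below builds the same request as JSON for `--cli-input-json` and validates the fields locally first. It assumes the request shape used by the CLI command in the issue (sourceName, eventClasses, configuration.crawlerConfiguration.roleArn, configuration.providerIdentity.externalId/principal), and it assumes that `principal` is the 12-digit AWS account id of the source; the list of accepted event classes is supplied by the caller from the current AWS docs, and the sample values below are constructed placeholders.

```python
import json
import re

# Added example, not part of the wazuh-indexer issue: builds and validates the
# JSON input for `aws securitylake create-custom-log-source --cli-input-json`.
# Field names follow the CLI command quoted in the issue.

# IAM role ARN: 12-digit account id, then a role path/name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Assumption: providerIdentity.principal is the 12-digit AWS account id of the
# custom source.
PRINCIPAL_RE = re.compile(r"^\d{12}$")
SOURCE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def build_custom_source_request(source_name, event_classes, role_arn,
                                external_id, principal, allowed_classes):
    """Return the request dict, or raise ValueError naming the first field
    the API would reject. `allowed_classes` is the set of OCSF event classes
    Security Lake accepts (taken from the AWS CLI docs by the caller), so an
    unsupported class such as DETECTION_FINDING is caught before any call."""
    if not SOURCE_NAME_RE.match(source_name):
        raise ValueError(f"invalid sourceName: {source_name!r}")
    if not event_classes:
        raise ValueError("eventClasses must not be empty")
    unsupported = sorted(set(event_classes) - set(allowed_classes))
    if unsupported:
        raise ValueError(f"unsupported eventClasses: {unsupported}")
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"invalid crawlerConfiguration.roleArn: {role_arn!r}")
    if not external_id:
        raise ValueError("providerIdentity.externalId must not be empty")
    if not PRINCIPAL_RE.match(principal):
        raise ValueError(f"invalid providerIdentity.principal: {principal!r}")
    return {
        "sourceName": source_name,
        "eventClasses": list(event_classes),
        "configuration": {
            "crawlerConfiguration": {"roleArn": role_arn},
            "providerIdentity": {"externalId": external_id,
                                 "principal": principal},
        },
    }


def to_cli_input_json(request):
    """Serialise the request for `--cli-input-json file://request.json`."""
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    # Constructed sample values: the ARN, ids and the allowed-class set are
    # placeholders, not real resources or the authoritative AWS list.
    allowed = {"SECURITY_FINDING", "DNS_ACTIVITY", "NETWORK_ACTIVITY"}
    role = "arn:aws:iam::111122223333:role/service-role/RoleName"
    try:
        build_custom_source_request("Wazuh", ["DETECTION_FINDING"], role,
                                    "ExternalId", "111122223333", allowed)
    except ValueError as err:
        print("rejected:", err)
    ok = build_custom_source_request("Wazuh", ["SECURITY_FINDING"], role,
                                     "ExternalId", "111122223333", allowed)
    print(to_cli_input_json(ok))
```

Write the output to a file and pass it with `--cli-input-json file://request.json`; checking the class list locally gives the same answer as the API rejection, but without an IAM role and account in the loop.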
AlexRuiz7 commented 2 months ago

According to the AWS CLI docs, the Detection Finding class is not supported by Amazon Security Lake.