Amazon security lake source integration #204

Open
havidarou opened this issue Apr 12, 2024 · 0 comments
havidarou commented Apr 12, 2024

Description

We want to move the third-party integration materials to the indexer repository, including the courtesy dashboards generated for them. This will allow us to manage these integrations from the source of the events.

We think wazuh-indexer is the appropriate place for these integrations, as the event source will be wazuh-indexer in most cases. Also, for 5.0 we might remove the support for the integrations which use the manager as the event source.

We want to create a new integration for Amazon Security Lake which should be released in 4.9.0. This will be a source type integration, following the AWS notation for the integrations, as we already did an integration of the subscriber type in wazuh/wazuh#16362.

Functional requirements

  • As a user, I can integrate Wazuh with AWS Security Lake as a source.
  • As a user, I can explore Wazuh events from the AWS Security Lake recommended tools (security lake queries, etc.).
  • As a user, I can search the AWS marketplace for source integrations and find Wazuh.
  • As a user, I have access to a guide on how to integrate Wazuh with Security Lake as a source.

Non-functional requirements

  • Our integration complies with all the AWS requirements as stated in their documentation.
  • Our integrations will map only essential fields from Wazuh to OCSF.

Implementation restrictions

Plan

  • Update and move current integrations to wazuh-indexer
  • Study existing third-party integrations for Amazon Security Lake.
  • Create a new study focused on source-type integrations only.
    • Study requirements for Wazuh integration as a source.
    • Study good practices and optimization tips.
  • Represent security events in OCSF.
  • Decode OCSF events using Apache Parquet format.
  • Implement integration.
  • Test integration.
  • Technical documentation and user manual.
  • E2E UX test. @wazuh/qa

Issues

Approved by

DRI name: @AlexRuiz7
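The plan above (represent Wazuh alerts in OCSF with only essential fields, then hand them to Security Lake as Parquet) can be sketched as follows. This is an added example written for this page, not code from wazuh-indexer or from the Wazuh integration referenced in the issue. The sample alert is constructed, the choice of "essential" fields, the severity thresholds, the finding `uid` scheme and the product version string are assumptions, and the Parquet writer imports `pyarrow` lazily so the mapping itself runs with the standard library only.

```python
"""Map a Wazuh alert document to an OCSF Detection Finding (class_uid 2004).

Added example, not project code. Field selection, severity thresholds and the
uid scheme are assumptions made for illustration.
"""
import json
from datetime import datetime

# Constructed sample in the shape of a wazuh-alerts-* document (assumption).
SAMPLE_ALERT = {
    "timestamp": "2024-04-12T10:15:30.123+0000",
    "agent": {"id": "001", "name": "web-01", "ip": "10.0.0.5"},
    "rule": {
        "id": "5710",
        "level": 5,
        "description": "sshd: Attempt to login using a non-existent user",
        "mitre": {"id": ["T1110"], "technique": ["Brute Force"]},
        "groups": ["syslog", "sshd", "authentication_failed"],
    },
    "data": {"srcip": "203.0.113.7", "srcuser": "admin"},
    "full_log": "Apr 12 10:15:30 web-01 sshd[1234]: Invalid user admin from 203.0.113.7 port 51234",
}

# OCSF 1.1.0 constants for the Detection Finding class.
CLASS_UID = 2004       # Detection Finding
CATEGORY_UID = 2       # Findings
ACTIVITY_CREATE = 1    # activity_id: Create
OCSF_VERSION = "1.1.0"

# Attributes the Detection Finding class marks as required.
REQUIRED = ("activity_id", "category_uid", "class_uid", "finding_info",
            "metadata", "severity_id", "time", "type_uid")


def wazuh_level_to_severity_id(level: int) -> int:
    """Collapse the 0-15 Wazuh rule level onto OCSF severity_id (assumed thresholds)."""
    if level <= 2:
        return 1   # Informational
    if level <= 5:
        return 2   # Low
    if level <= 9:
        return 3   # Medium
    if level <= 12:
        return 4   # High
    return 5       # Critical


def wazuh_timestamp_to_epoch_ms(ts: str) -> int:
    """OCSF `time` is epoch milliseconds; Wazuh emits ISO 8601 with a numeric offset."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp() * 1000)


def to_detection_finding(alert: dict) -> dict:
    """Keep only the fields needed to satisfy the class; park the rest under `unmapped`."""
    rule, agent = alert["rule"], alert["agent"]
    mitre = rule.get("mitre", {})
    return {
        "activity_id": ACTIVITY_CREATE,
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "type_uid": CLASS_UID * 100 + ACTIVITY_CREATE,   # OCSF convention: 200401
        "time": wazuh_timestamp_to_epoch_ms(alert["timestamp"]),
        "severity_id": wazuh_level_to_severity_id(rule["level"]),
        "message": rule["description"],
        "metadata": {
            "version": OCSF_VERSION,
            "product": {"name": "Wazuh", "vendor_name": "Wazuh, Inc.", "version": "4.9.0"},
        },
        "finding_info": {
            "title": rule["description"],
            "uid": f"{agent['id']}-{rule['id']}-{alert['timestamp']}",  # assumed scheme
            "analytic": {"type_id": 1, "name": rule["id"]},             # type_id 1 = Rule
            "attacks": [
                {"technique": {"uid": uid, "name": name}}
                for uid, name in zip(mitre.get("id", []), mitre.get("technique", []))
            ],
        },
        "resources": [{"name": agent["name"], "uid": agent["id"], "type": "wazuh-agent"}],
        "raw_data": alert.get("full_log"),
        "unmapped": {"rule.groups": rule.get("groups", []), "data": alert.get("data", {})},
    }


def missing_required(finding: dict) -> list:
    """Return the required Detection Finding attributes the mapped event lacks."""
    return [name for name in REQUIRED if name not in finding]


def write_parquet(findings: list, path: str) -> None:
    """Security Lake ingests OCSF rows as Parquet; pyarrow is only needed here."""
    import pyarrow as pa
    import pyarrow.parquet as pq
    pq.write_table(pa.Table.from_pylist(findings), path, compression="zstd")


if __name__ == "__main__":
    finding = to_detection_finding(SAMPLE_ALERT)
    if missing_required(finding):
        raise SystemExit(f"incomplete finding: {missing_required(finding)}")
    print(json.dumps(finding, indent=2))
```

The `unmapped` object is where non-essential Wazuh fields go when the OCSF class has no attribute for them, which keeps the mapped part of the record small while losing nothing; a batch of these dictionaries can then be passed to `write_parquet` and uploaded to the source's Security Lake bucket.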
