AWS Security Lake

Description

Amazon Security Lake automatically centralizes all your security data with a few clicks.

This integration adds ExtraHop Detections as a custom security source for Security Lake. The ExtraHop trigger converts each Detection into an OCSF-formatted security finding event and POSTs it as JSON to a Lambda function URL; the Lambda function accepts the POST from the ExtraHop sensors, converts the payload into Apache Parquet, and stores it in S3 as a custom source for Security Lake.

Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account. Security Lake makes it easier to analyze security data, so you can get a more complete understanding of your security across the entire organization and improve the protection of your workloads, applications, and data. Security Lake automatically gathers and manages all your security data across accounts and regions, and you can use your preferred analytics tools while retaining control and ownership of your security data.

Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open industry standard, making it easier to normalize and combine security data from AWS and a broad range of enterprise security data sources. Now, your analysts and engineers can get broad visibility to investigate and respond to security events and improve your security across the cloud and on-premises.

Architecture:

The following figure shows an example of ExtraHop Detection data in Security Lake S3 buckets, stored as the required parquet file format:


Figure 1. ExtraHop Detection data in Security Lake

The following figure shows an example of the monitoring dashboard to view client side metrics for the security findings being sent into Security Lake:


Figure 2. Security Lake responses from ExtraHop POST requests

Bundle Contents

  • (1) Trigger
    • Amazon Security Lake: Detections to OCSF
  • (1) Dashboard
    • Amazon Security Lake Monitoring

Requirements

  • You must have Reveal(x) Enterprise or 360, running firmware 9.1.2 or later
  • You must have an ExtraHop user account that has Unlimited privileges or System Admin privileges for the console and/or packet sensors
  • You must have Amazon Security Lake enabled

Configure AWS

  1. Security Lake must be enabled in your AWS account. If it is not already set up, follow this guide and then return to these instructions: Getting started - Amazon Security Lake
  2. Create a custom source in Security Lake for ExtraHop
    a. Go to Security Lake service from AWS console
    b. Click Custom sources
    c. Click Create custom source
    d. Data source name: ExtraHop
    e. Event class: Security Finding
    f. Enter the Account ID that is authorized to write data to your data lake
    g. Create and use a new service role, or select an existing role, if you have already configured a role for the region you’re configuring
    h. Click Create
  3. Deploy the ExtraHop CloudFormation template to the AWS account where Security Lake is enabled
    a. https://s3.us-east-2.amazonaws.com/ct.s.extrahoplabs/CFT/SecurityLake.yml
    b. Go to CloudFormation service in AWS console
    c. Click Create stack, with new resources
    d. Copy & paste the S3 URL from Step 3a into the Amazon S3 URL template, click next
    e. Type your desired name for the Stack name
    f. Copy & paste the ARN of the Security Lake IAM role created when you enabled Security Lake in Step 1. This role trusts a Security Lake log provider to access the Security Lake, e.g. arn:aws:iam::123123123:role/AmazonSecurityLake-Provider-ExtraHop-us-east-1
    g. Copy & paste the S3 bucket name that Security Lake created for your region, e.g. aws-security-data-lake-us-east-1-r7mx5y9mwrzzzzz
    h. Click next
    i. Click next
    j. Click to acknowledge the CFT will create IAM resources with custom names
    k. Click submit
    l. Wait for the stack event CREATE_COMPLETE
    m. View Outputs for the created stack
    n. Copy the FunctionUrl value, to be used for the later ExtraHop configuration steps
  4. Create the IAM User, Security Credentials, and user policy
    a. Go to Identity and Access Management in AWS console
    b. Select Users
    c. Add a User
    d. Enter a user name, we will use eh-lambda-auth, select Next
    e. Select Attach policies directly, create policy, select JSON
    f. Use a policy like the example below, replacing the resource with the ARN of the Lambda function URL created by the CloudFormation template deployment
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "lambda:InvokeFunctionUrl",
          "Resource": "<arn:aws:lambda:>"
        }
      ]
    }
    g. Enter a name for the policy, then select Create policy
    h. Select the newly created user in IAM in AWS management console under Access Management, Users
    i. Select Security Credentials, select Create access key, select Application running outside AWS, select next, enter a descriptive tag like extrahop-sensor-access-key, select create access key
    j. Securely note the access id and access key to use later when setting up the ExtraHop Open Data Streams
  5. Create the resource-based policy statement so the IAM user credentials may invoke the ExtraHop Lambda function URL
    a. Go to Lambda in the AWS console
    b. Select the ExtraHop Lambda function created by the CloudFormation template
    c. Select Configuration, then select Add permissions in the Resource-based policy statements section
    d. Select Function URL, select AWS_IAM, enter a statement ID, and enter the ARN of the user created in Step 4 of the Configure AWS section

Configure ExtraHop Reveal(x)

Install the bundle

  1. Download the bundle on this page.
  2. Upload and apply the bundle.

Configure ODS targets

When installing this bundle on a console, configure the open data stream (ODS) target on each console-connected packet sensor that will forward Detection data to Security Lake:

  1. Log into the Admin UI on the packet sensor appliance.
  2. Configure an HTTP target for an open data stream with the following parameters:
    a. In the Name field, type securityLake.
    b. In the Host field, copy & paste the FunctionUrl from Configure AWS Step 3.n
    c. In the Port field, type in 443
    d. From the Type drop-down list, select HTTPS.
    e. From the Authentication drop-down list, select Amazon Web Services.
    f. Enter the Access key ID and Secret access key of the IAM user with permission to invoke the Lambda function URL.
    g. In the Service field, type lambda.
    h. In the Region field, type the region where you deployed Security Lake.

The completed ODS target page should look similar to the following figure:

To test the ODS target and confirm that your sensor can reach the Lambda function URL and authenticate correctly:

  1. Add the additional HTTP header content-type: application/json
  2. Select POST as the method
  3. Paste the text below into the Options text box
{
  "path": "/",
  "payload": "{\"severity\":\"Medium\",\"activity_name\":\"Generate\",\"category_uid\":2,\"metadata\":{\"product\":{\"name\":\"Reveal(x)\",\"vendor_name\":\"ExtraHop\",\"lang\":\"en\",\"version\":\"9.1.2.1971\"},\"modified_time\":1678333899120,\"original_time\":\"1678333899120\",\"version\":\"1.0.0\"},\"category_name\":\"Findings\",\"end_time\":\"1678333899120\",\"finding\":{\"uid\":\"4294967321\",\"created_time\":1678333899379,\"src_url\":\"https://extrahop-bd.cloud.extrahop.com/extrahop/#/detections/detail/4294967321\",\"types\":\"external_ssh_new_device\",\"modified_time\":1678333899120,\"supporting_data\":\"{\\\"client_port\\\":43998,\\\"server_port\\\":2201}\",\"title\":\"New SSH Device\",\"first_seen_time\":1678333899120,\"desc\":\"[jump.i.rx.tours](#/metrics/devices/44522fe6bb834d83a3b0a142b7da750a.0e3332e223c10000/overview?from=1678333899&interval_type=DT&until=1678333899), which became active on your network less than 24 hours ago, established an SSH session with an external device.\"},\"message\":\"New SSH Device\",\"observables\":[{\"type_id\":1,\"name\":\"offender.39\",\"type\":\"Hostname\",\"value\":\"jump.i.rx.tours\"},{\"type_id\":2,\"name\":\"offender.39\",\"type\":\"IPAddress\",\"value\":\"10.1.88.201\"},{\"type_id\":3,\"name\":\"offender.39\",\"type\":\"MACAddress\",\"value\":\"0E:33:32:E2:23:C1\"},{\"type_id\":2,\"name\":\"victim.IPAddress\",\"type\":\"IPAddress\",\"value\":\"54.164.147.13\"}],\"attacks\":{\"tactics\":[{\"uid\":\"TA0001\",\"name\":\"Initial Access\",\"url\":\"https://attack.mitre.org/tactics/TA0001\"},{\"uid\":\"TA0008\",\"name\":\"Lateral Movement\",\"url\":\"https://attack.mitre.org/tactics/TA0008\"}],\"technique\":[{\"uid\":\"T1200\",\"name\":\"Hardware Additions\",\"url\":\"https://attack.mitre.org/techniques/T1200\"},{\"uid\":\"T1021\",\"name\":\"Remote Services\",\"url\":\"https://attack.mitre.org/techniques/T1021\"}],\"version\":\"v12\"},\"activity_id\":1,\"class_uid\":2001,\"state\":\"Unknown\",\"state_id\":0,\"time\":1678333899379,\"severity_id\":3,\"class_name\":\"Security Finding\",\"type_uid\":200101}"
}
  4. Click the Test button
  5. You should receive a 200 OK message; if you do not, your authentication or Security Lake is not set up correctly
  6. Click the Save button if the test succeeds; otherwise troubleshoot the permissions and setup issues

Configure the trigger

  1. In the Web UI on the Reveal(x) 360 Console, Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
  2. In the list of triggers, click Amazon Security Lake: Detections to OCSF
  3. In the right pane, click Edit Trigger Script
  4. In the left pane in the Options section, select the Enable trigger checkbox
  5. Ensure CONSOLE_HOSTNAME variable value matches your ExtraHop Console URL for 360, or Enterprise. (If deployed on a single sensor, have the variable match your sensor URL)
  6. Click Save, then click Done.
  7. ExtraHop Detections will now be converted into security findings and appear in Security Lake in real time

OCSF Schema Mapping

The table below shows how Detection properties are mapped from the ExtraHop Trigger API into the OCSF Security Finding class. Read more here: Open Cybersecurity Schema Framework

| OCSF Key | OCSF Value Type | ExtraHop Trigger API Value |
|---|---|---|
| attacks | Array of Objects | Detection.mitreCategories |
| finding.uid | String | Detection.id |
| finding.title | String | Detection.title |
| finding.created_time | Integer | eventTime |
| finding.desc | String | Detection.description |
| finding.first_seen_time | Integer | Detection.startTime |
| finding.modified_time | Integer | Detection.updateTime |
| finding.types | List of Strings | Detection.type |
| finding.src_url | String | Console Host Name + Detection.id |
| finding.supporting_data | String | Detection.properties |
| state | String | Detection.status |
| state_id | Integer | New: 1, In Progress: 2, Suppressed: 3, Resolved: 4, Unknown: 0 |
| activity_id | Integer | New: 1, Ongoing: 2 |
| category_uid | Integer | 2 |
| category_name | String | "Findings" |
| class_uid | Integer | 2001 |
| class_name | String | "Security Finding" |
| type_uid | Integer | New: 200101, Ongoing: 200102 |
| time | String | Date.now() |
| message | String | Detection.title |
| metadata.original_time | String | Detection.startTime.toString() |
| metadata.product.lang | String | "en" |
| metadata.product.name | String | "Reveal(x)" |
| metadata.product.version | String | System.version |
| metadata.product.vendor_name | String | "ExtraHop" |
| metadata.version | String | "1.0.0" |
| metadata.modified_time | Integer | Detection.updateTime |
| severity | String | Detection.riskScore |
| severity_id | Integer | Detection.riskScore |
| activity_name | String | "Generate" |
| end_time | String | Detection.endTime |
| observables | List of Objects | Detection.participants |
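As an added example (not the bundle's own trigger or Lambda code), the mapping table above and the ODS test body shape carried through in Python: `detection_to_ocsf` builds the Security Finding from a Detection stand-in dict, `ods_body` wraps it the way the Options text box does, and `unwrap_ods_body` is a receiver-side check a Lambda could run before converting to Parquet. The riskScore-to-severity bands and the use of plain dict keys named after the Trigger API fields are assumptions; the src_url path follows the sample payload shown in the ODS test.

```python
import json

# Code tables from the bundle's OCSF mapping table (unlisted state -> Unknown: 0).
STATE_ID = {"New": 1, "In Progress": 2, "Suppressed": 3, "Resolved": 4}
ACTIVITY_ID = {"New": 1, "Ongoing": 2}
CLASS_UID, CATEGORY_UID = 2001, 2  # OCSF Security Finding / Findings category
# riskScore -> severity bands are this example's assumption; the page only says both derive from riskScore.
SEVERITY = ((29, "Low", 2), (59, "Medium", 3), (79, "High", 4), (99, "Critical", 5))


def detection_to_ocsf(d, activity, console_host, now_ms, system_version):
    """Map one Detection (a plain dict standing in for the Trigger API object,
    keys named as in the mapping table) to the OCSF Security Finding."""
    sev, sev_id = next(((n, s) for top, n, s in SEVERITY if d["riskScore"] <= top), ("Unknown", 0))
    activity_id = ACTIVITY_ID[activity]
    return {
        "activity_name": "Generate", "activity_id": activity_id,
        "type_uid": CLASS_UID * 100 + activity_id,  # 200101 New / 200102 Ongoing
        "category_uid": CATEGORY_UID, "category_name": "Findings",
        "class_uid": CLASS_UID, "class_name": "Security Finding",
        "severity": sev, "severity_id": sev_id,
        "state": d["status"], "state_id": STATE_ID.get(d["status"], 0),
        "time": now_ms, "end_time": str(d["endTime"]), "message": d["title"],
        "attacks": d["mitreCategories"], "observables": d["participants"],
        "finding": {
            "uid": str(d["id"]), "title": d["title"], "desc": d["description"],
            "types": d["type"], "created_time": now_ms,
            "first_seen_time": d["startTime"], "modified_time": d["updateTime"],
            "src_url": f"{console_host}/extrahop/#/detections/detail/{d['id']}",
            "supporting_data": json.dumps(d["properties"], separators=(",", ":")),
        },
        "metadata": {
            "version": "1.0.0", "modified_time": d["updateTime"],
            "original_time": str(d["startTime"]),
            "product": {"name": "Reveal(x)", "vendor_name": "ExtraHop",
                        "lang": "en", "version": system_version},
        },
    }


def ods_body(finding):
    # Same shape as the ODS test Options: outer JSON with the finding as an escaped string.
    return json.dumps({"path": "/", "payload": json.dumps(finding)})


def unwrap_ods_body(raw):
    """Receiver-side check: unwrap the stringified payload, reject findings that break OCSF invariants."""
    finding = json.loads(json.loads(raw)["payload"])
    if finding.get("class_uid") != CLASS_UID:
        raise ValueError("not an OCSF Security Finding (class_uid 2001)")
    if finding.get("type_uid") != CLASS_UID * 100 + finding.get("activity_id", -1):
        raise ValueError("type_uid does not equal class_uid * 100 + activity_id")
    return finding
```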

Download Latest Bundle:

March-23-2023: Initial Release
Amazon Security Lake_ Detections to OCSF.json (113.4 KB)
