Description
Amazon Security Lake automatically centralizes all your security data with a few clicks.
This integration adds ExtraHop Detections as a custom security source for Security Lake. The ExtraHop sensor converts each Detection into an OCSF-formatted Security Finding event and POSTs it as JSON to a Lambda function URL; the Lambda function converts that payload into Apache Parquet and stores it in S3, where Security Lake reads it as a custom source.
Amazon Security Lake automatically centralizes security data from cloud, on-premises, and custom sources into a purpose-built data lake stored in your account. Security Lake makes it easier to analyze security data, so you can get a more complete understanding of your security across the entire organization and improve the protection of your workloads, applications, and data. Security Lake automatically gathers and manages all your security data across accounts and regions, and you can use your preferred analytics tools while retaining control and ownership of your security data.
Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open industry standard, making it easier to normalize and combine security data from AWS and a broad range of enterprise security data sources. Now, your analysts and engineers can get broad visibility to investigate and respond to security events and improve your security across the cloud and on-premises.
Architecture:
The following figure shows an example of ExtraHop Detection data in Security Lake S3 buckets, stored as the required parquet file format:
Figure 1. ExtraHop Detection data in Security Lake
The following figure shows an example of the monitoring dashboard, which displays client-side metrics for the security findings being sent into Security Lake:
Figure 2. Security Lake responses from ExtraHop POST requests
Bundle Contents
- (1) Trigger
  - Amazon Security Lake: Detections to OCSF
- (1) Dashboard
  - Amazon Security Lake Monitoring
Requirements
- You must have Reveal(x) Enterprise or 360, running firmware 9.1.2 or later
- You must have an ExtraHop user account that has Unlimited privileges or System Admin privileges for the console and/or packet sensors
- You must have Amazon Security Lake enabled
Configure AWS
1. Security Lake must be enabled in your AWS account. If it is not already set up, follow this guide and then return to these instructions: Getting started - Amazon Security Lake
2. Create a custom source in Security Lake for ExtraHop:
   a. Go to the Security Lake service from the AWS console
   b. Click Custom sources
   c. Click Create custom source
   d. Data source name: ExtraHop
   e. Event class: Security Finding
   f. Enter the Account ID that is authorized to write data to your data lake
   g. Create and use a new service role, or select an existing role if you have already configured one for the region you are configuring
   h. Click Create
3. Deploy the ExtraHop CloudFormation Template to the AWS account enabled with Security Lake:
   a. Template URL: https://s3.us-east-2.amazonaws.com/ct.s.extrahoplabs/CFT/SecurityLake.yml
   b. Go to the CloudFormation service in the AWS console
   c. Click Create stack, with new resources
   d. Copy & paste the S3 URL from Step 3a into the Amazon S3 URL template field, then click Next
   e. Type your desired name in the Stack name field
   f. Copy & paste the ARN of the Security Lake IAM role created by your Security Lake enablement in Step 1. This role trusts a Security Lake log provider to access the Security Lake, e.g. arn:aws:iam::123123123:role/AmazonSecurityLake-Provider-ExtraHop-us-east-1
   g. Copy & paste the S3 bucket name that Security Lake created for your region, e.g. aws-security-data-lake-us-east-1-r7mx5y9mwrzzzzz
   h. Click Next
   i. Click Next
   j. Check the box to acknowledge that the CFT will create IAM resources with custom names
   k. Click Submit
   l. Wait for the stack event CREATE_COMPLETE
   m. View the Outputs tab for the created stack
   n. Copy the FunctionUrl value; it is used in the later ExtraHop configuration steps
4. Create the IAM user, security credentials, and user policy:
   a. Go to Identity and Access Management in the AWS console
   b. Select Users
   c. Add a user
   d. Enter a user name (this guide uses eh-lambda-auth), then select Next
   e. Select Attach policies directly, then Create policy, then select JSON
   f. Use a policy like the example below, replacing the Resource with the ARN of the Lambda function created by the CloudFormation Template deployment, so that the access key can invoke only that function URL:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "<arn:aws:lambda:>"
       }
     ]
   }
   ```

   g. Enter a name for the policy, then select Create policy
   h. Select the newly created user in IAM in the AWS management console under Access Management, Users
   i. Select Security credentials, select Create access key, select Application running outside AWS, select Next, enter a descriptive tag such as extrahop-sensor-access-key, then select Create access key
   j. Securely note the access key ID and secret access key to use later when setting up the ExtraHop Open Data Stream
5. Create the resource-based policy statement so the IAM user credentials may invoke the ExtraHop Lambda function URL:
   a. Go to Lambda in the AWS console
   b. Select the ExtraHop Lambda function created by the CloudFormation Template
   c. Select Configuration, then select Add permissions in the Resource-based policy statements section
   d. Select Function URL, select AWS_IAM, enter a statement ID, and enter the ARN of the user created in Step 4 of the Configure AWS section
Configure ExtraHop Reveal(x)
Install the bundle
- Download the bundle on this page.
- Upload and apply the bundle.
Configure ODS targets
When installing this bundle on a Console, configure the open data stream (ODS) target on each console-connected packet sensor appliance that will forward Detection data to Security Lake:
- Log into the Admin UI on the packet sensor appliance.
- Configure an HTTP target for an open data stream with the following parameters:
  a. In the Name field, type securityLake.
  b. In the Host field, copy & paste the FunctionUrl from Configure AWS Step 3n.
  c. In the Port field, type 443.
  d. From the Type drop-down list, select HTTPS.
  e. From the Authentication drop-down list, select Amazon Web Services.
  f. Enter the Access key ID and Secret access key of the IAM user with permission to invoke the Lambda function URL.
  g. Enter lambda as the Service.
  h. Enter the region in which you deployed Security Lake.
The completed ODS target page should look similar to the following figure:
To test the ODS target and confirm that the sensor can reach the Lambda function URL and authenticate:
- Add an additional HTTP header: content-type: application/json
- Select POST as the method
- Paste the following text into the Options text box:

```json
{
"path": "/",
"payload": "{\"severity\":\"Medium\",\"activity_name\":\"Generate\",\"category_uid\":2,\"metadata\":{\"product\":{\"name\":\"Reveal(x)\",\"vendor_name\":\"ExtraHop\",\"lang\":\"en\",\"version\":\"9.1.2.1971\"},\"modified_time\":1678333899120,\"original_time\":\"1678333899120\",\"version\":\"1.0.0\"},\"category_name\":\"Findings\",\"end_time\":\"1678333899120\",\"finding\":{\"uid\":\"4294967321\",\"created_time\":1678333899379,\"src_url\":\"https://extrahop-bd.cloud.extrahop.com/extrahop/#/detections/detail/4294967321\",\"types\":\"external_ssh_new_device\",\"modified_time\":1678333899120,\"supporting_data\":\"{\\\"client_port\\\":43998,\\\"server_port\\\":2201}\",\"title\":\"New SSH Device\",\"first_seen_time\":1678333899120,\"desc\":\"[jump.i.rx.tours](#/metrics/devices/44522fe6bb834d83a3b0a142b7da750a.0e3332e223c10000/overview?from=1678333899&interval_type=DT&until=1678333899), which became active on your network less than 24 hours ago, established an SSH session with an external device.\"},\"message\":\"New SSH Device\",\"observables\":[{\"type_id\":1,\"name\":\"offender.39\",\"type\":\"Hostname\",\"value\":\"jump.i.rx.tours\"},{\"type_id\":2,\"name\":\"offender.39\",\"type\":\"IPAddress\",\"value\":\"10.1.88.201\"},{\"type_id\":3,\"name\":\"offender.39\",\"type\":\"MACAddress\",\"value\":\"0E:33:32:E2:23:C1\"},{\"type_id\":2,\"name\":\"victim.IPAddress\",\"type\":\"IPAddress\",\"value\":\"54.164.147.13\"}],\"attacks\":{\"tactics\":[{\"uid\":\"TA0001\",\"name\":\"Initial Access\",\"url\":\"https://attack.mitre.org/tactics/TA0001\"},{\"uid\":\"TA0008\",\"name\":\"Lateral Movement\",\"url\":\"https://attack.mitre.org/tactics/TA0008\"}],\"technique\":[{\"uid\":\"T1200\",\"name\":\"Hardware Additions\",\"url\":\"https://attack.mitre.org/techniques/T1200\"},{\"uid\":\"T1021\",\"name\":\"Remote Services\",\"url\":\"https://attack.mitre.org/techniques/T1021\"}],\"version\":\"v12\"},\"activity_id\":1,\"class_uid\":2001,\"state\":\"Unknown\",\"state_id\":0,\"time\":1678333899379,\"severity_id\":3,\"class_name\":\"Security Finding\",\"type_uid\":200101}"
}
```
- Click the Test button
- You should receive a 200 OK response; if you do not, your authentication or Security Lake is not set up correctly
- Click the Save button if the test succeeds; otherwise troubleshoot the permissions and setup issues
Configure the trigger
- In the Web UI on the Reveal(x) 360 Console, Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
- In the list of triggers, click Amazon Security Lake: Detections to OCSF
- In the right pane, click Edit Trigger Script
- In the left pane in the Options section, select the Enable trigger checkbox
- Ensure the CONSOLE_HOSTNAME variable value matches your ExtraHop Console URL for 360 or Enterprise (if deployed on a single sensor, set the variable to your sensor URL)
- Click Save, then click Done.
- ExtraHop Detections will now be converted into security findings and appear in Security Lake in real time
OCSF Schema Mapping
The table below shows how Detection properties are mapped from the ExtraHop format into the OCSF Security Finding class. Read more here: Open Cybersecurity Schema Framework
OCSF Key | OCSF Value Type | ExtraHop Trigger API Value |
---|---|---|
attacks | Array of Objects | Detection.mitreCategories |
finding.uid | String | Detection.id |
finding.title | String | Detection.title |
finding.created_time | Integer | eventTime |
finding.desc | String | Detection.description |
finding.first_seen_time | Integer | Detection.startTime |
finding.modified_time | Integer | Detection.updateTime |
finding.types | List of Strings | Detection.type |
finding.src_url | String | Console Host Name + Detection.id |
finding.supporting_data | String | Detection.properties |
state | String | Detection.status |
state_id | Integer | New: 1, In Progress: 2, Suppressed: 3, Resolved: 4, Unknown: 0 |
activity_id | Integer | New: 1, Ongoing: 2 |
category_uid | Integer | 2 |
category_name | String | “Findings” |
class_uid | Integer | 2001 |
class_name | String | “Security Finding” |
type_uid | Integer | New: 200101, Ongoing: 200102 |
time | String | Date.now() |
message | String | Detection.title |
metadata.original_time | String | Detection.startTime.toString() |
metadata.product.lang | String | “en” |
metadata.product.name | String | “Reveal(x)” |
metadata.product.version | String | System.version |
metadata.product.vendor_name | String | “ExtraHop” |
metadata.version | String | “1.0.0” |
metadata.modified_time | Integer | Detection.updateTime |
severity | String | Detection.riskScore |
severity_id | Integer | Detection.riskScore |
activity_name | String | “Generate” |
end_time | String | Detection.endTime |
observables | List of Objects | Detection.participants |
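As an added example (not the bundle's own trigger script), the mapping table above and the {path, payload} envelope used in the ODS test request, written in JavaScript, the language of ExtraHop triggers. Property names on the Detection object follow the ExtraHop Trigger API; the status-to-state keys, the risk-score-to-severity thresholds and the rule for New versus Ongoing are assumptions.

```javascript
// Added example, not the bundle's trigger script: build the OCSF Security
// Finding for an ExtraHop Detection per the mapping table, then wrap it in
// the {path, payload} envelope the ODS target sends to the Lambda URL.
// Assumed Detection.status keys; anything else maps to Unknown / 0.
const STATE_IDS = { new: ['New', 1], in_progress: ['In Progress', 2],
                    suppressed: ['Suppressed', 3], resolved: ['Resolved', 4] };

// Assumed thresholds over the 1-99 risk score; severity_id values are OCSF's.
function severityFromRisk(riskScore) {
  if (riskScore >= 80) return ['Critical', 5];
  if (riskScore >= 60) return ['High', 4];
  if (riskScore >= 30) return ['Medium', 3];
  if (riskScore > 0) return ['Low', 2];
  return ['Informational', 1];
}

function detectionToOcsf(det, consoleHostname, systemVersion, now = Date.now()) {
  // Assumed: a detection is Ongoing once updateTime has moved past startTime.
  const ongoing = det.updateTime > det.startTime;
  const [state, state_id] = STATE_IDS[det.status] || ['Unknown', 0];
  const [severity, severity_id] = severityFromRisk(det.riskScore);
  return {
    activity_id: ongoing ? 2 : 1, activity_name: 'Generate',
    category_uid: 2, category_name: 'Findings',
    class_uid: 2001, class_name: 'Security Finding',
    type_uid: ongoing ? 200102 : 200101,
    time: now, end_time: String(det.endTime), message: det.title,
    severity, severity_id, state, state_id,
    attacks: det.mitreCategories,
    observables: det.participants, // passed through; the bundle reshapes these
    finding: {
      uid: String(det.id), title: det.title, desc: det.description,
      created_time: now, first_seen_time: det.startTime,
      modified_time: det.updateTime, types: [det.type],
      src_url: `https://${consoleHostname}/extrahop/#/detections/detail/${det.id}`,
      supporting_data: JSON.stringify(det.properties),
    },
    metadata: {
      version: '1.0.0', modified_time: det.updateTime,
      original_time: String(det.startTime),
      product: { name: 'Reveal(x)', vendor_name: 'ExtraHop', lang: 'en', version: systemVersion },
    },
  };
}

// Same shape as the ODS test request: the finding rides as a JSON string in `payload`.
function buildOdsRequest(finding) {
  return { path: '/', payload: JSON.stringify(finding) };
}
```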
Download Latest Bundle:
March-23-2023: Initial Release
Amazon Security Lake_ Detections to OCSF.json (113.4 KB)