Preview: Amazon Security Lake – A Purpose-Built Customer-Owned Data Lake Service

The Overseas Selection collects high-quality technical content about Amazon Web Services from around the world. "AWS" in this content is an abbreviation of "Amazon Web Services" and is not displayed as a trademark on this site.
To identify potential security threats and vulnerabilities, customers should enable logging across their various resources and centralize these logs for easy access and use within analytics tools. Some of these data sources include logs from on-premises infrastructure, firewalls, and endpoint security solutions, and when utilizing the cloud, services such as [Amazon Route 53](https://aws.amazon.com/route53), [AWS CloudTrail](https://aws.amazon.com/cloudtrail), and [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc) ([Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail)).

The [Amazon Simple Storage Service](https://aws.amazon.com/s3) ([Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail)) and [AWS Lake Formation](https://aws.amazon.com/lakeformation) simplify the creation and management of a [data lake on AWS](https://aws.amazon.com/big-data/datalakes-and-analytics/what-is-a-data-lake/). But some customers' security teams still struggle to define and implement security domain-specific aspects, such as data normalization, which requires them to analyze each log source's structure and fields, define schemas and mappings, and pull in data enrichment such as threat intelligence.

Today we are announcing the preview release of **[Amazon Security Lake](https://aws.amazon.com/security-lake/)**, a purpose-built service that automatically centralizes an organization's security data from cloud and on-premises sources into a purpose-built data lake stored in your account.
[Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail) automates the central management of security data: it normalizes data from integrated AWS services and third-party services, manages the lifecycle of that data with customizable retention, and automates storage tiering.

![image.png](https://dev-media.amazoncloud.cn/2fdfad92f49344029c9d10b22786525d_image.png)

Here are the key features of [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail):

- **Variety of supported log and event sources** – During the preview, [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail) automatically collects logs for [AWS CloudTrail](https://aws.amazon.com/cn/cloudtrail/?trk=cndc-detail), [Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail), [Amazon Route 53](https://aws.amazon.com/cn/route53/?trk=cndc-detail), [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail), and [AWS Lambda](https://aws.amazon.com/lambda), as well as security findings via [AWS Security Hub](https://aws.amazon.com/security-hub/) for [AWS Config](https://aws.amazon.com/config), [AWS Firewall Manager](https://aws.amazon.com/firewall-manager/), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), [AWS Health Dashboard](https://health.aws.amazon.com/), [AWS IAM Access Analyzer](https://aws.amazon.com/iam/features/analyze-access/), [Amazon Inspector](https://aws.amazon.com/inspector/), [Amazon Macie](https://aws.amazon.com/macie/), and [AWS Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html). Additionally, over 50 sources of third-party security findings can be sent to [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail).
  Security partners such as Cisco Security, CrowdStrike, Palo Alto Networks, and more also send data directly to [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail) in a standard schema, the [Open Cybersecurity Schema Framework](https://github.com/ocsf) (OCSF) format.

- **Data transformation and normalization** – Security Lake automatically partitions and converts incoming log data to the storage- and query-efficient [Apache Parquet](https://parquet.apache.org/) format in the OCSF schema, making the data broadly and immediately usable for security analytics without the need for post-processing. Security Lake supports integrations with analytics partners such as IBM, Splunk, Sumo Logic, and more to address a variety of security use cases such as threat detection, investigation, and incident response.

- **Customizable data access levels** – You can configure the level of access for subscribers consuming data stored in Security Lake, such as notifying a subscriber of all new objects from specific data sources or letting it query the stored data directly. You can also specify a rollup Region in which the Security Lake is available and multiple AWS accounts across your [AWS Organizations](https://aws.amazon.com/organizations). This can help you comply with data residency requirements.

By reducing the operational overhead of security data management, you can make it easier to gather more security signals from across your organization and analyze that data to improve the protection of your data, applications, and workloads.

### Configure Your Security Lake for Data Collection

To get started with [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail), choose Get started in the AWS console.
You can enable log and event sources for all Regions and all accounts.

![image.png](https://dev-media.amazoncloud.cn/1772b9f5864645e4825a94f1bdc5c86d_image.png)

You can select log and event sources such as CloudTrail logs, VPC flow logs, and Route 53 resolver logs to be collected into your data lake. The selected Regions contribute their data to your data lake using [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail)-managed encryption, in which [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail) creates and manages all encryption keys; you also choose the specific AWS accounts in your organization that contribute.

![image.png](https://dev-media.amazoncloud.cn/c2caab868ed8435ab8254275c0e33d77_image.png)

Next, you can select rollup and contributing Regions. All aggregated data from contributing Regions resides in the rollup Region. You can create multiple rollup Regions, which can help you comply with data residency requirements. Optionally, you can define the [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail) storage classes and the retention period after which data transitions out of the standard [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail) storage class used by Security Lake.

![image.png](https://dev-media.amazoncloud.cn/50c6a7f1e59d4ab5898b84daeca09991_image.png)

After the initial configuration, choose **Sources** in the left pane of the console to add or remove log sources in your Regions or accounts.

![image.png](https://dev-media.amazoncloud.cn/4be0d5162ffc4b4397888ec27844df11_image.png)

You can also collect data from custom sources, such as BIND DNS logs, endpoint telemetry logs, on-premises NetFlow logs, and so on.
Before adding a custom source, you need to create an [AWS IAM](https://aws.amazon.com/cn/iam/?trk=cndc-detail) role that grants permissions to [AWS Glue](https://aws.amazon.com/cn/glue/?trk=cndc-detail).

To create a custom data source, choose **Create custom source** in the left menu under **Custom sources**.

![image.png](https://dev-media.amazoncloud.cn/2b9d3f462a394617b69eec0730ac4ec2_image.png)

You must enter the Amazon Resource Names (ARNs) of the IAM roles that write data to Security Lake and invoke [AWS Glue](https://aws.amazon.com/cn/glue/?trk=cndc-detail) on your behalf. Then, you can provide details about your custom source.

For efficient data processing and querying, objects from your custom sources should be Parquet-formatted and partitioned by AWS Region, AWS account, year, month, day, and hour.

### Consume Your Data from Security Lake

Now you can create a subscriber, a service that consumes logs and events from Security Lake. To add or see your subscribers, choose **Subscribers** in the left pane of the console.

![image.png](https://dev-media.amazoncloud.cn/8e8172657abe47f88a1711f1a94e0912_image.png)

Security Lake supports two types of subscriber data access methods:

- **Data access ([Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail))** – Subscribers are notified of new objects for a source as the data is written to your Security Lake S3 bucket. You can choose to notify subscribers of new objects with an [Amazon Simple Queue Service](https://aws.amazon.com/sqs) ([Amazon SQS](https://aws.amazon.com/cn/sqs/?trk=cndc-detail)) queue or through messaging to an HTTPS endpoint provided by the subscriber.
  This type is useful for ingesting selected data into your analytics application and suits use cases that require frequent access to data.

- **Query access (Lake Formation)** – Subscribers can consume data by directly querying [AWS Lake Formation](https://aws.amazon.com/cn/lake-formation/?trk=cndc-detail) tables in your S3 bucket through services like [Amazon Athena](https://aws.amazon.com/athena). This type is useful for providing on-demand query access to data without pre-ingesting anything, and for use cases that require infrequent access or involve large-volume sources that are too expensive to ingest up front or retain in analytics tools.

When you add a subscriber, you can choose [Amazon S3](https://aws.amazon.com/cn/s3/?trk=cndc-detail) to create data access for the subscriber. If you select the default method of notification, you receive the following object notification message at either an HTTPS endpoint or an [Amazon SQS](https://aws.amazon.com/cn/sqs/?trk=cndc-detail) queue.

```json
{
  "source": "aws.s3",
  "time": "2021-11-12T00:00:00Z",
  "region": "ca-central-1",
  "resources": [
    "arn:aws:s3:::example-bucket"
  ],
  "detail": {
    "bucket": {
      "name": "example-bucket"
    },
    "object": {
      "key": "example-key",
      "size": 5,
      "etag": "b57f9512698f4b09e608f4f2a65852e5"
    },
    "request-id": "N4N7GDK58NMKJ12R",
    "requester": "123456789012"
  }
}
```

Subscribers with query access can directly query data that is stored in Security Lake by using services like [Amazon Athena](https://aws.amazon.com/cn/athena/?trk=cndc-detail) and other services that can read from [AWS Lake Formation](https://aws.amazon.com/cn/lake-formation/?trk=cndc-detail).
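Before moving on to query access, here is how a data-access subscriber would handle the object notification shown above. This is an added example, not code from the original post or from AWS. It parses the message, derives the partition fields (source, Region, account, day, hour) from the object key, and applies the two checks a consumer wants: the object must come from the Region the subscriber was created in, and from a source the subscriber opted into. The key layout it parses is an assumption modelled on the post's partitioning advice for custom sources (Region, account, year, month, day, hour, Parquet object), not the documented layout of Security Lake's own buckets; the bucket name and key in the sample are constructed.

```python
"""Subscriber-side handling of Amazon Security Lake S3 object notifications.

Added example (not the post's or AWS's own code). The object-key layout
below is an assumption modelled on the post's custom-source partitioning
advice, not the documented layout of Security Lake's buckets.
"""
import json
import re
from dataclasses import dataclass
from typing import Set

# Assumed key layout:
#   <SOURCE>/region=<region>/accountId=<12 digits>/eventDay=<YYYYMMDD>/eventHour=<HH>/<file>.parquet
_KEY_RE = re.compile(
    r"^(?P<source>[A-Za-z0-9_-]+)"
    r"/region=(?P<region>[a-z]{2}-[a-z]+-\d)"
    r"/accountId=(?P<account>\d{12})"
    r"/eventDay=(?P<day>\d{8})"
    r"/eventHour=(?P<hour>\d{2})"
    r"/[^/]+\.parquet$"
)


@dataclass(frozen=True)
class ObjectRef:
    """One Parquet object announced by a notification, with its partition fields."""
    bucket: str
    key: str
    size: int
    etag: str
    source: str
    region: str
    account: str
    day: str   # YYYYMMDD
    hour: str  # HH


def parse_notification(body: str) -> ObjectRef:
    """Parse one notification body (SQS message or HTTPS POST payload).

    Raises ValueError for anything that is not a well-formed S3 object
    notification with a partitioned key, so nothing is ingested by guesswork.
    """
    msg = json.loads(body)
    if msg.get("source") != "aws.s3":
        raise ValueError(f"unexpected event source: {msg.get('source')!r}")
    detail = msg["detail"]
    obj = detail["object"]
    key = obj["key"]
    match = _KEY_RE.match(key)
    if match is None:
        raise ValueError(f"object key does not follow the expected partition layout: {key!r}")
    return ObjectRef(
        bucket=detail["bucket"]["name"], key=key, size=int(obj["size"]), etag=obj["etag"],
        source=match["source"], region=match["region"], account=match["account"],
        day=match["day"], hour=match["hour"],
    )


def is_valid_notification(body: str) -> bool:
    """True if the body parses cleanly; used to route bad messages to a dead-letter path."""
    try:
        parse_notification(body)
        return True
    except (ValueError, KeyError):
        return False


def should_ingest(ref: ObjectRef, subscriber_region: str, wanted_sources: Set[str]) -> bool:
    """A subscriber only sees data in its own Region; also filter to the sources it asked for."""
    return ref.region == subscriber_region and ref.source in wanted_sources


# Constructed sample shaped like the message in the post (bucket and key are made up).
SAMPLE_NOTIFICATION = json.dumps({
    "source": "aws.s3",
    "time": "2022-11-29T14:05:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:s3:::example-security-lake-bucket"],
    "detail": {
        "bucket": {"name": "example-security-lake-bucket"},
        "object": {
            "key": "CLOUD_TRAIL/region=us-east-1/accountId=123456789012"
                   "/eventDay=20221129/eventHour=14/part-00001.parquet",
            "size": 5,
            "etag": "b57f9512698f4b09e608f4f2a65852e5",
        },
        "request-id": "N4N7GDK58NMKJ12R",
        "requester": "123456789012",
    },
})

# The post's own sample: its key "example-key" carries no partition information,
# so the parser rejects it instead of guessing the Region or account.
UNPARTITIONED_NOTIFICATION = json.dumps({
    "source": "aws.s3", "time": "2021-11-12T00:00:00Z", "region": "ca-central-1",
    "resources": ["arn:aws:s3:::example-bucket"],
    "detail": {"bucket": {"name": "example-bucket"},
               "object": {"key": "example-key", "size": 5, "etag": "b57f9512698f4b09e608f4f2a65852e5"},
               "request-id": "N4N7GDK58NMKJ12R", "requester": "123456789012"},
})

if __name__ == "__main__":
    ref = parse_notification(SAMPLE_NOTIFICATION)
    print(ref)
    print("ingest:", should_ingest(ref, "us-east-1", {"CLOUD_TRAIL", "VPC_FLOW"}))
    print("post sample parses:", is_valid_notification(UNPARTITIONED_NOTIFICATION))
```

The Region check mirrors the post's rule that a subscriber only has access to source data in the Region it was created in; rejecting unparseable keys rather than ingesting them keeps a mis-delivered or malformed message from polluting the analytics store.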
The following is a sample Athena query over CloudTrail data; it lists recent API calls that were denied, which is a common starting point for an investigation.

```sql
SELECT
  time,
  api.service.name,
  api.operation,
  api.response.error,
  api.response.message,
  src_endpoint.ip
FROM ${athena_db}.${athena_table}
WHERE eventHour BETWEEN '${query_start_time}' AND '${query_end_time}'
  AND api.response.error IN (
    'Client.UnauthorizedOperation',
    'Client.InvalidPermission.NotFound',
    'Client.OperationNotPermitted',
    'AccessDenied')
ORDER BY time DESC
LIMIT 25
```

Subscribers only have access to source data in the AWS Region that you selected when you created the subscriber. To give a subscriber access to data from multiple Regions, set the Region in which you create your subscriber as a rollup Region.

### Third-Party Integrations

A number of third-party sources, as well as subscribing services, are integrated with [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail).

[Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail) supports third-party sources providing OCSF security data, including [Barracuda Networks](https://blog.barracuda.com/2022/11/29/barracuda-integration-aws-security-lake/), [Cisco](https://blogs.cisco.com/security/cisco-joins-amazon-web-services-aws-for-the-launch-of-security-lake), [Cribl](https://cribl.io/blog/when-stream-meets-lake-cribl-integrates-with-new-amazon-security-lake/), CrowdStrike, [CyberArk](https://www.cyberark.com/resources/product-announcements-blog/cyberark-audit-delivers-security-event-information-to-amazon-security-lake), [Lacework](https://www.lacework.com/blog/lacework-integrates-with-amazon-security-lake-to-reduce-complexity-in-your-cloud), [Laminar](https://laminarsecurity.com/blog/laminar-integrates-with-amazon-security-lake/), [Netscout](https://www.netscout.com/blog/utilizing-netscout-deep-packet-inspection-technology-enrich), Netskope,
[Okta](https://www.okta.com/blog/2022/11/amazon-security-lake-and-okta-make-data-more-accessible-for-increased-security/), Orca, [Palo Alto Networks](https://www.paloaltonetworks.com/blog/prisma-cloud/amazon-security-lake), Ping Identity, [SecurityScorecard](https://securityscorecard.com/blog/up-level-your-amazon-security), [Tanium](https://tanium.com/blog/ocsf-amazon-security-lake/), The Falco Project, Trend Micro, Vectra AI, [VMware](https://blogs.vmware.com/management/2022/11/vmware-aria-automation-for-secure-clouds-integration-with-amazon-security-lake.html), [Wiz](https://www.wiz.io/blog/wiz-launches-support-for-ocsf-to-detect-and-resolve-cloud-security-issues), and Zscaler.

You can also use third-party security, automation, and analytics tools supporting Security Lake, including [Datadog](https://www.datadoghq.com/blog/analyze-amazon-security-lake-logs-with-datadog), [IBM](https://community.ibm.com/community/user/security/blogs/gaurav-sharma/2022/11/10/ibm-qradar-and-aws-announcement), Rapid7, Securonix, SentinelOne, [Splunk](https://www.splunk.com/en_us/blog/security/splunk-integrates-with-amazon-security-lake-to-deliver-analytics-using-the-open-cybersecurity-schema-framework.html), Sumo Logic, and [Trellix](https://www.trellix.com/en-us/about/newsroom/stories/xdr/trellix-leverages-amazon-security-lake.html). There are also service partners such as Accenture, Atos, Deloitte, DXC, Kyndryl, PWC, Rackspace, and Wipro that can work with you and [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail).

### Join the Preview

The preview release of [Amazon Security Lake](https://aws.amazon.com/cn/security-lake/?trk=cndc-detail) is now available in the US East (Ohio), US East (N.
Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), and Europe (Ireland) Regions.

To learn more, see the [Amazon Security Lake page](https://aws.amazon.com/security-lake/) and the [Amazon Security Lake User Guide](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html). We want to hear more feedback during the preview. Please send feedback in [AWS re:Post](https://repost.aws/) and through your usual AWS support contacts.

– [Channy](https://twitter.com/)

![image.png](https://dev-media.amazoncloud.cn/f28b07868dd74da2b3887519fe60e22f_image.png)

### **[Channy Yun](https://aws.amazon.com/blogs/aws/author/channy-yun/)**

Channy Yun is a Principal Developer Advocate for AWS, and passionate about helping developers build modern applications on the latest AWS services. A pragmatic developer and blogger at heart, he loves community-driven learning and sharing of technology, which has funneled developers to global AWS User Groups. His main topics are open source, containers, storage, network & security, and IoT. Follow him on Twitter at @channyun.