AWS S3

Integrating Keeper SIEM push to an Amazon S3 bucket endpoint

Overview

Keeper supports event streaming into an Amazon S3. Setup instructions are below.

S3 Configuration

(1) In AWS, create an S3 bucket and of course ensure that all permissions are locked down.

(2) Create a user account without console access and assign a basic role policy which can only put files within the bucket. Example below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::name_of_bucket/*"
            ]
        }
    ]
}

(3) Generate Access Key and Secret Key, provide those to the Admin Console user interface along with the Bucket Name. You can select different time intervals for the file uploads. You can also select the file format which includes:

JSON
Syslog
CSV

For the Bucket Name, provide a full ARN that includes the region. For example: arn:aws:s3:us-west-2::my-keeper-events

Files will be posted only when events occur during the interval. In the example below, the json files are posted every hour when there is activity in the system.

If you set the time frame to a "day", all events will accumulate until the day has ended (using UTC clock) and then a new file containing all day events will be added to your S3 bucket.

Log File Examples

Syslog File

<165>1 2023-10-30T02:18:43.776Z keepersecurity.jp keeper - - - {"audit_event":"device_user_approval_requested","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"[email protected]","enterprise_id":50,"client_version_new":true}^M

<165>1 2023-10-30T02:19:19.587Z keepersecurity.jp keeper - - - {"audit_event":"device_approved","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"[email protected]","enterprise_id":50}^M

<165>1 2023-10-30T02:19:51.774Z keepersecurity.jp keeper - - - {"audit_event":"login","channel":"PASS","remote_address":"12.34.56.78","category":"login","client_version":"iPhone.16.9.4","username":"[email protected]","enterprise_id":50}^M

JSON File

[{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:17.545Z","username":"[email protected]","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:27.200Z","username":"[email protected]","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:22.740Z","username":"[email protected]","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"open_record","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"[email protected]","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"fast_fill","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"[email protected]","enterprise_id":67241}]

CSV File

audit_event,name,remote_address,category,client_version,timestamp,username,enterprise_id
audit_sync_setup,s3,12.34.56.78,policy,EMConsole.16.15.3,1698759022585,[email protected],50
role_created,,12.34.56.78,policy,EMConsole.16.15.3,1698759049640,[email protected],50
role_enforcement_changed,,12.34.56.78,policy,EMConsole.16.15.3,1698759049876,[email protected],50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136968,[email protected],50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136979,[email protected],50
lock_user,,12.34.56.78,security,EMConsole.16.15.3,1698759169004,[email protected],50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759134936,[email protected],50

PreviousEvent Descriptions NextMicrosoft Sentinel

Last updated 1 month ago

Was this helpful?

hashtagOverview

hashtagS3 Configuration

hashtagLog File Examples

hashtagSyslog File

hashtagJSON File

hashtagCSV File