AWS S3 Bucket
Integrating Keeper SIEM push to an Amazon S3 bucket endpoint
Overview
Keeper supports event streaming into an Amazon S3 bucket. Setup instructions are below.
S3 Bucket Configuration
(1) In AWS, create an S3 bucket and of course ensure that all permissions are locked down.
(2) Create a user account without console access and assign a basic role policy which can only put files within the bucket. Example below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::name_of_bucket/*"
]
}
]
}(3) Generate Access Key and Secret Key, provide those to the Admin Console user interface along with the Bucket Name. You can select different time intervals for the file uploads. You can also select the file format which includes:
JSON
Syslog
CSV
Files will be posted only when events occur during the interval. In the example below, the json files are posted every hour when there is activity in the system.
Log File Examples
Syslog File
<165>1 2023-10-30T02:18:43.776Z keepersecurity.jp keeper - - - {"audit_event":"device_user_approval_requested","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50,"client_version_new":true}^M
<165>1 2023-10-30T02:19:19.587Z keepersecurity.jp keeper - - - {"audit_event":"device_approved","device_name":"iPhone","remote_address":"12.34.56.78","category":"security","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^M
<165>1 2023-10-30T02:19:51.774Z keepersecurity.jp keeper - - - {"audit_event":"login","channel":"PASS","remote_address":"12.34.56.78","category":"login","client_version":"iPhone.16.9.4","username":"craig@keeperdemo.io","enterprise_id":50}^MJSON File
[{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:17.545Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:27.200Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"audit_event":"login","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:22.740Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"open_record","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241},{"record_uid":"ac3QeHmeGz6Jyb7wnuHnfQ","audit_event":"fast_fill","remote_address":"12.34.56.78","client_version":"iPhone.16.9.3","timestamp":"2023-09-20T21:33:56.634Z","username":"craig@keeperdemo.io","enterprise_id":67241}]CSV File
audit_event,name,remote_address,category,client_version,timestamp,username,enterprise_id
audit_sync_setup,s3,12.34.56.78,policy,EMConsole.16.15.3,1698759022585,craig@keeperdemo.io,50
role_created,,12.34.56.78,policy,EMConsole.16.15.3,1698759049640,craig@keeperdemo.io,50
role_enforcement_changed,,12.34.56.78,policy,EMConsole.16.15.3,1698759049876,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136968,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759136979,craig@keeperdemo.io,50
lock_user,,12.34.56.78,security,EMConsole.16.15.3,1698759169004,craig@keeperdemo.io,50
added_to_role,,12.34.56.78,security,EMConsole.16.15.3,1698759134936,craig@keeperdemo.io,50