Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
# Amazon Security Lake
Amazon Security Lake centralizza automaticamente i dati di sicurezza provenienti da AWS ambienti, fornitori di software as a service (SaaS), fonti locali e cloud in un data lake appositamente creato e archiviato nel tuo. Account AWS Con Security Lake, puoi ottenere una comprensione più completa dei tuoi dati di sicurezza in tutta l'organizzazione. Security Lake ha adottato l'Open Cybersecurity Schema Framework (OCSF), uno schema di eventi di sicurezza open source. Con il supporto OCSF, il servizio normalizza e combina i dati di sicurezza provenienti da AWS un'ampia gamma di fonti di dati di sicurezza aziendali.
## AppFabric verifica: considerazioni sull'ingestione dei log
Puoi inserire i log di controllo SaaS in Amazon Security Lake direttamente Account AWS da te aggiungendo una fonte personalizzata a Security Lake. Le seguenti sezioni descrivono lo schema AppFabric di output, il formato di output e le destinazioni di output da utilizzare con Security Lake.
### Schema e formato
Security Lake supporta lo schema e il formato di AppFabric output seguenti:
+ OCSF - JSON
+ AppFabric normalizza i dati utilizzando l'Open Cybersecurity Schema Framework (OCSF) e li restituisce in formato JSON.
### Posizioni di output
Security Lake supporta AppFabric come origine personalizzata l'utilizzo di un flusso di distribuzione Amazon Data Firehose come posizione di output di AppFabric ingestione. Per configurare la AWS Glue tabella e il flusso di distribuzione di Firehose e per configurare un'origine personalizzata in Security Lake, utilizzare le seguenti procedure.
### Creare una tabella AWS Glue
1. Accedi ad Amazon Simple Storage Service (Amazon S3) Simple Storage Service (Amazon S3) e crea un bucket con un nome a tua scelta.
1. Passa alla console. AWS Glue
1. Per **Data Catalog**, vai alla sezione **Tabelle** e scegli **Aggiungi tabella**.
1. Inserisci un nome a tua scelta per questa tabella.
1. Seleziona il bucket Amazon S3 che hai creato nel passaggio 1.
1. **Per il formato dei dati, seleziona **JSON** e scegli Avanti.**
1. Nella pagina **Scegli o definisci lo schema**, scegli **Modifica schema come JSON**.
1. Inserisci lo schema seguente e completa il processo di creazione della AWS Glue tabella.
```
[
{
"Name": "message",
"Type": "string"
},
{
"Name": "process",
"Type": "struct,group:struct,tid:int,cmd_line:string,container:struct,hash:struct>,created_time:bigint,parent_process:struct,type:string,version:string,path:string,uid:string,type_id:int,mime_type:string,parent_folder:string,data_classification:struct,hashes:array>,is_system:boolean,modified_time:bigint,xattributes:string>,user:struct,type_id:int,uid_alt:string>,group:struct>,tid:int,uid:string,cmd_line:string,container:struct,hash:struct,network_driver:string,pod_uuid:string>,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>>"
},
{
"Name": "status",
"Type": "string"
},
{
"Name": "time",
"Type": "bigint"
},
{
"Name": "device",
"Type": "struct,type:string,ip:string,hostname:string,mac:string,image:struct,type_id:int,container:struct,hash:struct>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,network_interfaces:array>,region:string,risk_score:int,modified_time_dt:string>"
},
{
"Name": "metadata",
"Type": "struct,url_string:string,vendor_name:string>,data_classification:struct,event_code:string,log_name:string,log_provider:string,original_time:string,tenant_uid:string,processed_time_dt:string>"
},
{
"Name": "severity",
"Type": "string"
},
{
"Name": "duration",
"Type": "int"
},
{
"Name": "type_name",
"Type": "string"
},
{
"Name": "activity_id",
"Type": "int"
},
{
"Name": "type_uid",
"Type": "int"
},
{
"Name": "observables",
"Type": "array>"
},
{
"Name": "category_name",
"Type": "string"
},
{
"Name": "class_uid",
"Type": "int"
},
{
"Name": "category_uid",
"Type": "int"
},
{
"Name": "class_name",
"Type": "string"
},
{
"Name": "timezone_offset",
"Type": "int"
},
{
"Name": "end_time",
"Type": "bigint"
},
{
"Name": "activity_name",
"Type": "string"
},
{
"Name": "cloud",
"Type": "struct,project_uid:string,provider:string,region:string>"
},
{
"Name": "query_info",
"Type": "struct"
},
{
"Name": "query_result",
"Type": "string"
},
{
"Name": "query_result_id",
"Type": "int"
},
{
"Name": "severity_id",
"Type": "int"
},
{
"Name": "status_code",
"Type": "string"
},
{
"Name": "status_detail",
"Type": "string"
},
{
"Name": "status_id",
"Type": "int"
},
{
"Name": "network_interfaces",
"Type": "array>"
},
{
"Name": "file",
"Type": "struct>,type_id:int,email_addr:string>,creator:struct,parent_folder:string,data_classification:struct,hashes:array>,security_descriptor:string,accessed_time_dt:string,modified_time_dt:string>"
},
{
"Name": "actor",
"Type": "struct,is_system:boolean,xattributes:string,modified_time_dt:string>,user:struct,group:struct,loaded_modules:array,cmd_line:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct>,hashes:array>>,user:struct,type_id:int,risk_level:string,uid_alt:string>,group:struct,uid:string,cmd_line:string,container:struct,hash:struct,network_driver:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct,type_id:int,created_time:bigint,data_classification:struct,hashes:array>,xattributes:string,created_time_dt:string>,group:struct,uid:string,loaded_modules:array,cmd_line:string,container:struct,hash:struct>,sandbox:string,egid:int,created_time_dt:string>,created_time_dt:string>,terminated_time:bigint,auid:int>,user:struct,app_name:string,idp:struct,invoked_by:string>"
},
{
"Name": "dst_endpoint",
"Type": "struct,port:int,type:string,ip:string,location:struct,continent:string>,hostname:string,uid:string,type_id:int,autonomous_system:struct,container:struct,hash:struct,orchestrator:string>,hw_info:struct,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>"
},
{
"Name": "src_endpoint",
"Type": "struct,groups:array>,type_id:int,credential_uid:string,email_addr:string,ldap_person:struct>,port:int,type:string,ip:string,location:struct,continent:string>,hostname:string,uid:string,type_id:int,container:struct,hash:struct,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array,namespace_pid:int,svc_name:string,vpc_uid:string>"
},
{
"Name": "user",
"Type": "struct>,type_id:int>"
},
{
"Name": "resource",
"Type": "struct>>>,cloud_partition:string,data_classification:struct>"
},
{
"Name": "privileges",
"Type": "array"
},
{
"Name": "action",
"Type": "string"
},
{
"Name": "action_id",
"Type": "int"
},
{
"Name": "protocol_ver",
"Type": "string"
},
{
"Name": "proxy",
"Type": "struct>,autonomous_system:struct,container:struct>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array,namespace_pid:int,proxy_endpoint:struct>,hash:struct,network_driver:string,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,proxy_endpoint:struct,container:struct,hash:struct>,intermediate_ips:array,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,zone:string>,svc_name:string>"
},
{
"Name": "client_hassh",
"Type": "struct>"
},
{
"Name": "authorizations",
"Type": "array"
},
{
"Name": "proxy_tls",
"Type": "struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,cipher:string,sni:string,certificate_chain:array,client_ciphers:array,ja3_hash:struct,ja3s_hash:struct>"
},
{
"Name": "load_balancer",
"Type": "struct,credential_uid:string,ldap_person:struct,type_id:int>,given_name:string,ldap_dn:string,leave_time:bigint,modified_time:bigint,surname:string>>,port:int,type:string,os:struct,ip:string,hostname:string,uid:string,type_id:int,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string>,endpoint_connections:array,created_time:bigint,hire_time:bigint,ldap_dn:string,surname:string,modified_time_dt:string,deleted_time_dt:string>,groups:array>,full_name:string,email_addr:string,risk_level:string,risk_level_id:int>,port:int,type:string,ip:string,hostname:string,type_id:int,container:struct,hash:struct,network_driver:string>,instance_uid:string,interface_name:string,namespace_pid:int,proxy_endpoint:struct>,type_id:int,full_name:string,email_addr:string,risk_score:int,uid_alt:string>,port:int,type:string,hostname:string,uid:string,type_id:int,autonomous_system:struct,container:struct,hash:struct,orchestrator:string,pod_uuid:string>,hw_info:struct>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,uid:string,interface_uid:string,intermediate_ips:array>>>,metrics:array>>"
},
{
"Name": "disposition_id",
"Type": "int"
},
{
"Name": "disposition",
"Type": "string"
},
{
"Name": "proxy_traffic",
"Type": "struct"
},
{
"Name": "auth_type_id",
"Type": "int"
},
{
"Name": "proxy_http_response",
"Type": "struct"
},
{
"Name": "server_hassh",
"Type": "struct>"
},
{
"Name": "auth_type",
"Type": "string"
},
{
"Name": "firewall_rule",
"Type": "struct"
},
{
"Name": "proxy_connection_info",
"Type": "struct"
},
{
"Name": "connection_info",
"Type": "struct"
},
{
"Name": "api",
"Type": "struct,response:struct,operation:string>"
},
{
"Name": "attacks",
"Type": "array>,technique:struct>>"
},
{
"Name": "raw_data",
"Type": "string"
},
{
"Name": "email_uid",
"Type": "string"
},
{
"Name": "malware",
"Type": "array,cves:array,created_time:bigint,cvss:array>,overall_score:double,depth:string>>,modified_time_dt:string,created_time_dt:string,type:string>>,provider:string,classifications:array>>"
},
{
"Name": "start_time_dt",
"Type": "string"
},
{
"Name": "direction",
"Type": "string"
},
{
"Name": "smtp_hello",
"Type": "string"
},
{
"Name": "unmapped",
"Type": "string"
},
{
"Name": "direction_id",
"Type": "int"
},
{
"Name": "email_auth",
"Type": "struct"
},
{
"Name": "email",
"Type": "struct,data_classification:struct,delivered_to:string,message_uid:string,reply_to:string,smtp_from:string>"
},
{
"Name": "impact_id",
"Type": "int"
},
{
"Name": "resources",
"Type": "array>,version:string,data_classification:struct,data:string,labels:array,region:string>>"
},
{
"Name": "finding_info",
"Type": "struct>,technique:struct>>,analytic:struct,last_seen_time:bigint,first_seen_time_dt:string>"
},
{
"Name": "evidences",
"Type": "array,hashes:array>,security_descriptor:string,owner:struct>,type_id:int,account:struct,credential_uid:string,uid_alt:string>,desc:string,accessor:struct,email_addr:string>,creator:struct,type_id:int,full_name:string>,modified_time:bigint,modified_time_dt:string>,user:struct,group:struct,uid:string,loaded_modules:array,cmd_line:string,container:struct>,hash:struct>,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct>,product:struct,vendor_name:string>,type_id:int,company_name:string,mime_type:string,parent_folder:string,data_classification:struct,hashes:array>,modified_time_dt:string,created_time_dt:string,owner:struct,groups:array>,type_id:int,credential_uid:string,email_addr:string,risk_level:string,risk_level_id:int>,accessed_time:bigint,confidentiality:string,confidentiality_id:int,xattributes:string>,user:struct,org:struct,risk_score:int>,group:struct,name:string,type:string,desc:string>,uid:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct,credential_uid:string,domain:string,risk_level:string>,group:struct,uid:string,cmd_line:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type_id:int,data_classification:struct,hashes:array>,owner:struct>,path:string,parent_folder:string,is_system:boolean,security_descriptor:string,accessed_time_dt:string>,user:struct,type:string,domain:string,uid:string,groups:array>,type_id:int,account:struct,credential_uid:string,risk_score:int>,uid:string,cmd_line:string,container:struct,hash:struct>,created_time:bigint,integrity:string,lineage:array,namespace_pid:int,parent_process:struct,hashes:array>,xattributes:string,created_time_dt:string,signature:struct>,created_time:bigint,serial_number:string,created_time_dt:string>,algorithm:string,algorithm_id:int>,accessor:struct,company_name:string,mime_type:string,accessed_time:bigint,modified_time_dt:string>,user:struct,deleted_time:bigint>,groups:array>,account:struct,risk_level:string,risk_score:int,uid_alt:string>,group:struct>,uid:string,cmd_line:string,container:struct>,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct>,security_descriptor:string,modified_time_dt:string>,user:struct,groups:array>,type_id:int,email_addr:string,ldap_person:struct,manager:struct,groups:array>>,type_id:int,full_name:string,risk_level:string,risk_level_id:int>,last_login_time_dt:string>,uid_alt:string>,group:struct>,uid:string,loaded_modules:array,cmd_line:string,container:struct,hash:struct,orchestrator:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct,file:struct,type:string,path:string,desc:string,uid:string,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,data_classification:struct,uid:string>>,hashes:array>,is_system:boolean>,user:struct,group:struct>,loaded_modules:array,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct>,created_time:bigint,expiration_time:bigint,serial_number:string,expiration_time_dt:string>,algorithm:string,algorithm_id:int>,type_id:int,parent_folder:string,created_time:bigint,data_classification:struct,hashes:array>,created_time_dt:string>,user:struct,group:struct,uid:string,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>,terminated_time:bigint,xattributes:string,euid:int>>,auid:int,terminated_time_dt:string,created_time_dt:string,lineage:array>,egid:int,group:struct,tid:int,loaded_modules:array,sandbox:string,terminated_time:bigint,xattributes:string,euid:int>,terminated_time:bigint,xattributes:string,terminated_time_dt:string,created_time_dt:string,pid:int,session:struct,file:struct,product:struct,url_string:string,vendor_name:string>,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,created_time:bigint,data_classification:struct,uid:string>>,hashes:array>,modified_time:bigint,accessed_time_dt:string,modified_time_dt:string>,loaded_modules:array,integrity:string,integrity_id:int,lineage:array,egid:int>,terminated_time:bigint,xattributes:string,pid:int,cmd_line:string,auid:int,created_time_dt:string>,xattributes:string,tid:int,integrity:string,euid:int>,file:struct,url_string:string,vendor_name:string>,type_id:int,creator:struct,credential_uid:string,uid_alt:string>,parent_folder:string,confidentiality:string,confidentiality_id:int,created_time:bigint,data_classification:struct,hashes:array>,security_descriptor:string,accessor:struct,risk_level:string,risk_level_id:int>,company_name:string,accessed_time_dt:string,created_time_dt:string>,query:struct,connection_info:struct,api:struct,uid:string>,response:struct,message:string,error_message:string>,operation:string,version:string>,actor:struct,parent_folder:string,confidentiality:string,data_classification:struct,hashes:array>,modified_time:bigint,xattributes:string,modified_time_dt:string,created_time_dt:string,version:string,desc:string,security_descriptor:string>,uid:string,cmd_line:string,container:struct,hash:struct,pod_uuid:string,runtime:string,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type:string,path:string,desc:string,modifier:struct,uid:string,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct>,hashes:array>,created_time_dt:string,signature:struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,algorithm:string,algorithm_id:int,created_time:bigint>,product:struct,cpe_name:string,data_classification:struct,vendor_name:string>,accessed_time_dt:string>,user:struct,type_id:int,account:struct,ldap_person:struct,job_title:string,office_location:string,hire_time_dt:string>,risk_score:int>,group:struct,cmd_line:string,container:struct,image:struct,network_driver:string>,created_time:bigint,integrity:string,integrity_id:int,namespace_pid:int,parent_process:struct,algorithm:string,algorithm_id:int>,product:struct,vendor_name:string>,uid:string,type_id:int,accessor:struct,parent_folder:string,data_classification:struct,hashes:array>,is_system:boolean,xattributes:string,accessed_time_dt:string,modified_time_dt:string>,user:struct,group:struct,uid:string,cmd_line:string,container:struct,image:struct,orchestrator:string>,created_time:bigint,namespace_pid:int,auid:int,terminated_time_dt:string,integrity:string,integrity_id:int,parent_process:struct,cost_center:string,deleted_time:bigint,email_addrs:array,ldap_dn:string,leave_time_dt:string>,risk_level:string,risk_score:int>,type:string,path:string,type_id:int,accessor:struct,mime_type:string,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct,hashes:array>,security_descriptor:string,modified_time_dt:string,created_time_dt:string>,user:struct,loaded_modules:array,cmd_line:string,container:struct,hash:struct,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type_id:int>,risk_level:string,risk_level_id:int>,uid:string,loaded_modules:array,cmd_line:string,container:struct>,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct,type_id:int,creator:struct,mime_type:string,parent_folder:string,accessed_time:bigint,hashes:array>,accessed_time_dt:string>,group:struct,tid:int,uid:string,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct,modifier:struct,uid_alt:string>,type_id:int,mime_type:string,parent_folder:string,accessed_time:bigint,confidentiality:string,confidentiality_id:int,data_classification:struct