Integrating Cato Events with AWS S3

Overview of the Amazon S3 Events Integration

Organizations that store and manage event data in an AWS S3 bucket can configure their Cato account to automatically and continuously upload events to it.

This integration continuously pushes events directly from the Cato Cloud to the S3 bucket, unlike the eventsFeed API, which requires pulling data from Cato and can be affected by rate limiting.

The Cato Cloud uploads data to the S3 bucket every 60 seconds, or whenever more than 9.5 MB of uncompressed data is accumulated. Data is transferred securely over HTTPS.

Events are uploaded in a compressed .GZ format. Some clients, such as certain browsers, may automatically decompress these files without removing the .GZ extension. If this occurs, changing the file extension to LOG or TXT will correctly align the file's format with its extension.

Events Integration Use Case

Sample Company uses the IPS Suspicious Activity Monitoring feature, which generates a high volume of security events. They decide to create an AWS S3 bucket to store all the event data, which they can then integrate with their SIEM solution. Sample Company enables Events Integration and adds the S3 bucket as an integration to their Cato account so that all IPS events are automatically uploaded to the S3 bucket.

Prerequisites

Review the prerequisites for all Cato event integrations in Getting Started with Event Integrations

Configuring the AWS S3 Bucket

Create an S3 bucket and define an IAM policy that allows Cato to upload event data to it. Then, create an IAM role with Cato’s role ARN and attach the policy to the role.

The Cato Cloud uploads data to the S3 bucket every 60 seconds, or when more than 9.5 MB of uncompressed data is accumulated. Depending on different factors, data can sometimes be uploaded before it reaches 9.5 MB.

Cato uses HTTPS to upload data to the S3 bucket.

Note

Notes:

Only regions for S3 buckets where Security Token Service (STS) is active are supported. For more information about enabling STS for a region, see the relevant AWS documentation.
The China S3 region is not supported.

To configure an S3 bucket in AWS to receive Cato event data:

Create a new S3 bucket with the appropriate AWS Region.
Create a new IAM policy for the S3 bucket that allows uploading data to the bucket.

In the policy, click the JSON tab, and copy the Cato JSON below.

Edit the JSON and add the name for the S3 bucket, and then paste it in the tab.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket name>"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket name>/*"
            ]
        }
    ]
}

Review the settings for the policy and click Create policy.
Create a new IAM role with Cato's ARN to allow Cato to upload events for your account to the S3 bucket.
1. In the Select trusted entity page, add Cato's ARN to the role: arn:aws:iam::428465470022:role/cato-events-integration
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::428465470022:role/cato-events-integration"
            },
            "Condition": {"StringEquals": {"sts:ExternalId": "<CMA Account ID>"}},
            "Action": "sts:AssumeRole"
        }
    ]
}
```
  Click Next.
2. In the Add permissions page, attach the policy that you created earlier to the role.
  
  Click Next.
3. Enter the Role name and click Create role.
The AWS S3 bucket is ready to integrate with your Cato account.

Adding an Event Integration for Amazon S3

Create a new integration for the AWS S3 bucket in the Events Integration tab, and add the Role ARN to the integration. This ARN gives Cato permission to upload the event data to the S3 bucket.

After you define and enable the AWS S3 integration, it takes a few minutes for Cato to start uploading events to the S3 bucket.

You can filter the events that are uploaded to the S3 bucket by event type or subtype. For example, you can upload only IPS events for your account. By default, no filter is applied, and all events are uploaded to the S3 bucket.

To add an AWS S3 bucket integration to upload events for your account:

From the navigation menu, select Resources > Event Integrations.
Select Enable integration with Cato events.
Click New. The New Integration panel opens.
Configure the settings for the S3 bucket integration:
1. Enter the Name for the integration.
2. Enter these Connection Details for the integration based on the settings in AWS:
  - Bucket Name - Exact name of the S3 bucket
  - Folder - Folder path within the S3 bucket, if necessary
  - Region - Region where the S3 bucket is hosted
    
    Note: Only regions for S3 buckets where the Security Token Service (STS) is active are supported.
  - Role ARN - Copy and paste the ARN for the role for the S3 bucket
3. (Optional) Define the filter settings for events that are uploaded to the S3 bucket.
  
  When you define multiple filters, there is an AND relationship, and the events that match all filters are uploaded.
Click Apply. The AWS S3 bucket is now integrated with your account.

Note: You can define up to three Event Integrations for your account.

7 comments

Sai Woon Si
- July 17, 2024 00:33
i have followed the specified procedure, but it is still not working. I am unsure about allowing Cato IP address. Where should I configure it?
Yaakov Simon
- July 25, 2024 05:34
Sai Woon Si Thanks for your question. If there is an existing IAM Role that limits access based on the Source IP address, then you need to edit that Role and add the Cato IP address to it.
This AWS article explains how to deny access based on the Source IP.
Naoki Kimura
- August 09, 2024 00:38
I have followed the steps as described, but no object is being created in the AWS S3 bucket. Are the following S3 settings unnecessary to configure?
- Block Public Access (Default: ON)
- Bucket Policy
- ACL
- Object Ownership
- Access Point
I appreciate your assistance.
Yaakov Simon
- August 13, 2024 13:28
Naoki Kimura Make sure that the ACL includes the Cato IP addresses in this article.
Otherwise, I suggest you create a topic in the Cato Community and see if there is a customer who is more familiar with the situation.
Yaakov Simon
- August 29, 2024 13:24
Naoki Kimura - I see that we updated the Cato IP addresses in the article linked above, this may help resolve the issue.
Sorry for the inconvenience.
Naoki Kimura
- August 30, 2024 00:48
Hi, Simon.

Thank you for sharing the information. Although we couldn't pinpoint the exact cause, we are now able to output logs to AWS S3 without registering allowed IPs in the ACL. The only notable change we made was shortening the bucket name.
Thank you very much.
Luis Fuentes
- October 03, 2024 18:42
This works, but Cato sends logs in a zipped format (.gz). This is not helpful when integrating it into any SIEM. How can we get the Cato logs to be sent to S3 in it's original format (.log) so our SIEMs can parse it as unstructured data?