Integrating Cato Events with AWS S3

This article explains how to integrate an Amazon Web Service (AWS) S3 bucket with your Cato account to upload events directly to an S3 bucket.

Overview of Events Integration

For customers that review and analyze event data in an AWS S3 bucket, you can configure your Cato account to automatically and continuously upload events to the bucket. This is different then the eventsFeed API, which requires customers to pull the data from Cato and is impacted by issues such as rate-limiting.

Note

Note: You can define up to three Event Integrations for your account.

For more about the fields for the events, see Event Integration Event Fields.

Events Integration Use Case

Sample company is using the IPS Suspicious Activity Monitoring feature which generates a lot of security events. They decide to create an AWS S3 bucket to store all the event data, which they can then integrate with their SIEM solution. Sample company enables Events Integration and adds the S3 bucket as an integration to their Cato account so that all the IPS events area automatically uploaded to the S3 bucket.

Configuring the AWS S3 Bucket

Create a new S3 bucket and define the policy that allows it to receive data. Then define the IAM role for the S3 bucket with Cato's role ARN to set the bucket permissions to allow Cato to upload data to the bucket.

The Cato Cloud uploads data to the S3 bucket as follows, every 60 seconds, or when there is more than 10MB of data. Cato uses HTTPS to upload data to the S3 bucket.

Note

Note: Only regions for S3 buckets where Security Token Service (STS) is active are supported.

For more information about enabling STS for a region, see relevant the AWS documentation.

To configure an S3 bucket in AWS to receive Cato event data:

  1. Create a new S3 bucket with the appropriate AWS Region.

    1-create_bucket.png

  2. Create a new IAM policy for the S3 bucket that allows uploading data to the bucket.

  3. In the policy, click the the JSON tab, and copy the Cato JSON below.

    Edit the JSON and add the name for the S3 bucket, and then paste it in the tab.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket name>"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket name>/*"
            ]
        }
    ]
}
    2-create_policy.png

  4. Review the settings for the policy and click Create policy.

    3-name_policy.png

  5. Create a new IAM role with Cato's ARN, to allow Cato to upload events for your account to the S3 bucket.

    1. In the Select trusted entity screen, add Cato's ARN to the role: arn:aws:iam::428465470022:role/cato-events-integration

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::428465470022:role/cato-events-integration" }, "Action": "sts:AssumeRole" } ] }
      4-create_role.png

      Click Next.

    2. In the Add permissions screen, attach the policy that you created in step 4 to the role.

      image__7_.png

      Click Next.

    3. Enter the Role name and click Create role.

      6-name_role.png

    The AWS S3 bucket is ready to integrate with your Cato account.

Adding Amazon S3 Integration for Events

Create a new integration for the AWS S3 bucket in the Events Integration tab, and add the Role ARN to the integration. This ARN gives Cato permission to upload the event data to the S3 bucket. After you define and enable the AWS S3 integration, it takes a few minutes for Cato to start uploading events to the S3 bucket.

You can choose to filter the events that are uploaded to S3 bucket. For example, only upload IPS events for your account to the S3 bucket. The default setting is no filter and all events are uploaded to the S3 bucket.

EventIntegration.png

To add an AWS S3 bucket integration to upload events for your account:

  1. From the navigation menu, select Administration > API & Integrations and select the Events Integration tab.

  2. Select Enable integration with Cato events.

  3. Click New. The New Integration panel opens.

  4. Configure the settings for the S3 bucket integration:

    1. Enter the Name for the integration.

    2. Enter these Connection Details for the integration based on the settings in AWS:

      • Bucket Name - Identical name of the S3 bucket

      • Folder - Identical name for the folder path within the S3 bucket (if necessary)

      • Region - Identical region for the S3 bucket

        Note: Only regions for S3 buckets where Security Token Service (STS) is active are supported.

      • Role ARN - Copy and paste the ARN for the role for the S3 bucket

        copyAWS_ARN.png

    3. (Optional) Define the filter settings for events that are uploaded to the S3 bucket.

      When you define multiple filters, there is an AND relationship, and the events that match all filters are uploaded.

  5. Click Apply. The AWS S3 bucket is now integrated with your account.

Was this article helpful?

0 comments

Add your comment