Articles in this section

See more

Adding Custom Connector to SkyFormation Platform

Avatar
Nadav Lavy (Greenberg)
  • Updated
Follow

If you're having trouble at any stage please contact us at support@skyformation.com

Preface

The goal of this guide is to add SkyFormation Custom Connector to your SkyFormation Platform to be able to ingest audit events from customized data sources, and be able to transform them into meaningful detection-ready events. For more information see the SkyFormation Customer Connector Overview guide  

Prerequisites

Mandatory

   (0) Allow SkyFormation IAM user access to the custom data source URL you intend to use

   (1) Grant the SkyFormation application machine or user permission to read and list information
         from the data source.

   (2) Enable event notification to SQS queue in the S3 bucket you would like to get logs from.
        https://docs.aws.amazon.com/AmazonS3/latest/user-guide/enable-event-notifications.html

        Choose ObjectCreate (all) events to be notified as in the below example.

        

   (2.1) Allow the S3 Bucket to send events to the SQS Queue:

Replace the access policy attached to the queue with the following policy (in the SQS console, you select the queue, and in the Permissions tab, click Edit Policy Document (Advanced)

{
 "Version": "2012-10-17",
 "Id": "example-ID",
 "Statement": [
  {
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
    "AWS":"*"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "SQS-queue-ARN", 
 "Condition": { 
 "ArnLike": { 
 "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" 
 } 
 } 
 } 
 ] 
}

   (3) The SQS and S3 bucket attributes needed to add a SkyFormation Custom Connector are:

        - SQS URL
           Log into your AWS account, go to the SQS service and focus on the SQS Queue used
           for the S3 events notifications. In the Details tab copy the URL value (see example below):

        - SQS Region
           In the same page as above (SQS detail tab) you will see the SQS region. It is the string
          between the sqs and amazonaws strings in the URL.

          At the example above the region is: us-east-1

        - S3 Bucket Region 
          Log into your AWS account, go to the S3 service and focus on the S3 bucket with the logs
          you would like the SkyFormation custom connector to retrieve. 
          In the URL address at your browser you will see the bucket region at the URL parameter
          named region. (In the example below the region is us-east-1).

   (4) Have (or create) a AWS IAM user that will be used by the SkyFormation Custom
        Connector to integrate with the AWS APIs and ingest the audit events. 
        - If you need to create a new IAM user see Creating an IAM User in Your AWS Account

   (5) Get the following IAM user's attributes 
         (See How to get an IAM user's Access Key ID and Access Key Key)

        - Secret Access Key (e.g. see in the diagram an example)
        - Access Key ID (e.g. see in the diagram an example)

       

          Note: The Access Key ID and Secret Access Key in the diagram are not valid keys.  

   (5) The AWS IAM user mentioned above should have the following AWS permissions

        - AmazonSQSFullAccess 

        - AmazonS3ReadOnlyAccess 

 

Recommended

   (1) Use a dedicated user for the SkyFormation Custom Connector

 

Steps

1. Logon to your SkyFormation Platform:

2. Navigate via left navigation panel to "Settings" section

3. Navigate via New Settings left navigation panel to "Accounts" section

4. Click the "Add Account" bottom

5. At the "SELECT SERVICE TO ADD" choose "Custom Connector" 

You will see the below screen:

custom_app_connector_settings.png

5. Fill in the following information:

   - Tenant (relevant only for the multi-tenant SkyFormation edition)
       Choose the tenant the new connector will be attached to.     

  - Account Name
       Give the custom connector a meaningful name for you. This will become your application
      connector name displayed in the SkyFormation platform and added to entire events sent to your
      SIEM/Log/Splunk system from this connector as identifier. 

      Example: 
      "Sales custom pricing app"     

    - Description
      Add any text that describe the specific application and meaning for the business.

      Example:
      "Corp sales application to define and optimize sales pricing"

    - Access-Key

      Put the IAM user's Access Key ID 

      Example:
      AKIAJC2SG3G6ZSFYAPTA

    - Secret (secret-key)

      Put the IAM user's Secret Access Key 

      Example:
      XsyQVAut7wPYFpcWwSTtLgZ5SgT3PQJF8+1LTtr 

   - S3-Region

      Put the S3 bucket region name, from the S3 bucket used for the central cloud trail we use

      Example:
      us-west-2

   - Sqs-Region

      The SQS region

      Example:
      us-west-2

   - Sqs-Url 

      The URL of the SQS in use for the central audit.

      Example (not a valid value to use)
      https://sqs.us-west-2.amazonaws.com/498892222236/new-trail-s3-file-from-snsS3

   - Processor 

      Choose the processor from the drop-down list, that will determine the way the events ingested
      will be parsed.

      skyformation_custom_connector_proccesors.png

     For better understanding of the way the processors works please refer to:
     SkyFormation Customer Connector Overview      

- Click "SAVE" bottom

 

Make sure the "STATUS" of the new AWS MT connector in the table is OK and green.

 

Your are done !

 

Related articles

Comments

0 comments

Please sign in to leave a comment.