Integration with Amazon S3


Hi All

Nice to be here.

We would like to monitor our Amazon S3 estate, and since we have what is effectively a CASB in Microsoft Cloud App Security, I was thinking of using the API to push logs from Amazon S3 to CAP.

Now, at cloud sec last week I had a chat with a top Amazon techie and he suggested that using CloudTrail and putting that into our SIEM would be a better solution. He suggested that the APIs to connect to CAP might not read all of the Amazon data, whereas CloudTrail would see more.

Personally, the CAP seems to just work, unlike a SIEM, which I think would take a lot of tuning.

Has anyone actually done this ... pushed Amazon data via an API into the CAP? Does it work OK, and what do you think of it?

4 Replies

Hello Steve,

In answering I'll assume that by CAP you mean Cloud App Security (CAS), which is the Microsoft CASB product.

CAS is not meant to act as a SIEM server and consume various logs from services. It has a list of services that are supported, one of which is AWS.

The current AWS support does not include S3 monitoring, but it is something that is planned for the future.

In the meantime you can read more info about the CAS integration with AWS here: https://docs.microsoft.com/en-us/cloud-app-security/connect-aws-to-microsoft-cloud-app-security

Regards,

Dima.

Thanks Dima

Looking at the doc you gave me, it looks like this is a JSON config to allow CloudTrail, so if I put CloudTrail into the CAS then there isn't a lot of point putting it into the SIEM. I am quite new to this, so feel free to correct me.

The JSON in the doc is specific to the events that CAS knows and can process and parse; if you provide events that are unfamiliar, they will not be processed.