Overview
The Event Data Export integration enables you to configure external tools—such as Snowflake, Sumo Logic, and others—to ingest Incydr event data from AWS S3. Data available for export and ingest includes:
- File events and all associated metadata
- Audit log activity
- Alerts
This integration simplifies the process of exporting Incydr event data to SIEMs that support ingesting log data from AWS S3 because:
- Configuration is completed via the Incydr console and does not require custom scripts or API integrations.
- It offers a more scalable and reliable solution for streaming data than the
/v2/file-eventsAPI.
Considerations
- Configuring event data export settings in the Incydr console requires a user with the Customer Cloud Admin role.
- To export all file events, you must have a product plan with full API access. (Audit log and alert exports do not require full API access.)
- The Event Data Export integration is not available in the Incydr Federal (FedRAMP) environment.
Step 1: Define export settings in the Incydr console
These steps apply to the initial data export configuration. To add a new AWS destination account to an existing configuration, see Add an account below.
- Sign in to the Incydr console.
- Go to Administration > Integrations > Event Data Export.
- Click Get started.
The Create data export form appears. - Enter your AWS Account ID or IAM User ARN.
- Refer to your external tool's support documentation to locate your AWS account ID.
- Alternatively, if your tool supplies an IAM User ARN, you can enter that here instead of the account ID.
- Specify your IAM role external ID. An external ID is a unique identifier that prevents unauthorized access to your data.
- If you're unsure which option applies to you, select Create an external ID for me.
- If the tool you're exporting to provides its own external ID, select Enter my own external ID.
An external ID is required to complete the export configuration in the Incydr console. If you are integrating with a third-party solution that does not support external ID, contact your Customer Success Manager (CSM) or Incydr Support to review alternative options.
- Select the event types to export:
- Alerts: Exports alert data and all file events associated with the alerts.
- Audit log: Exports Audit log data, which provides a record of user and system changes to Incydr settings and configurations.
-
File events: Exports all metadata for events. Choose to export:
- All file events: Exports all file events, including activity where no risk is identified.
-
Only events with PRISM scores greater than 0: Exports only events where at least one risk indicator with a score greater than 0 applies to the event.
- Optionally, choose to also include events with preventative controls applied.
- Click Configure.
Incydr creates and configures AWS resources for you to supply to your SIEM or other external tools. See below for more details.
Output and schema details
- Data is exported as a GZIP (.gz) file in line-terminated JSON format.
- To view the detailed schema of exported fields, see Event Data Export in the Incydr Developer Portal.
Step 2: Obtain the AWS resource configuration for your external tool
Use the values in the AWS Resource Configuration section to set up your integration to pull events from the Incydr-managed AWS S3 location. Use the Services and Accounts sections to specify what data to export and to manage where it is sent.
| Item | Description | |
|---|---|---|
| a | SNS topic ARN |
The Amazon Resource Name (ARN) of the SNS topic where S3 object create events for your Incydr event data are sent. Subscribing to both SQS and HTTPS endpoints are supported. The SNS topic sends notifications when new data is available. It does not contain the actual data. To access the new data, use the IAM role ARN to access the S3 location referenced in the SNS notification. |
| b | IAM role ARN |
The IAM role ARN grants secure access to the AWS S3 bucket.
|
| c | IAM role external ID | The IAM role external ID provides secure access to external integrations. Use this ID when assuming the IAM role. |
| d | S3 bucket name | The name of the S3 bucket containing your data. |
| e | S3 bucket path | The top-level path of your data in the S3 bucket. |
| f | Subscribe | Click to subscribe to this topic to receive notifications when new data is available. Subscribing also enables real-time alerts and updates. |
| g | Copy to clipboard | Click to copy the value for any field to your clipboard. |
| h | Services |
Indicates the event types you selected to export. Options include:
Click the Edit icon If you have more than one AWS destination account, the selected services apply to all accounts. |
| i | Delete export | Click to delete the export configuration. Deleting the configuration stops exporting Incydr data and removes your permissions to ingest it in all configured external AWS accounts. |
| j | Accounts |
Details about each account, including:
Click edit to update the display name. Click delete to remove this account. |
| k | Add | Click to add another AWS account export destination. You can add up to 5 accounts. |
Add an account
To add another AWS account destination to an existing configuration:
- Sign in to the Incydr console.
- Go to Administration > Integrations > Event Data Export.
- In the Accounts section, click Add.
- Enter a display name for this account (optional).
- Enter your AWS Account ID or IAM User ARN.
- Refer to your external tool's support documentation to locate your AWS account ID.
- Alternatively, if your tool supplies an IAM User ARN, you can enter that here instead of the account ID.
- Specify your IAM role external ID. An external ID is a unique identifier that prevents unauthorized access to your data.
- If you're unsure which option applies to you, select Create an external ID for me.
- If the tool you're exporting to provides its own external ID, select Enter my own external ID.
An external ID is required to complete the export configuration in the Incydr console. If you are integrating with a third-party solution that does not support external ID, contact your Customer Success Manager (CSM) or Incydr Support to review alternative options.
- Click Add.
Remove an account
To remove an AWS account destination from an existing configuration:
- Sign in to the Incydr console.
- Go to Administration > Integrations > Event Data Export.
- Next to the account you want to remove, click the delete icon
.
If you only have one account and want to stop all export activity, see Delete an existing configuration below.
Edit an existing configuration
To edit an existing configuration:
- Sign in to the Incydr console.
- Go to Administration > Integrations > Event Data Export.
- To edit the exported event types, click the edit icon
next to Services.
- Edit the event types included in the export. Changes apply to all configured accounts.
- Click Save.
Delete an existing configuration
To delete an existing configuration:
- Sign in to the Incydr console.
- Go to Administration > Integrations > Event Data Export.
- Click Delete export.
- Click Delete to confirm you want to delete this configuration.
Deleting the configuration stops exporting Incydr data and removes your permissions to ingest it in your external AWS account.
External resources
- AWS: Identify AWS resources with Amazon Resource Names (ARNs)
- Snowflake: Configure a Snowflake storage integration to access Amazon S3
- Sumo Logic: Amazon S3 Source
Comments
Please sign in to leave a comment.