Lacework FortiCNAPP can integrate with Amazon Security Lake, an S3 data lake based on the OCSF standard. Lacework FortiCNAPP integrates as a data source and provides its real-time security findings. These security findings include software and infrastructure-as-code (IaC) vulnerabilities, cloud resource security misconfigurations, and known and unknown security threat behaviors.
You must have a data lake configured in Amazon Security Lake before using this integration. The integration does not provision the data lake, and without one the event Lambda will fail when it attempts to send Lacework FortiCNAPP events to the custom S3 data source. Please follow the steps described in the following AWS guide to get started:
Lacework FortiCNAPP security findings are sent to Amazon EventBridge and delivered to an Amazon SQS queue. A Lambda function receives these security findings from the queue, transforms them into OCSF format, and delivers them as Parquet files to the Amazon Security Lake S3 bucket. Amazon Security Lake then ingests these files, making the Lacework FortiCNAPP security findings available in the data lake.
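The transformation step described above, as an added illustration that is not the integration's own Lambda code: one SQS record body is mapped to an OCSF Security Finding (class_uid 2001) record. The alert field names, the sample alert, and the `handler`/`sample_sqs_event` helpers are assumptions made for this example; the Parquet write to S3 is omitted.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Lacework alert as it might arrive in an SQS record
# body (field names are an assumption for illustration, not a documented schema).
SAMPLE_ALERT = {
    "event_id": "12345",
    "event_severity": "High",
    "event_title": "New External Server DNS Lookup",
    "event_description": "Host ip-10-0-1-5 resolved an external domain for the first time.",
    "event_timestamp": "2024-03-01T12:34:56Z",
    "event_link": "https://example.lacework.net/ui/investigation/monitor/AlertInbox/12345",
}

# OCSF severity_id values; anything unrecognised becomes 0 (Unknown).
SEVERITY_MAP = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1}


def to_ocsf_security_finding(alert: dict) -> dict:
    """Map one Lacework alert to an OCSF Security Finding (class_uid 2001)."""
    ts = datetime.strptime(alert["event_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    activity_id = 1  # 1 = Create: a new finding was generated
    return {
        "category_uid": 2,       # Findings
        "class_uid": 2001,       # Security Finding
        "activity_id": activity_id,
        "type_uid": 2001 * 100 + activity_id,   # OCSF type_uid = class_uid*100 + activity_id
        "severity_id": SEVERITY_MAP.get(alert["event_severity"].lower(), 0),
        "time": int(ts.timestamp() * 1000),     # OCSF time is epoch milliseconds
        "finding": {
            "uid": alert["event_id"],
            "title": alert["event_title"],
            "desc": alert["event_description"],
            "src_url": alert.get("event_link"),
        },
        "metadata": {
            "version": "1.0.0",
            "product": {"name": "Lacework FortiCNAPP", "vendor_name": "Lacework"},
        },
    }


def sample_sqs_event() -> dict:
    """Constructed SQS event wrapping SAMPLE_ALERT, as EventBridge -> SQS would deliver it."""
    return {"Records": [{"body": json.dumps(SAMPLE_ALERT)}]}


def handler(event: dict, context=None) -> list:
    """Lambda-style entry point: each SQS record body holds one alert JSON document."""
    return [to_ocsf_security_finding(json.loads(r["body"])) for r in event["Records"]]
```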
This integration uses the Amazon S3, Lambda, EventBridge, SQS, and CloudWatch AWS services. You will incur costs for the use of these services. Costs vary depending on the size of the environment and the number of security findings generated in it.
CloudFormation is used to set up the Lacework FortiCNAPP integration with Security Lake. The CloudFormation template creates the EventBridge rules, IAM permissions, SNS topic, SQS queue, Lambda event transformation function, and the Lacework FortiCNAPP outbound security alert channel.
- A subscription to Lacework FortiCNAPP, acquired through the AWS Marketplace listing.
- Administrator access to a Lacework FortiCNAPP instance
- FortiCNAPP Admin API Key and Secret
Do the following:
- Open the Security Lake console at https://console.aws.amazon.com/securitylake/.
- In the upper-right corner of the page, select the region where you want to create the custom source.
- Choose Custom sources in the navigation pane, and then choose Create custom source.
- In the Custom source details section, enter "lacework" for your custom source name. Then, select the Security Finding OCSF event class.
- Enter the AWS account ID from which the Lacework FortiCNAPP Amazon Security Lake Alert Channel will be deployed. This account will write logs and events to the data lake.
- For the AWS account with permissions to write logs and events to the data lake using the Lacework FortiCNAPP Amazon Security Lake Alert Channel, enter the AWS account ID and External ID. The External ID is a random alphanumeric identifier used to prevent unauthorized access to your AWS resources.
- For Service Access, create a new IAM role or use an existing IAM role that gives Security Lake permission to invoke the AWS Glue crawler.
- Choose Create.
- After the custom source is created, take note of the Amazon Security Lake S3 location.
- Click on the following Launch Stack button to go to your CloudFormation console and launch the template. For most deployments, you only need the Basic Configuration parameters.
- Specify the following Basic Configuration parameters:
  - Enter a Stack name for the stack.
  - Enter the Security Lake S3 Bucket Name.
  - Enter the Security Lake Role ARN.
  - Enter the Security Lake Role External ID.
  - Enter your Lacework URL.
  - If your Lacework instance has the Organization feature enabled, enter the Lacework Sub-Account Name. Otherwise, leave this field blank.
  - Enter your Lacework Access Key ID and Lacework Secret Key that you copied from your API Keys file. See here.
- Click Next through to your stack Review.
- Accept the AWS CloudFormation terms and click Create stack.
- Upon successful stack deployment, ensure the Lambda Event Function role ARN has been added to the Amazon Security Lake role trust policy. If it has not been added automatically, use the following procedure to configure it:
  a. In the AWS console, navigate to Lambda and click the Lambda function with the name stack-name-LaceworkAmazonSecurityLakeEventFunction-xxxx. Copy the ARN.
  b. In IAM > Roles, click the role that was created for your Security Lake configuration. Click Trust relationships > Edit trust policy.
  c. Add the event function ARN in the following format:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:root",
          "arn:aws:iam::444455556666:role/lw-seclake-LaceworkAmazonSecurityLakeEventFunctionR-aBcDeFg"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external id>"
        }
      }
    }
  ]
}
```
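A check a practitioner can run against the trust policy above before declaring the deployment done, added here as an example rather than taken from the guide: it confirms the event function role is an allowed principal and that the grant is pinned to the expected External ID (the confused-deputy protection the condition provides). The account IDs and role name are the guide's sample values, and the `<external id>` placeholder is assumed to be the value you entered as the Security Lake Role External ID.

```python
# Sample values from the trust policy above (placeholders, not real accounts).
EVENT_FUNCTION_ROLE_ARN = (
    "arn:aws:iam::444455556666:role/"
    "lw-seclake-LaceworkAmazonSecurityLakeEventFunctionR-aBcDeFg"
)
EXPECTED_EXTERNAL_ID = "<external id>"  # assumption: the External ID entered in the stack

# The trust policy as shown in the guide, as a Python dict.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root", EVENT_FUNCTION_ROLE_ARN]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy: dict, role_arn: str, external_id: str) -> bool:
    """Return True only if an Allow statement grants sts:AssumeRole to role_arn
    by explicit ARN (a "*" principal does not count) AND pins sts:ExternalId to
    external_id. An AssumeRole grant with no ExternalId condition is rejected,
    since that is exactly the confused-deputy gap the condition closes."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if role_arn not in aws_principals:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(cond.get("sts:ExternalId", [])) == [external_id]:
            return True
    return False
```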
Troubleshoot this integration by monitoring the CloudWatch logs of two Lambda functions. One Lambda function is responsible for some of the initial setup during the CloudFormation deployment. The second Lambda function transforms Lacework security alerts into OCSF security findings for Security Lake.
Some initial setup during the CloudFormation deployment is handled by the Lambda function stack-name-LaceworkAmazonSecurityLakeSetupFunction-xxxx. Specifically, it configures the Alert Channel and Alert Rules required to send Lacework Security Alerts to the second Lambda function for transformation into OCSF and delivery to Amazon Security Lake. To investigate any issues, use the following steps:
- Go to Lambda in your AWS management console.
- Find the Lambda function with the name stack-name-LaceworkAmazonSecurityLakeSetupFunction-xxxx.
- Click the Monitor tab.
- Click the button View logs in CloudWatch to launch CloudWatch into a new tab.
- Open the log stream and check the debug output for errors.
If there are issues with Lacework FortiCNAPP Security Alerts being transformed into OCSF and delivered to Amazon Security Lake, investigate the Lambda function stack-name-LaceworkAmazonSecurityLakeEventFunction-xxxx. It transforms Lacework Security Alerts into OCSF Security Finding format and delivers them as Parquet files to the Security Lake S3 bucket. To investigate any issues, use the following steps:
- Go to Lambda in your AWS management console.
- Find the Lambda function with the name stack-name-LaceworkAmazonSecurityLakeEventFunction-xxxx.
- Click the Monitor tab.
- Click the button View logs in CloudWatch to launch CloudWatch into a new tab.
- Open the log stream and check the debug output for errors.
Updates to the integration are provided through CloudFormation template updates, which may upgrade the architecture and the Lambda functions.