CreateCustomLogSource - Amazon Security Lake

CreateCustomLogSource

Adds a third-party custom source in Amazon Security Lake, from the AWS Region where you want to create a custom source. Security Lake can collect logs and events from third-party custom sources. After creating the appropriate IAM role to invoke AWS Glue crawler, use this API to add a custom source name in Security Lake. This operation creates a partition in the Amazon S3 bucket for Security Lake as the target location for log files from the custom source. In addition, this operation also creates an associated AWS Glue table and an AWS Glue crawler.

Request Syntax

POST /v1/datalake/logsources/custom HTTP/1.1 Content-type: application/json { "configuration": { "crawlerConfiguration": { "roleArn": "string" }, "providerIdentity": { "externalId": "string", "principal": "string" } }, "eventClasses": [ "string" ], "sourceName": "string", "sourceVersion": "string" }

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

configuration

The configuration used for the third-party custom source.

Type: CustomLogSourceConfiguration object

Required: Yes

eventClasses

The Open Cybersecurity Schema Framework (OCSF) event classes which describes the type of data that the custom source will send to Security Lake. The supported event classes are:

  • ACCESS_ACTIVITY

  • FILE_ACTIVITY

  • KERNEL_ACTIVITY

  • KERNEL_EXTENSION

  • MEMORY_ACTIVITY

  • MODULE_ACTIVITY

  • PROCESS_ACTIVITY

  • REGISTRY_KEY_ACTIVITY

  • REGISTRY_VALUE_ACTIVITY

  • RESOURCE_ACTIVITY

  • SCHEDULED_JOB_ACTIVITY

  • SECURITY_FINDING

  • ACCOUNT_CHANGE

  • AUTHENTICATION

  • AUTHORIZATION

  • ENTITY_MANAGEMENT_AUDIT

  • DHCP_ACTIVITY

  • NETWORK_ACTIVITY

  • DNS_ACTIVITY

  • FTP_ACTIVITY

  • HTTP_ACTIVITY

  • RDP_ACTIVITY

  • SMB_ACTIVITY

  • SSH_ACTIVITY

  • CONFIG_STATE

  • INVENTORY_INFO

  • EMAIL_ACTIVITY

  • API_ACTIVITY

  • CLOUD_API

Type: Array of strings

Pattern: ^[A-Z\_0-9]*$

Required: No

sourceName

Specify the name for a third-party custom source. This must be a Regionally unique value. The sourceName you enter here, is used in the LogProviderRole name which follows the convention AmazonSecurityLake-Provider-{name of the custom source}-{region}. You must use a CustomLogSource name that is shorter than or equal to 20 characters. This ensures that the LogProviderRole name is below the 64 character limit.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Pattern: ^[\w\-\_\:\.]*$

Required: Yes

sourceVersion

Specify the source version for the third-party custom source, to limit log collection to a specific version of custom data source.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 32.

Pattern: ^[A-Za-z0-9\-\.\_]*$

Required: No

Response Syntax

HTTP/1.1 200 Content-type: application/json { "source": { "attributes": { "crawlerArn": "string", "databaseArn": "string", "tableArn": "string" }, "provider": { "location": "string", "roleArn": "string" }, "sourceName": "string", "sourceVersion": "string" } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

source

The third-party custom source that was created.

Type: CustomLogSourceResource object

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You do not have sufficient access to perform this action. Access denied errors appear when Amazon Security Lake explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific AWS action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement.

HTTP Status Code: 403

BadRequestException

The request is malformed or contains an error such as an invalid parameter value or a missing required parameter.

HTTP Status Code: 400

ConflictException

Occurs when a conflict with a previous successful write is detected. This generally occurs when the previous write did not have time to propagate to the host serving the current request. A retry (with appropriate backoff logic) is the recommended response to this exception.

HTTP Status Code: 409

InternalServerException

Internal service exceptions are sometimes caused by transient issues. Before you start troubleshooting, perform the operation again.

HTTP Status Code: 500

ResourceNotFoundException

The resource could not be found.

HTTP Status Code: 404

ThrottlingException

The limit on the number of requests per second was exceeded.

HTTP Status Code: 429

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: