CreateCustomLogSource

Adds a third-party custom source in Amazon Security Lake, from the AWS Region where you want to create a custom source. Security Lake can collect logs and events from third-party custom sources. After creating the appropriate IAM role to invoke AWS Glue crawler, use this API to add a custom source name in Security Lake. This operation creates a partition in the Amazon S3 bucket for Security Lake as the target location for log files from the custom source in addition to an associated AWS Glue table and an AWS Glue crawler.

Request Syntax

POST /v1/logsources/custom HTTP/1.1
Content-type: application/json

{
   "customSourceName": "string",
   "eventClass": "string",
   "glueInvocationRoleArn": "string",
   "logProviderAccountId": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

customSourceName

The name for a third-party custom source. This must be a Regionally unique value.

Type: String

Pattern: ^[\\\w\-_:/.]*$

Required: Yes

eventClass

The Open Cybersecurity Schema Framework (OCSF) event class which describes the type of data that the custom source will send to Security Lake.

Type: String

Valid Values: ACCESS_ACTIVITY | FILE_ACTIVITY | KERNEL_ACTIVITY | KERNEL_EXTENSION | MEMORY_ACTIVITY | MODULE_ACTIVITY | PROCESS_ACTIVITY | REGISTRY_KEY_ACTIVITY | REGISTRY_VALUE_ACTIVITY | RESOURCE_ACTIVITY | SCHEDULED_JOB_ACTIVITY | SECURITY_FINDING | ACCOUNT_CHANGE | AUTHENTICATION | AUTHORIZATION | ENTITY_MANAGEMENT_AUDIT | DHCP_ACTIVITY | NETWORK_ACTIVITY | DNS_ACTIVITY | FTP_ACTIVITY | HTTP_ACTIVITY | RDP_ACTIVITY | SMB_ACTIVITY | SSH_ACTIVITY | CLOUD_API | CONTAINER_LIFECYCLE | DATABASE_LIFECYCLE | CONFIG_STATE | CLOUD_STORAGE | INVENTORY_INFO | RFB_ACTIVITY | SMTP_ACTIVITY | VIRTUAL_MACHINE_ACTIVITY

Required: Yes

glueInvocationRoleArn

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler. The recommended IAM policies are:

• The managed policy AWSGlueServiceRole

• A custom policy granting access to your Amazon S3 Data Lake

Type: String

Pattern: ^arn:.*

Required: Yes

logProviderAccountId

The AWS account ID of the custom source that will write logs and events into the Amazon S3 Data Lake.

Type: String

Length Constraints: Fixed length of 12.

Pattern: ^\d+$

Required: Yes

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "customDataLocation": "string",
   "glueCrawlerName": "string",
   "glueDatabaseName": "string",
   "glueTableName": "string",
   "logProviderAccessRoleArn": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

customDataLocation

The location of the partition in the Amazon S3 bucket for Security Lake.

Type: String

glueCrawlerName

The name of the AWS Glue crawler.

Type: String

glueDatabaseName

The AWS Glue database where results are written, such as: arn:aws:daylight:us-east-1::database/sometable/*.

Type: String

glueTableName

The table name of the AWS Glue crawler.

Type: String

logProviderAccessRoleArn

The ARN of the IAM role to be used by the entity putting logs into your custom source partition. Security Lake will apply the correct access policies to this role, but you must first manually create the trust policy for this role. The IAM role name must start with the text 'Security Lake'. The IAM role must trust the logProviderAccountId to assume the role.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You do not have sufficient access to perform this action. Access denied errors appear when Amazon Security Lake explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific AWS action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement.

HTTP Status Code: 403

AccountNotFoundException

Amazon Security Lake cannot find an AWS account with the accountID that you specified, or the account whose credentials you used to make this request isn't a member of an organization.

HTTP Status Code: 403

BucketNotFoundException

Amazon Security Lake generally returns 404 errors if the requested object is missing from the bucket.

HTTP Status Code: 409

ConflictSourceNamesException

There was a conflict when you attempted to modify a Security Lake source name.

HTTP Status Code: 400

InternalServerException

Internal service exceptions are sometimes caused by transient issues. Before you start troubleshooting, perform the operation again.

HTTP Status Code: 500

ResourceNotFoundException

The resource could not be found.

HTTP Status Code: 404

ValidationException

Your signing certificate could not be validated.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for JavaScript

• AWS SDK for PHP V3

• AWS SDK for Python

• AWS SDK for Ruby V3