CreateCustomLogSource
Adds a third-party custom source in Amazon Security Lake, from the AWS Region where you want to create a custom source. Security Lake can collect logs and events from third-party custom sources. After creating the appropriate IAM role to invoke AWS Glue crawler, use this API to add a custom source name in Security Lake. This operation creates a partition in the Amazon S3 bucket for Security Lake as the target location for log files from the custom source in addition to an associated AWS Glue table and an AWS Glue crawler.
Request Syntax
POST /v1/logsources/custom HTTP/1.1
Content-type: application/json
{
"customSourceName": "string
",
"eventClass": "string
",
"glueInvocationRoleArn": "string
",
"logProviderAccountId": "string
"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- customSourceName
-
The name for a third-party custom source. This must be a Regionally unique value.
Type: String
Pattern:
^[\\\w\-_:/.]*$
Required: Yes
- eventClass
-
The Open Cybersecurity Schema Framework (OCSF) event class which describes the type of data that the custom source will send to Security Lake.
Type: String
Valid Values:
ACCESS_ACTIVITY | FILE_ACTIVITY | KERNEL_ACTIVITY | KERNEL_EXTENSION | MEMORY_ACTIVITY | MODULE_ACTIVITY | PROCESS_ACTIVITY | REGISTRY_KEY_ACTIVITY | REGISTRY_VALUE_ACTIVITY | RESOURCE_ACTIVITY | SCHEDULED_JOB_ACTIVITY | SECURITY_FINDING | ACCOUNT_CHANGE | AUTHENTICATION | AUTHORIZATION | ENTITY_MANAGEMENT_AUDIT | DHCP_ACTIVITY | NETWORK_ACTIVITY | DNS_ACTIVITY | FTP_ACTIVITY | HTTP_ACTIVITY | RDP_ACTIVITY | SMB_ACTIVITY | SSH_ACTIVITY | CLOUD_API | CONTAINER_LIFECYCLE | DATABASE_LIFECYCLE | CONFIG_STATE | CLOUD_STORAGE | INVENTORY_INFO | RFB_ACTIVITY | SMTP_ACTIVITY | VIRTUAL_MACHINE_ACTIVITY
Required: Yes
- glueInvocationRoleArn
-
The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler. The recommended IAM policies are:
-
The managed policy
AWSGlueServiceRole
-
A custom policy granting access to your Amazon S3 Data Lake
Type: String
Pattern:
^arn:.*
Required: Yes
-
- logProviderAccountId
-
The AWS account ID of the custom source that will write logs and events into the Amazon S3 Data Lake.
Type: String
Length Constraints: Fixed length of 12.
Pattern:
^\d+$
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"customDataLocation": "string",
"glueCrawlerName": "string",
"glueDatabaseName": "string",
"glueTableName": "string",
"logProviderAccessRoleArn": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- customDataLocation
-
The location of the partition in the Amazon S3 bucket for Security Lake.
Type: String
- glueCrawlerName
-
The name of the AWS Glue crawler.
Type: String
- glueDatabaseName
-
The AWS Glue database where results are written, such as:
arn:aws:daylight:us-east-1::database/sometable/*
.Type: String
- glueTableName
-
The table name of the AWS Glue crawler.
Type: String
- logProviderAccessRoleArn
-
The ARN of the IAM role to be used by the entity putting logs into your custom source partition. Security Lake will apply the correct access policies to this role, but you must first manually create the trust policy for this role. The IAM role name must start with the text 'Security Lake'. The IAM role must trust the
logProviderAccountId
to assume the role.Type: String
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
You do not have sufficient access to perform this action. Access denied errors appear when Amazon Security Lake explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific AWS action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement.
HTTP Status Code: 403
- AccountNotFoundException
-
Amazon Security Lake cannot find an AWS account with the accountID that you specified, or the account whose credentials you used to make this request isn't a member of an organization.
HTTP Status Code: 403
- BucketNotFoundException
-
Amazon Security Lake generally returns 404 errors if the requested object is missing from the bucket.
HTTP Status Code: 409
- ConflictSourceNamesException
-
There was a conflict when you attempted to modify a Security Lake source name.
HTTP Status Code: 400
- InternalServerException
-
Internal service exceptions are sometimes caused by transient issues. Before you start troubleshooting, perform the operation again.
HTTP Status Code: 500
- ResourceNotFoundException
-
The resource could not be found.
HTTP Status Code: 404
- ValidationException
-
Your signing certificate could not be validated.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: