Third-party integrations with Security Lake - Amazon Security Lake

Third-party integrations with Security Lake

Amazon Security Lake integrates with multiple third-party providers. A provider may offer a source integration, a subscriber integration, or a service integration. Providers may offer one or more integration types.

Source integrations have the following properties:

Subscriber integrations have the following properties:

  • Read source data from Security Lake at an HTTPS endpoint or Amazon Simple Queue Service (Amazon SQS) queue, or by directly querying source data from AWS Lake Formation

  • Able to read data in Apache Parquet format

  • Able to read data in OCSF schema

Service integrations can help you implement Security Lake and other AWS services in your organization. They can also provide assistance with reporting, analytics, and other use cases.

To search for a specific partner provider, see the Partner Solutions Finder. To purchase a third-party product, see the AWS Marketplace.

To request to be added as a partner integration or become a Security Lake partner, send an email to .

If you use third-party integrations that send findings to AWS Security Hub, you can also review those findings in Security Lake if the Security Hub integration for Security Lake is enabled. For instructions on enabling the integration, see Integration with AWS Security Hub. For a list of third-party integrations that send findings to Security Hub, see Available third-party partner product integrations in the AWS Security Hub User Guide.

Before setting up your subscribers, verify your subscriber's OCSF log support. For the latest details, review your subscriber's documentation.

Query integration

You can query the data that Security Lake stores in AWS Lake Formation databases and tables. You can also create third-party subscribers in the Security Lake console, API, or AWS Command Line Interface.

The Lake Formation data lake administrator must grant SELECT permissions on the relevant databases and tables to the IAM identity that queries the data. You must create a subscriber in Security Lake before querying data. For more information about how to create a subscriber with query access, see Managing query access for Security Lake subscribers.

You can configure query integration with Security Lake for the following third-party partners.

  • Palo Alto Networks – XSOAR

  • IBM – QRadar

  • SOC Prime

  • Tego Cyber

  • Cribl – Search

Accenture – MxDR

Integration type: Subscriber, Service

Accenture's MxDR integration with Security Lake offers real-time data ingestion of logs and events, managed anomaly detection, threat hunting, and security operations. This aids analytics and managed detection and response (MDR).

As a service integration, Accenture can also help you implement Security Lake in your organization.

Integration documentation

Aqua Security

Integration type: Source

Aqua Security can be added as a custom source to send audit events to Security Lake. The audit events are converted into OCSF schema and Parquet format.

Integration documentation

Barracuda – Email Protection

Integration type: Source

Barracuda Email Protection can send events to Security Lake when new phishing email attacks are detected. You can receive these events alongside other security data in your data lake.

Integration documentation

Booz Allen Hamilton

Integration type: Service

As a service integration, Booz Allen Hamilton uses a data-driven approach to cybersecurity by fusing data and analytics with the Security Lake service.

Partner link

ChaosSearch

Integration type: Subscriber

ChaosSearch offers multi-model data access to users with open APIs such as Elasticsearch and SQL, or with the Kibana and Superset UIs included natively. You can consume your Security Lake data in ChaosSearch without retention limits to monitor, alert, and threat hunt. This helps you face today’s complex security environments and persistent threats.

Integration documentation

Cisco Security – Secure Firewall

Integration type: Source

By integrating Cisco Secure Firewall with Security Lake, you can store firewall logs in a structured and scalable manner. Cisco's eNcore client streams firewall logs from the Firewall Management Center, performs schema conversion to OCSF schema, and stores them in Security Lake.

Integration documentation

Claroty – xDome

Integration type: Source

Claroty xDome sends alerts detected within networks to Security Lake with minimal configuration. Flexible and rapid deployment options help xDome protect extended Internet of Things (XIoT) assets—consisting of IoT, IIoT, and BMS assets—within your network, while automatically detecting early indicators of threats.

Integration documentation

CMD Solutions

Integration type: Service

CMD Solutions helps businesses increase their agility by integrating security early and continuously through design, automation, and continuous assurance processes. As a service integration, CMD Solutions can help you implement Security Lake in your organization.

Partner link

Confluent – Amazon S3 Sink Connector

Integration type: Source

Confluent automatically connects, configures, and orchestrates data integrations with fully managed, pre-built connectors. The Confluent S3 Sink Connector lets you take raw data and sink it into Security Lake at scale in native Parquet format.

Integration documentation

Contrast Security

Integration type: Source

Partner product for the integration: Contrast Assess

Contrast Security Assess is an IAST tool offering real-time vulnerability detection in web apps, APIs, and microservices. Assess integrates with Security Lake to help provide centralized visibility for all your workloads.

Integration documentation

Cribl – Search

Integration type: Subscriber

You can use Cribl Search to search Security Lake data.

Integration documentation

Cribl – Stream

Integration type: Source

You can use Cribl Stream to send data from any Cribl-supported third-party source to Security Lake in OCSF schema.

Integration documentation

CrowdStrike – Falcon Data Replicator

Integration type: Source

This integration pulls data from the CrowdStrike Falcon Data Replicator on a continuous streaming basis, transforms the data into OCSF schema, and sends it to Security Lake.

Integration documentation

CyberArk – Unified Identity Security Platform

Integration type: Source

CyberArk Audit Adapter, an AWS Lambda function, collects security events from CyberArk Identity Security Platform and sends the data to Security Lake in OCSF schema.

Integration documentation

Darktrace – Cyber AI Loop

Integration type: Source

The Darktrace and Security Lake integration brings the power of Darktrace self-learning to Security Lake. Insights from Cyber AI Loop can be correlated against other data streams and elements of your organization's security stack. The integration logs Darktrace model breaches as security findings.

Integration documentation (sign in to the Darktrace portal to review the documentation)

Datadog

Integration type: Subscriber

Datadog Cloud SIEM detects real-time threats to your cloud environment, including data in Security Lake, and unifies DevOps and security teams in one platform.

Integration documentation

Deloitte – MXDR Cyber Analytics and AI Engine (CAE)

Integration type: Subscriber, Service

Deloitte MXDR CAE helps you quickly store, analyze, and visualize your standardized security data. The CAE suite of customized analytic, AI, and ML capabilities automatically provides actionable insights based on models that run against the OCSF-formatted data in Security Lake.

As a service integration, Deloitte can also help you implement Security Lake in your organization.

Integration documentation

Devo

Integration type: Subscriber

The Devo collector for AWS supports ingestion from Security Lake. This integration can help you analyze and address a variety of security use cases, such as threat detection, investigation, and incident response.

Integration documentation

DXC – SecMon

Integration type: Subscriber, Service

DXC SecMon collects security events from Security Lake and monitors them to detect and alert on potential security threats. This helps organizations gain a better understanding of their security posture and proactively identify and respond to threats.

As a service integration, DXC can also help you implement Security Lake in your organization.

Integration documentation

Eviden – AIsaac (formerly Atos)

Integration type: Subscriber

The AIsaac MDR platform consumes VPC Flow Logs ingested in OCSF schema in Security Lake and utilizes AI models for detecting threats.

Integration documentation

ExtraHop – Reveal(x) 360

Integration type: Source

You can enhance your workload and application security by integrating network data, including detections of IOCs, from ExtraHop Reveal(x) 360 into Security Lake in OCSF schema.

Integration documentation

Falcosidekick

Integration type: Source

Falcosidekick collects and sends Falco events to Security Lake. This integration exports security events using the OCSF schema.

Integration documentation

Gigamon – Application Metadata Intelligence

Integration type: Source

Gigamon Application Metadata Intelligence (AMI) empowers your observability, SIEM, and network performance monitoring tools with critical metadata attributes. This helps provide deeper application visibility so you can pinpoint performance bottlenecks, quality issues, and potential network security risks.

Integration documentation

Hoop Cyber

Integration type: Service

Hoop Cyber FastStart includes a data source assessment, prioritization, onboarding of data sources and helps customers query their data with existing tools and integrations offered through Security Lake.

Partner link

IBM – QRadar

Integration type: Subscriber

IBM Security QRadar SIEM with UAX integrates Security Lake with an analytics platform that identifies and prevents threats across hybrid clouds. This integration supports both data access and query access.

Integration documentation on consuming AWS CloudTrail logs

Integration documentation on using Amazon Athena for queries

Infosys

Integration type: Service

Infosys helps you customize your Security Lake implementation for your organizational needs and provides custom insights.

Partner link

Insbuilt

Integration type: Service

Insbuilt specializes in cloud consulting services and can help you understand how to implement Security Lake in your organization.

Partner link

Kyndryl – AIOps

Integration type: Subscriber, Service

Kyndryl integrates with Security Lake to provide interoperability of cyberdata, threat intelligence, and AI-powered analytics. As a data access subscriber, Kyndryl ingests AWS CloudTrail Management Events from Security Lake for analytics purposes.

As a service integration, Kyndryl can also help you implement Security Lake in your organization.

Integration documentation

Lacework – Polygraph

Integration type: Source

Lacework Polygraph® Data Platform integrates with Security Lake as a data source and provides security findings about vulnerabilities, misconfigurations, and known and unknown threats across your AWS environment.

Integration documentation

Laminar

Integration type: Source

Laminar sends data security events to Security Lake in OCSF schema, making them available for additional analytics use cases, such as incident response and investigation.

Integration documentation

MegazoneCloud

Integration type: Service

MegazoneCloud specializes in cloud consulting services and can help you understand how to implement Security Lake in your organization. MegazoneCloud connects Security Lake with integrated ISV solutions to build custom tasks and customized insights related to customer needs.

Integration documentation

Monad

Integration type: Source

Monad automatically transforms your data into OCSF schema and sends it to your Security Lake data lake.

Integration documentation

NETSCOUT – Omnis Cyber Intelligence

Integration type: Source

By integrating with Security Lake, NETSCOUT becomes a custom source of security findings and detailed security insights into what’s happening in your enterprise, such as cyberthreats, security risks, and attack surface changes. These findings are produced in the customer account by NETSCOUT CyberStreams and Omnis Cyber Intelligence, and then sent to Security Lake in OCSF schema. The ingested data also meets other requirements and best practices for a Security Lake source, including format, schema, partitioning, and performance-related aspects.

Integration documentation

Netskope – CloudExchange

Integration type: Source

Netskope helps you strengthen your security posture by sharing security-related logs and threat information with Security Lake. Netskope findings are sent to Security Lake with a CloudExchange plugin, which can be launched as a Docker-based environment within AWS or in a local data center.

Integration documentation

New Relic ONE

Integration type: Subscriber

New Relic ONE is a Lambda-based subscriber application. It's deployed in your account, triggered by Amazon SQS, and sends data to New Relic using New Relic license keys.

Integration documentation

Okta – Workforce Identity Cloud

Integration type: Source

Okta sends identity logs to Security Lake in OCSF schema through an Amazon EventBridge integration. Okta System Logs in OCSF schema help security and data science teams query security events using an open source standard. Generating standardized OCSF logs from Okta helps you perform audit activities and generate reports related to authentication, authorization, account changes, and entity changes under a consistent schema.

Integration documentation

AWS CloudFormation template to add Okta as a custom source in Security Lake

Orca – Cloud Security Platform

Integration type: Source

The Orca agentless cloud security platform for AWS integrates with Security Lake by sending Cloud Detection and Response (CDR) events in OCSF schema.

Integration documentation (sign in to the Orca portal to review the documentation)

Palo Alto Networks – Prisma Cloud

Integration type: Source

Palo Alto Networks Prisma Cloud aggregates vulnerability detection data across VMs in your cloud-native environments and sends it to Security Lake.

Integration documentation

Palo Alto Networks – XSOAR

Integration type: Source

Palo Alto Networks has built a subscriber integration between XSOAR and Security Lake.

Integration documentation

Ping Identity – PingOne

Integration type: Source

PingOne sends account modification alerts to Security Lake in OCSF schema and Parquet format, allowing you to discover and act upon account changes.

Integration documentation

PwC – Fusion center

Integration type: Subscriber, Service

PwC brings knowledge and expertise to aid clients in implementing a fusion center to meet their individual needs. Built on Amazon Security Lake, a fusion center provides the ability to combine data from a variety of sources to create a centralized, near real-time view.

Integration documentation

Rapid7 – InsightIDR

Integration type: Subscriber

InsightIDR, the Rapid7 SIEM/XDR solution, can ingest logs in Security Lake for threat detection and investigation of suspicious activity.

Integration documentation

RipJar – Labyrinth for Threat Investigations

Integration type: Subscriber

Labyrinth for Threat Investigations provides an enterprise-wide approach to threat exploration at scale based on data fusion, with fine-grained security, adaptable workflows, and reporting.

Integration documentation

Sailpoint

Integration type: Source

Partner product for the integration: SailPoint IdentityNow

This integration enables customers to transform event data from SailPoint IdentityNow. The integration is intended to provide an automated process to bring IdentityNow user activity and governance events into Security Lake to improve insights from security incident and event monitoring products.

Integration documentation

Securonix

Integration type: Subscriber

Securonix Next-Gen SIEM integrates with Security Lake, empowering security teams to ingest data more quickly and expand their detection and response capabilities.

Integration documentation

SentinelOne

Integration type: Subscriber

The SentinelOne Singularity™ XDR Platform extends real-time detection and response to endpoint, identity, and cloud workloads running on on-premises and public cloud infrastructure, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Kubernetes Service (Amazon EKS).

Integration documentation (sign in to the SentinelOne portal to review the documentation)

Sentra – Data Lifecycle Security Platform

Integration type: Source

After deploying the Sentra scanning infrastructure in your account, Sentra fetches findings and ingests them into your SaaS. These findings are metadata that Sentra stores and later streams to Security Lake in OCSF schema for querying.

Integration documentation

SOC Prime

Integration type: Subscriber

SOC Prime integrates with Security Lake through Amazon OpenSearch Service and Amazon Athena to facilitate smart data orchestration and threat hunting based on zero trust milestones. SOC Prime empowers security teams to increase threat visibility and investigate incidents without an overwhelming volume of alerts. You can save development time with reusable rules and queries that are automatically convertible to Athena and OpenSearch Service in the OCSF schema.

Integration documentation

Splunk

Integration type: Subscriber

The Splunk Add-on for Amazon Web Services (AWS) supports ingestion from Security Lake. This integration helps you accelerate threat detection, investigation, and response by subscribing to data in OCSF schema from Security Lake.

Integration documentation

Stellar Cyber

Integration type: Subscriber

Stellar Cyber consumes logs from Security Lake and adds the records to the Stellar Cyber data lake. This connector uses OCSF schema.

Integration documentation

Sumo Logic

Integration type: Subscriber

Sumo Logic consumes data from Security Lake and provides broad visibility across AWS, on-premises, and hybrid cloud environments. Sumo Logic gives security teams comprehensive visibility, automation, and threat monitoring across all of their security tools.

Integration documentation

Swimlane – Turbine

Integration type: Subscriber

Swimlane ingests data from Security Lake in OCSF schema, and sends the data through low-code playbooks and case management to facilitate faster threat detection, investigation, and incident response.

Integration documentation (sign in to the Swimlane portal to review the documentation)

Sysdig Secure

Integration type: Source

Sysdig Secure's cloud-native application protection platform (CNAPP) sends security events to Security Lake to maximize oversight, streamline investigations, and simplify compliance.

Integration documentation

Talon

Integration type: Source

Partner product for the integration: Talon Enterprise Browser

Talon's Enterprise Browser, a secure and isolated browser-based endpoint environment, sends Talon Access, data protection, SaaS action, and security events to Security Lake, providing visibility and options to cross-correlate events for detection, forensics, and investigations.

Integration documentation (sign in to the Talon portal to review the documentation)

Tanium

Integration type: Source

Tanium Unified Cloud Endpoint Detection, Management, and Security Platform provides inventory data to Security Lake in OCSF schema.

Integration documentation

TCS

Integration type: Service

The TCS AWS Business Unit offers innovation, experience, and talent. This integration is powered by a decade of joint value creation, deep industry knowledge, technology expertise, and delivery wisdom. As a service integration, TCS can help you implement Security Lake in your organization.

Integration documentation

Tego Cyber

Integration type: Subscriber

Tego Cyber integrates with Security Lake to help you swiftly detect and investigate potential security threats. By correlating diverse threat indicators across extensive time frames and log sources, Tego Cyber uncovers hidden threats. The platform is enriched with highly contextual threat intelligence, providing precision and insight in threat detection and investigations.

Integration documentation

Tines – No-code security automation

Integration type: Subscriber

Tines No-code security automation helps you make more accurate decisions by leveraging security data centralized in Security Lake.

Integration documentation

Torq – Enterprise Security Automation Platform

Integration type: Source, Subscriber

Torq seamlessly integrates with Security Lake as both a custom source and a subscriber. Torq helps you implement enterprise-scale automation and orchestration with a simple no-code platform.

Integration documentation

Trellix – XDR

Integration type: Source, Subscriber

As an open XDR platform, Trellix XDR supports the Security Lake integration. Trellix XDR can leverage data in OCSF schema for security analytics use cases. You can also augment your Security Lake data lake with 1,000+ sources of security events in Trellix XDR. This helps you extend detection and response capabilities for your AWS environment. Ingested data is correlated with other security risks, providing you with the necessary playbooks to respond to a risk in a timely manner.

Integration documentation

Trend Micro – CloudOne

Integration type: Source

Trend Micro CloudOne Workload Security sends the following information to Security Lake from your Amazon Elastic Compute Cloud (Amazon EC2) instances:

  • DNS Query activity

  • File activity

  • Network activity

  • Process activity

  • Registry Value activity

  • User Account activity

Integration documentation

Uptycs – Uptycs XDR

Integration type: Source

Uptycs sends a wealth of data in OCSF schema from on-premises and cloud assets to Security Lake. The data includes behavioral threat detections from endpoints and cloud workloads, anomaly detections, policy violations, risky policies, misconfigurations, and vulnerabilities.

Integration documentation

Vectra AI – Vectra Detect for AWS

Integration type: Source

By using Vectra Detect for AWS, you can send high-fidelity alerts to Security Lake as a custom source using a dedicated AWS CloudFormation template.

Integration documentation

VMware Aria Automation for Secure Clouds

Integration type: Source

With this integration, you can detect cloud misconfigurations and send them to Security Lake for advanced analysis.

Integration documentation

Wazuh

Integration type: Subscriber

Wazuh aims to securely handle user data, provide query access for each source, and optimize querying costs.

Integration documentation

Wipro

Integration type: Source, Service

This integration allows you to collect data from the Wipro Cloud Application Risk Governance (CARG) platform to provide a unified view of your cloud applications and compliance postures across an enterprise.

As a service integration, Wipro can also help you implement Security Lake in your organization.

Integration documentation

Wiz – CNAPP

Integration type: Source

The integration between Wiz and Security Lake facilitates cloud security data collection in a single security data lake by leveraging the OCSF schema, an open source standard designed for extensible and normalized security data exchange.

Integration documentation (sign in to the Wiz portal to review the documentation)

Zscaler – Zscaler Posture Control

Integration type: Source

Zscaler Posture Control™, a cloud native application protection platform, sends security findings to Security Lake in OCSF schema.

Integration documentation