Third-party integrations with Security Lake - Amazon Security Lake
Query integrationAccenture – MxDRAqua SecurityBarracuda – Email ProtectionBooz Allen HamiltonBosch Software and Digital Solutions – AIShieldChaosSearchCisco Security – Secure FirewallClaroty – xDomeCMD SolutionsConfluent – Amazon S3 Sink ConnectorContrast SecurityCribl – SearchCribl – StreamCrowdStrike – Falcon Data ReplicatorCrowdStrike – Next Gen SIEMCyberArk – Unified Identify Security PlatformCyber Security Cloud – Cloud FastenerDataBahnDarktrace – Cyber AI LoopDatadogDeloitte – MXDR Cyber Analytics and AI Engine (CAE)DevoDXC – SecMonEviden – AIsaac (formerly Atos)ExtraHop – Reveal(x) 360FalcosidekickFortinet - Cloud Native FirewallGigamon – Application Metadata IntelligenceHoop CyberHTCD – AI-First Cloud Security PlatformIBM – QRadarInfosysInsbuiltKyndryl – AIOpsLacework – PolygraphLaminarMegazoneCloudMonadNETSCOUT – Omnis Cyber IntelligenceNetskope – CloudExchangeNew Relic ONEOkta – Workforce Identity CloudOrca – Cloud Security PlatformPalo Alto Networks – Prisma CloudPalo Alto Networks – XSOARPantherPing Identity – PingOnePwC – Fusion centerQuery.AI – Query Federated SearchRapid7 – InsightIDRRipJar – Labyrinth for Threat InvestigationsSailpointSecuronixSentinelOneSentra – Data Lifecyle Security PlatformSOC PrimeSplunkStellar CyberSumo LogicSwimlane – TurbineSysdig SecureTalonTaniumTCSTego CyberTines – No-code security automationTorq – Enterprise Security Automation PlatformTrellix – XDRTrend Micro – CloudOneUptycs – Uptycs XDRVectra AI – Vectra Detect for AWSVMware Aria Automation for Secure CloudsWazuhWiproWiz – CNAPPZscaler – Zscaler Posture Control

Third-party integrations with Security Lake

Amazon Security Lake integrates with multiple third-party providers. A provider may offer a source integration, a subscriber integration, or a service integration. Providers may offer one or more integration types.

Source integrations have the following properties:

Subscriber integrations have the following properties:

  • Read source data from Security Lake at an HTTPS endpoint or Amazon Simple Queue Service (Amazon SQS) queue, or by directly querying source data from AWS Lake Formation

  • Able to read data in Apache Parquet format

  • Able to read data in OCSF schema

Service integrations can help you implement Security Lake and other AWS services in your organization. They can also provide assistance with reporting, analytics, and other use cases.

To search for a specific partner provider, see the Partner Solutions Finder. To purchase a third-party product, see the AWS Marketplace.

To request to be added as a partner integration or become a Security Lake partner, send an email to .

If you use third-party integrations that send findings to AWS Security Hub, you can also review those findings in Security Lake if the Security Hub integration for Security Lake is enabled. For instructions on enabling the integration, see Integration with AWS Security Hub. For a list of third-party integrations that send findings to Security Hub, see Available third-party partner product integrations in the AWS Security Hub User Guide.

Before setting up your subscribers verify your subscriber's OCSF log support. For the latest details, review your subscriber's documentation.

Query integration

You can query the data that Security Lake stores in AWS Lake Formation databases and tables. You can also create third-party subscribers in the Security Lake console, API, or AWS Command Line Interface.

The Lake Formation data lake administrator must grant SELECT permissions on the relevant databases and tables to the IAM identity that queries the data. You must create a subscriber in Security Lake before querying data. For more information about how to create a subscriber with query access, see Managing query access for Security Lake subscribers.

You can configure query integration with Security Lake for the following third-party partners.

  • Cribl – Search

  • IBM – QRadar

  • Palo Alto Networks – XSOAR

  • Query.AI – Query Federated Search

  • SOC Prime

  • Splunk – Federated Analytics

  • Tego Cyber

Accenture – MxDR

Integration type: Subscriber, Service

Accenture's MxDR integration with Security Lake offers real-time data ingestion of logs and events, managed anomaly detection, threat hunting, and security operations. This aids analytics and managed detection and response (MDR).

As a service integration, Accenture can also help you implement Security Lake in your organization.

Integration documentation

Aqua Security

Integration type: Source

Aqua Security can be added as a custom source to send audit events to Security Lake. The audit events are converted into OCSF schema and Parquet format.

Integration documentation

Barracuda – Email Protection

Integration type: Source

Barracuda Email Protection can send events to Security Lake when new phishing email attacks are detected. You can receive these events alongside other security data in your data lake.

Integration documentation

Booz Allen Hamilton

Integration type: Service

As a service integration, Booz Allen Hamilton uses a data-driven approach to cybersecurity by fusing data and analytics with the Security Lake service.

Partner link

Bosch Software and Digital Solutions – AIShield

Integration type: Source

AIShield powered by Bosch provides automated vulnerability analysis and endpoint protection for AI assets through its integration with Security Lake.

Integration documentation

ChaosSearch

Integration type: Subscriber

ChaosSearch offers multi-model data access to users with open APIs such as Elasticsearch and SQL, or with the Kibana and Superset UIs included natively. You can consume your Security Lake data in ChaosSearch without retention limits to monitor, alert, and threat hunt. This helps you face today’s complex security environments and persistent threats.

Integration documentation

Cisco Security – Secure Firewall

Integration type: Source

By integrating Cisco Secure Firewall with Security Lake, you can store firewall logs in a structured and scalable manner. Cisco's eNcore client streams firewall logs from the Firewall Management Center, performs schema conversion to OCSF schema, and stores them in Security Lake.

Integration documentation

Claroty – xDome

Integration type: Source

Claroty xDome sends alerts detected within networks to Security Lake with minimal configuration. Flexible and rapid deployment options help xDome protect extended Internet of Things (XIoT) assets—consisting of IoT, IIoT, and BMS assets—within your network, while automatically detecting early indicators of threats.

Integration documentation

CMD Solutions

Integration type: Service

CMD Solutions helps businesses increase their agility by integrating security early and continuously through design, automation, and continuous assurance processes. As a service integration, CMD Solutions can help you implement Security Lake in your organization.

Partner link

Confluent – Amazon S3 Sink Connector

Integration type: Source

Confluent automatically connects, configures, and orchestrates data integrations with fully-managed, pre-built connectors. The Confluent S3 Sink Connector lets you take raw data and sink it into Security Lake at scale in native parquet format.

Integration documentation

Contrast Security

Integration type: Source

Partner product for the integration: Contrast Assess

Contrast Security Assess is an IAST tool offering real-time vulnerability detection in web apps, APIs, and microservices. Assess integrates with Security Lake to help provide centralized visibility for all your workloads.

Integration documentation

Integration type: Subscriber

You can use Cribl Search to search Security Lake data.

Integration documentation

Cribl – Stream

Integration type: Source

You can use Cribl Stream to send data from any Cribl supported third-party sources to Security Lake in OCSF schema.

Integration documentation

CrowdStrike – Falcon Data Replicator

Integration type: Source

This integration pulls data from the CrowdStrike Falcon Data Replicator on a continuous streaming basis, transforms the data into OCSF schema, and sends it to Security Lake.

Integration documentation

CrowdStrike – Next Gen SIEM

Integration type: Subscriber

Simplify ingestion of Security Lake data with the CrowdStrike Falcon Next-Gen SIEM data connector featuring native OCSF schema parsers. Falcon NG SIEM revolutionizes threat detection, investigation and response by bringing together unmatched security depth and breadth in one unified platform to stop breaches.

Integration documentation

CyberArk – Unified Identify Security Platform

Integration type: Source

CyberArk Audit Adapter, an AWS Lambda function, collects security events from CyberArk Identity Security Platform and sends the data to Security Lake in OCSF schema.

Integration documentation

Cyber Security Cloud – Cloud Fastener

Integration type: Subscriber

CloudFastener leverages Security Lake to make it easier to consolidate security data from your cloud environments.

Integration documentation

DataBahn

Integration type: Source

Centralize your security data in Security Lake using DataBahn’s Security Data Fabric.

Integration documentation (sign in to the DataBahn portal to review the documentation)

Darktrace – Cyber AI Loop

Integration type: Source

The Darktrace and Security Lake integration brings the power of Darktrace self-learning to Security Lake. Insights from Cyber AI Loop can be correlated against other data streams and elements of your organization's security stack. The integration logs Darktrace model breaches as security findings.

Integration documentation (sign in to the Darktrace portal to review the documentation)

Datadog

Integration type: Subscriber

Datadog Cloud SIEM detects real-time threats to your cloud environment, including data in Security Lake, and unifies DevOps and security teams in one platform.

Integration documentation

Deloitte – MXDR Cyber Analytics and AI Engine (CAE)

Integration type: Subscriber, Service

Deloitte MXDR CAE helps you quickly store, analyze, and visualize your standardized security data. The CAE suite of customized analytic, AI, and ML capabilities automatically provide actionable insights based on models that run against the OCSF-formatted data in Security Lake.

As a service integration, Deloitte can also help you implement Security Lake in your organization.

Integration documentation

Devo

Integration type: Subscriber

The Devo collector for AWS supports ingestion from Security Lake. This integration can help you analyze and address a variety of security use cases, such as threat detection, investigation, and incident response.

Integration documentation

DXC – SecMon

Integration type: Subscriber, Service

DXC SecMon collects security events from Security Lake and monitors them to detect and alert on potential security threats. This helps organizations gain a better understanding of their security posture and proactively identify and respond to threats.

As a service integration, DXC can also help you implement Security Lake in your organization.

Integration documentation

Eviden – AIsaac (formerly Atos)

Integration type: Subscriber

The AIsaac MDR platform consumes VPC Flow Logs ingested in OCSF schema in Security Lake and utilizes AI models for detecting threats.

Integration documentation

ExtraHop – Reveal(x) 360

Integration type: Source

You can enhance your workload and application security by integrating network data, including detections of IOCs, from ExtraHop Reveal(x) 360, to Security Lake in OCSF schema

Integration documentation

Falcosidekick

Integration type: Source

Falcosidekick collects and sends Falco events to Security Lake. This integration exports security events using the OCSF schema.

Integration documentation

Fortinet - Cloud Native Firewall

Integration type: Source

When creating FortiGate CNF instances in AWS, you can specify Amazon Security Lake as a log output destination.

Integration documentation

Gigamon – Application Metadata Intelligence

Integration type: Source

Gigamon Application Metadata Intelligence (AMI) empowers your observability, SIEM, and network performance monitoring tools with critical metadata attributes. This helps provide deeper application visibility so you can pinpoint performance bottlenecks, quality issues, and potential network security risks.

Integration documentation

Hoop Cyber

Integration type: Service

Hoop Cyber FastStart includes a data source assessment, prioritization, onboarding of data sources and helps customers query their data with existing tools and integrations offered through Security Lake.

Partner link

HTCD – AI-First Cloud Security Platform

Integration type: Subscriber

Gain instantaneous compliance automation, prioritization of security findings, and tailored patches. HTCD can query Security Lake to help you uncover threats with natural language queries and AI-driven insights.

Integration documentation

IBM – QRadar

Integration type: Subscriber

IBM Security QRadar SIEM with UAX integrates Security Lake with an analytics platform that identifies and prevents threats across hybrid clouds. This integration supports both data access and query access.

Integration documentation on consuming AWS CloudTrail logs

Integration documentation on using Amazon Athena for queries

Infosys

Integration type: Service

Infosys helps you customize your Security Lake implementation for your organizational needs and provides custom insights.

Partner link

Insbuilt

Integration type: Service

Insbuilt specializes in cloud consulting services and can help you understand how to implement Security Lake in your organization.

Partner link

Kyndryl – AIOps

Integration type: Subscriber, Service

Kyndryl integrates with Security Lake to provide interoperability of cyberdata, threat intelligence, and AI-powered analytics. As a data access subscriber, Kyndryl ingests AWS CloudTrail Management Events from Security Lake for analytics purposes.

As a service integration, Kyndryl can also help you implement Security Lake in your organization.

Integration documentation

Lacework – Polygraph

Integration type: Source

Lacework Polygraph® Data Platform integrates with Security Lake as a data source and provides security findings about vulnerabilities, misconfigurations, and known and unknown threats across your AWS environment.

Integration documentation

Laminar

Integration type: Source

Laminar sends data security events to Security Lake in OCSF schema, making them available for additional analytics use cases, such as incident response and investigation.

Integration documentation

MegazoneCloud

Integration type: Service

MegazoneCloud specializes in cloud consulting services and can help you understand how to implement Security Lake in your organization. We connect Security Lake with integrated ISV solutions to build custom tasks, and build customized insights related with customer needs.

Integration documentation

Monad

Integration type: Source

Monad automatically transforms your data into OCSF schema and sends it to your Security Lake data lake.

Integration documentation

NETSCOUT – Omnis Cyber Intelligence

Integration type: Source

By integrating with Security Lake, NETSCOUT becomes a custom source of security findings and detailed security insights into what’s happening in your enterprise, such as cyberthreats, security risks, and attack surface changes. These findings are produced in the customer account by NETSCOUT CyberStreams and Omnis Cyber Intelligence, and then sent to Security Lake in OCSF schema. The ingested data also meets other requirements and best practices for a Security Lake source, including format, schema, partitioning, and performance-related aspects.

Integration documentation

Netskope – CloudExchange

Integration type: Source

Netskope helps you strengthen your security posture by sharing security-related logs and threat information with Security Lake. Netskope findings are sent to Security Lake with a CloudExchange Plugin, which can be launched as a docker-based environment within AWS or in a local data center.

Integration documentation

New Relic ONE

Integration type: Subscriber

New Relic ONE is a Lambda-based subscriber application. It's deployed in your account, triggered by Amazon SQS, and sends data to New Relic using New Relic license keys

Integration documentation

Okta – Workforce Identity Cloud

Integration type: Source

Okta sends identity logs to Security Lake in OCSF schema through an Amazon EventBridge integration. Okta System Logs in OCSF schema will help security and data scientist teams to query security events by an open source standard. Generating standardized OCSF logs from Okta helps you perform audit activities and generate reports related to authentication, authorization, account changes, and entity changes under a consistent schema.

Integration documentation

AWS CloudFormation template to add Okta as a custom source in Security Lake

Orca – Cloud Security Platform

Integration type: Source

The Orca agentless cloud security platform for AWS integrates with Security Lake by sending Cloud Detection and Response (CDR) events in OCSF schema.

Integration documentation (sign in to the Orca portal to review the documentation)

Palo Alto Networks – Prisma Cloud

Integration type: Source

Palo Alto Networks Prisma Cloud aggregates vulnerability detection data across VMs in your cloud-native environments and sends it to Security Lake.

Integration documentation

Palo Alto Networks – XSOAR

Integration type: Suscriber

Palo Alto Networks XSOAR has built a subscriber integration with XSOAR and Security Lake.

Integration documentation

Panther

Integration type: Subscriber

Panther supports ingesting Security Lake logs for use in search and detection.

Integration documentation

Ping Identity – PingOne

Integration type: Source

PingOne sends account modification alerts to Security Lake in OCSF schema and Parquet format, allowing you to discover and act upon account changes.

Integration documentation

PwC – Fusion center

Integration type: Subscriber, Service

PwC brings knowledge and expertise to aid clients in implementing a fusion center to meet their individual needs. Built on Amazon Security Lake, a fusion center provides the ability to combine data from a variety of sources to create a centralized, near real-time view.

Integration documentation

Query.AI – Query Federated Search

Integration type: Subscriber

Query Federated Search can directly query any Security Lake table via Amazon Athena to support incident response, investigations, threat hunting, and general search across a variety of Observables, Events, and Objects in the OCSF schema.

Integration documentation

Rapid7 – InsightIDR

Integration type: Subscriber

InsightIDR, the Rapid7 SIEM/XDR solution, can ingest logs in Security Lake for threat detection and investigation of suspicious activity.

Integration documentation

RipJar – Labyrinth for Threat Investigations

Integration type: Subscriber

Labyrinth for Threat Investigations provides an enterprise-wide approach to threat exploration at scale based on data fusion, with fine-grained security, adaptable workflows, and reporting.

Integration documentation

Sailpoint

Integration type: Source

Partner product for the integration: SailPoint IdentityNow

This integration enables customers to transform event data from SailPoint IdentityNow. The integration is intended to provide an automated process to bring IdentityNow user activity and governance events into Security Lake to improve insights from security incident and event monitoring products.

Integration documentation

Securonix

Integration type: Subscriber

Securonix Next-Gen SIEM integrates with Security Lake, empowering security teams to ingest data more quickly and expand their detection and response capabilities.

Integration documentation

SentinelOne

Integration type: Subscriber

The SentinelOne Singularity™ XDR Platform extends real-time detection and response to endpoint, identity, and cloud workloads running on on-premises and public cloud infrastructure, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), and Amazon Elastic Kubernetes Service (Amazon EKS).

Integration documentation (sign in to the SentinelOne portal to review the documentation)

Sentra – Data Lifecyle Security Platform

Integration type: Source

After deploying the Sentra scanning infrastructure in your account, Sentra fetches findings and ingest them into your SaaS. These findings are metadata that Sentra stores and later streams to Security Lake in OCSF schema for querying.

Integration documentation

SOC Prime

Integration type: Subscriber

SOC Prime integrates with Security Lake through Amazon OpenSearch Service and Amazon Athena to facilitate smart data orchestration and threat hunting based on zero trust milestones. SOC Prime empowers security teams to increase threat visibility and investigate incidents without an overwhelming volume of alerts. You can save development time with reusable rules and queries that are automatically convertible to Athena and OpenSearch Service in the OCSF schema.

Integration documentation

Splunk

Integration type: Subscriber

The Splunk AWS Add-On for Amazon Web Services (AWS) supports ingestion from Security Lake. This integration helps you accelerate threat detection, investigation, and response by subscribing to data in OCSF schema from Security Lake.

Integration documentation

Stellar Cyber

Integration type: Subscriber

Stellar Cyber consumes logs from Security Lake and adds the records to the Stellar Cyber data lake. This connector uses OCSF schema.

Integration documentation

Sumo Logic

Integration type: Subscriber

Sumo Logic consumes data from Security Lake and provides broad visibility across AWS, on-premise, and hybrid cloud environments. Sumo Logic gives security teams comprehensive visibility, automation, and threat monitoring across all of their security tools.

Integration documentation

Swimlane – Turbine

Integration type: Subscriber

Swimlane ingests data from Security Lake in OCSF schema, and sends the data through low-code playbooks and case management to facilitate faster threat detection, investigation, and incident response.

Integration documentation (sign in to the Swimlane portal to review the documentation)

Sysdig Secure

Integration type: Source

Sysdig Secure's cloud-native application protection platform (CNAPP) sends security events to Security Lake to maximize oversight, streamline investigations, and simplify compliance.

Integration documentation

Talon

Integration type: Source

Partner product for the integration: Talon Enterprise Browser

Talon's Enterprise Browser, a secure and isolated browser-based endpoint environment, sends Talon Access, data protection, SaaS actions, and security events to Security Lake providing visibility and options to cross-correlate events for detection, forensics, and investigations.

Integration documentation (sign in to the Talon portal to review the documentation)

Tanium

Integration type: Source

Tanium Unified Cloud Endpoint Detection, Management, and Security Platform provides inventory data to Security Lake in OCSF schema.

Integration documentation

TCS

Integration type: Service

The TCS AWS Business Unit offers innovation, experience, and talent. This integration is powered by a decade of joint value creation, deep industry knowledge, technology expertise, and delivery wisdom. As a service integration, TCS can help you implement Security Lake in your organization.

Integration documentation

Tego Cyber

Integration type: Subscriber

Tego Cyber integrates with Security Lake to help you swiftly detect and investigate potential security threats. By correlating diverse threat indicators across extensive time frames and log sources, Tego Cyber uncovers hidden threats. The platform is enriched with highly contextual threat intelligence, providing precision and insight in threat detection and investigations.

Integration documentation

Tines – No-code security automation

Integration type: Subscriber

Tines No-code security automation helps you make more accurate decisions by leveraging security data centralized in Security Lake.

Integration documentation

Torq – Enterprise Security Automation Platform

Integration type: Source, Subscriber

Torq seamlessly integrates with Security Lake as both a custom source and a subscriber. Torq helps you implement enterprise-scale automation and orchestration with a simple no-code platform.

Integration documentation

Trellix – XDR

Integration type: Source, Subscriber

As an open XDR platform, Trellix XDR supports the Security Lake integration. Trellix XDR can leverage data in OCSF schema for security analytics use cases. You can also augment your Security Lake data lake with 1,000+ sources of security events in Trellix XDR. This helps you extend detection and response capabilities for your AWS environment. Ingested data is correlated with other security risks, providing you with the necessary playbooks to respond to a risk in a timely manner.

Integration documentation

Trend Micro – CloudOne

Integration type: Source

Trend Micro CloudOne Workload Security sends the following information to Security Lake from your Amazon Elastic Compute Cloud (EC2) instances:

  • DNS Query activity

  • File activity

  • Network activity

  • Process activity

  • Registry Value activity

  • User Account activity

Integration documentation

Uptycs – Uptycs XDR

Integration type: Source

Uptycs sends a wealth of data in OCSF schema from on-premises and cloud assets to Security Lake. The data includes behavioral threat detections from endpoints and cloud workloads, anomaly detections, policy violations, risky policies, misconfigurations, and vulnerabilities.

Integration documentation

Vectra AI – Vectra Detect for AWS

Integration type: Source

By using Vectra Detect for AWS, you can send high-fidelity alerts to Security Lake as a custom source using a dedicated AWS CloudFormation template.

Integration documentation

VMware Aria Automation for Secure Clouds

Integration type: Source

With this integration, you can detect cloud misconfigurations and send them to Security Lake for advanced analysis.

Integration documentation

Wazuh

Integration type: Subscriber

Wazuh aims to securely handle user data, provide query access for each source, and optimize querying costs.

Integration documentation

Wipro

Integration type: Source, Service

This integration allows you to collect data from the Wipro Cloud Application Risk Governance (CARG) platform to provide a unified view of your cloud applications and compliance postures across an enterprise.

As a service integration, Wipro can also help you implement Security Lake in your organization.

Integration documentation

Wiz – CNAPP

Integration type: Source

The integration between Wiz and Security Lake facilitates cloud security data collection in a single security data lake by leveraging the OCSF schema, an open source standard designed for extensible and normalized security data exchange.

Integration documentation (sign in to the Wiz portal to review the documentation)

Zscaler – Zscaler Posture Control

Integration type: Source

Zscaler Posture Control™, a cloud native application protection platform, sends security findings to Security Lake in OCSF schema.

Integration documentation