Configure AWS S3 Bucket

You must configure the S3 bucket details before you can configure the SIEM integration in PMC. In AWS, set up the bucket and access to the bucket. This includes:

  • Create a bucket. When creating the bucket, be sure to note the bucket name and region. You need to enter this information when configuring the settings in PMC.
  • Create an access policy. When creating the access policy, the permissions required for the integration include: PutObject, ListAllMyBuckets, GetBucketAcl, and GetBucketLocation.
  • Add a user. When attaching a user to a policy, be sure to select Programmatic access as the access type and Attach existing policies directly as the permission type. Copy the Access ID and secret access key to a file; you need to enter the details when configuring the settings in PMC.
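
The access policy step above, as an added example that is not part of the original page or of the vendor's own tooling: it builds a policy document containing only the four listed permissions and audits any policy for extra actions or resources outside the bucket. The bucket name is a placeholder, and scoping each statement to the single bucket ARN is an assumption about how you want to restrict the integration user; ListAllMyBuckets is kept on "*" because AWS does not support resource-level scoping for it.

```python
import json

# The four permissions the page lists, written with their IAM "s3:" prefix.
BUCKET_ACTIONS = ["s3:GetBucketAcl", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject"]
ACCOUNT_ACTIONS = ["s3:ListAllMyBuckets"]  # account-level: Resource must be "*"
REQUIRED = set(BUCKET_ACTIONS + OBJECT_ACTIONS + ACCOUNT_ACTIONS)


def build_policy(bucket):
    """Return a policy granting only the four actions, scoped to one bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteEvents", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": f"{arn}/*"},
            {"Sid": "ReadBucketMetadata", "Effect": "Allow",
             "Action": BUCKET_ACTIONS, "Resource": arn},
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": ACCOUNT_ACTIONS, "Resource": "*"},
        ],
    }


def audit_policy(policy, bucket):
    """Return findings: extra actions, unscoped resources, missing actions."""
    arn = f"arn:aws:s3:::{bucket}"
    findings, granted = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            granted.add(a)
            if a not in REQUIRED:  # wildcards such as "s3:*" land here
                findings.append(f"extra action: {a}")
            elif a not in ACCOUNT_ACTIONS:
                for r in resources:
                    if r != arn and not r.startswith(arn + "/"):
                        findings.append(f"{a} not scoped to {bucket}: {r}")
    findings += [f"missing action: {a}" for a in sorted(REQUIRED - granted)]
    return findings


if __name__ == "__main__":
    # "example-pmc-siem-events" is a constructed placeholder bucket name.
    print(json.dumps(build_policy("example-pmc-siem-events"), indent=2))
```

Running the script prints JSON that can be pasted into the policy editor when creating the access policy; `audit_policy` can be pointed at an existing policy document to see where it grants more than the integration needs.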

For more information, please see the following AWS documentation:

Add the AWS S3 Bucket in PMC

  1. Select Configuration, and then select SIEM Settings.
  2. Select Enable SIEM Integration to turn on the feature.
  3. From the Integration Type list, select S3.
  4. Enter the details for your storage site:
    • Access Key ID: Enter the value created when you added the user.
    • Secret Access Key: Enter the value created when you added the user.
    • Bucket: Enter the name of the S3 bucket.
    • Region: Select or search for the name of the region where your storage bucket resides.
  5. Select the data format: CEF - Common Event Format or ECS - Elastic Common Schema.
  6. Select Server-Side Encryption to encrypt files sent to the S3 bucket using the default AWS encryption key.
  7. Click Validate Settings to test the connection to your storage site.
  8. Click Save Settings.

If you no longer want the SIEM integration active, click Enable SIEM Integration to turn the feature off.