AWS Security Lake – Wiz.io Cloud Native Application Protection Platform (CNAPP)
AWS Security Lake centralizes security data from cloud, on-premises, and custom sources into a data lake that’s stored in your AWS account. By integrating with Organizations, you can create a data lake that collects logs and events across your accounts. Wiz.io CNAPP is a unified cloud security platform for cloud security and development teams that includes prevention, active detection, and response.
Query integrations with Amazon Security Lake, regarding Wiz CNAPP, to surface details about:
- Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
- Process Names (mapped to process.name)
- File Name (mapped to process.file.path and malware.path)
This allows analysts to quickly search for the full and partial GUIDs of protected resources, suspected malicious process names, or malicious file names.
The following Entities, Events and Objects are supported by Query for those data points. For more information about this terminology, refer to the Normalization and the Query Data Model (QDM) section of the docs or check out our QDM Schema website.
Entities:
- Resource ID (mapped to finding,uid, finding_info.uid, and resources.uid)
- Process Names (mapped to process.name)
- File Name (mapped to process.file.path and malware.path)
Events:
- Security Findings
For example, the analyst could obtain the following context:
- Searching for a suspected process name will show all web protected resource ID’s in the Wiz.io CNAPP that contains that suspected process name.
- Searching for a malicious malware file name will show all web protected resource ID’s in the Wiz.io CNAPP that contains the suspected malicious file names.
To integrate AWS Security Lake, Wiz.io CNAPP, see integration documentation here.The integration will normalize data pulled from AWS WAFv2 into Query’s OCSF based QDM (Query Data Model) using the HTTP Activity Event Class which is modeled on OCSF’s HTTP Activity from OCSF v1.0.0-rc2.
