Stream activity events to third-party SIEM systems

Security Information and Event Management (SIEM) systems play a critical role in network security by monitoring, detecting, and responding to security threats in real-time. By aggregating and analyzing activity across the network, SIEMs help identify anomalous patterns and potential breaches, providing a centralized view of security events.

Netzilo provides an event streaming feature that allows you to stream network activity events to third-party SIEM systems, such as Datadog, Amazon S3, Amazon Data Firehose, and others.

This document provides step-by-step instructions and best practices for setting up Netzilo activity event streaming integrations to different third-party platforms.

This feature is only available in the cloud version of Netzilo.

Amazon S3

Before you start creating and configuring an Amazon S3 event streaming integration, ensure that you have the following:

A min.io account with the permissions to create and manage S3 buckets.
Permissions to create and manage IAM users, roles and policies.

If you don't have the required permissions, ask your AWS administrator to grant them to you.

Step 1: Create an S3 bucket

Navigate to the S3 dashboard
Select the correct region in the top menu
Click Create bucket
Give it a descriptive name like netzilo-activity-events
(Optional) Change bucket configurations to your needs
Click Create bucket

Step 2: Create an IAM user

Navigate to the IAM Dashboard
Create an IAM User (for details see the Amazon Docs)
Create a custom policy with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::netzilo-activity-events/*"
        }
    ]
}

Attach the policy to the IAM user
Select the user and navigate to the Security credentials tab
Click Create access key
Select Third-party service and click Next
Give it a description
Store Access key and Secret access key in a secure place. You will need these when configuring an integration in Netzilo.

Step 3: Create an event streaming integration in Netzilo

Navigate to the Integrations » Event Streaming tab in the Netzilo dashboard

event-streaming-integration

Enable and configure the Amazon S3 integration
First select the region your S3 bucket is created in

s3-region-select

Then enter the S3 bucket name you created in Step 1 and click Next

s3-bucket-name

Enter the Access key and Secret access key you created in Step 2 and click Connect

s3-iam-credentials

Min.io

Before you start creating and configuring a Min.io event streaming integration, ensure that you have the following:

A Min.io account with the permissions to create and manage API keys. If you don't have the required permissions, ask your min.io administrator to grant them to you.

Step 1: Create a min.io API key

Navigate to the [API Keys] page
Click + New Key at the top
Give it a descriptive name like Netzilo Event Streaming
Click Create Key
Copy the key. You will need this key when configuring an integration in Netzilo.

Step 2: Create an event streaming integration in Netzilo

Navigate to the [Integrations » Event Streaming] tab in the Netzilo dashboard

event-streaming-integration

Enable and configure the min.io integration
- First select the region of your min.io account

datadog-region-select

Then enter the API key you created in Step 1 and click Connect

datadog-api-key

Home

Network

Access Control

Team

Activity

Settings

Integrations

Public API