Skip to main content

CyberArk Audit Delivers Security Event Information to Amazon Security Lake

CyberArk Audit Delivers Security Event Information to Amazon Security Lake

Organizations using CyberArk Identity Security products can streamline management of audit and security events for their IT environment compliance. CyberArk Audit transforms event information into Open Cybersecurity Schema Framework (OCSF) for consumption through Amazon Security Lake, which allows customers to build a security data lake from integrated cloud and on-premises data sources, as well as from their private applications. With support for the OCSF standard, Security Lake reduces the complexity and costs for customers to make their security solutions data accessible to address a variety of security use cases such as threat detection, investigation and incident response.

Working together to mitigate advanced attacks, CyberArk Identity Security Platform and Amazon Security Lake position organizations to rapidly collect, detect, alert and send findings to subscribers for further analytics.

The Integration

CyberArk Audit Adapter, a Lambda function, collects security event information from CyberArk Identity Security Platform and provides the data to Amazon Security Lake in OCSF format.  The deployed solution contains a Lambda function, which is activated based on an EventBridge rule. This rule is invoked every five minutes to query the audit service that collects information from the CyberArk Identity Security Platform, as shown in the flow below:

  1.  Invoke AWS EventBridge rule every five minutes
  2.  Request CyberArk Audit Subscription Credentials
  3. Query CyberArk Audit for new audits
  4. Store CyberArk Audit in OCSF format

CyberArk Identity Security Platform flow

Amazon Security Lake is a data lake for security logs built in the customer’s account. It is designed to optimize the cost of storing and querying massive security log sources, while maintaining good query performance and compatibility.  

CyberArk Audit is an adapter provided through the AWS CDK application and deployed in an Amazon Security Lake-empowered account.  Once the adapter stack is deployed, the function — which is triggered by an event rule — is permitted to read secrets and write to the Amazon Security Lake S3 bucket in OCSF standard. This contains all the relevant fields with audit events. 

This streamlined CyberArk integration with AWS Security Lake can help your organization get up and running quickly and securely. Visit the CyberArk Marketplace page for Amazon Security Lake Adapter integration to learn more.

CyberArk integration with AWS Security Lake

Get Started

CyberArk and AWS empower customers to follow the shared responsibility model, enhancing security without compromising productivity.  CyberArk is an AWS Advanced Technology Partner, providing technical and go-to-market support. Check out CyberArk and AWS: Better Together for more insights. Explore more than 15 out-of-the-box integrations between CyberArk and AWS services to enhance customer security that are available on the CyberArk Marketplace.