Account Settings > Configuring SIEM storage
2. Click Add to add your bucket to the table.
   a. Enter the Bucket name from the AWS portal.
   b. A Prefix is optional.
   c. Click Save when you have finished. The bucket information is added to the table.
3. In the table, click the JSON link in the row for the bucket you just added.
   a.
   b. In the AWS Management Console, open the Bucket policy editor on the Permissions > Bucket policy tab of the AWS S3 Bucket Policy and paste the contents of the JSON pane.
   c.
4. In the table, click Check connection to test the connection to the S3 bucket in your account. If the connection is successful, a token file is written to confirm that files can be written to the bucket. The token number then appears in the connection_token object in the AWS S3 bucket (on the AWS Management Console). If a folder was created based on the contents of the prefix for the bucket, the connection_token appears in that folder.
   a. On the Check Connection page, paste the token number from the connection_token object.
   b. Click Check Connection to confirm that files written to the AWS S3 bucket can be read.
   c. Click Back when you are finished.
5. The Status column displays a green check mark if the token is confirmed. When the check mark appears, the bucket can be enabled for SIEM storage.
6. A single bucket must be selected as Active. SIEM data is exported to the active bucket.
7. Click Save to save all of your changes.
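Step 3 has you paste generated JSON into the bucket policy, so it is worth reviewing that JSON before saving it. The following is an added example, not part of the product or its documentation: it flags Allow statements that are broader than a write-and-read export scoped to the bucket prefix. The expected actions, account ID, bucket name and prefix are assumptions used for illustration.

```python
import json

# Assumption: the export only needs to write and read objects, which is what
# the Check connection step exercises. Adjust to what the JSON pane contains.
EXPECTED_ACTIONS = {"s3:PutObject", "s3:GetObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def review_policy(policy_json, bucket, prefix=""):
    """Return (sid, finding) pairs for Allow statements broader than expected."""
    scope = f"arn:aws:s3:::{bucket}/{prefix}"
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        principal = st.get("Principal")
        values = principal.values() if isinstance(principal, dict) else [principal]
        principals = [p for v in values for p in _as_list(v)]
        if "*" in principals and "Condition" not in st:
            findings.append((sid, "wildcard principal without a Condition"))
        for action in _as_list(st.get("Action", [])):
            if action not in EXPECTED_ACTIONS:
                findings.append((sid, f"unexpected action {action}"))
        for resource in _as_list(st.get("Resource", [])):
            if not resource.startswith(scope):
                findings.append((sid, f"resource {resource} is outside {scope}"))
    return findings

# Constructed samples: account ID, bucket name and prefix are placeholders.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "SiemExport", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::example-siem-bucket/siem/*"}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooWide", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-siem-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        print(name, review_policy(doc, "example-siem-bucket", "siem"))
```

An empty result means every Allow statement names a specific principal, uses only the expected actions, and stays inside the bucket prefix.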