Set Up Amazon Security Lake
Amazon Security Lake must first be enabled in your AWS account. See Amazon Security Lake and Amazon Security Lake User Guide for help.
Add Barracuda Email Products as an External Data Source
Within your AWS account you must add Barracuda Networks as one or more External Data Sources.
You will need to provide the following information:
- Your (AWS Delegated Admin) AccountID
- The name for the custom data source
- The event class that will be sent (SECURITY_FINDING)
- The region ID where you will set up this external source
Set Up Barracuda Email Products
Once you have added a Barracuda Email product as an external data source within your AWS account, provide Barracuda Networks with the following information:
- The ARN (Amazon Resource Name) for the assume-role Barracuda Networks will use to deliver data into your Amazon Security Lake S3 bucket
  - This will follow the naming convention AmazonSecurityLakeLogProviderRole-<accountID>-<data source name>
- The ARN for the Amazon Security Lake S3 bucket to which Barracuda Networks will be delivering data
- The prefix Barracuda Networks will be using to upload files to that S3 bucket
{
"arn":"arn:aws:iam::123456789012:role/AmazonSecurityLakeLogProviderRole-123456789012-barracuda",
"s3":"aws-security-data-lake-us-east-1-123456789012",
"prefix":"ext/barracuda"
}
Contact Barracuda Networks Technical Support
If you require assistance setting up the Amazon Security Lake integration, contact Barracuda Networks Technical Support.
Integration Data Mapping
The following table maps Open Cybersecurity Schema Framework (OCSF) fields for log data coming from Barracuda Networks.
Barracuda Networks Syslog Field | OCSF Field | Notes |
---|---|---|
| activity_id | Always a value of 1, which means "A security finding is generated." |
| category_uid | Always a value of 2, which means "Findings" |
| class_uid | Always a value of 2001, which means "Security Finding" |
timestamp | time | The time of the event |
| finding.uid | Globally unique identifier |
Email Gateway Defense: action - reason - reason_extra; Impersonation Protection: category | finding.title | Different title values based on product source |
| metadata.version | The version of the event class |
| metadata.product.vendor_name | The name of the vendor (Barracuda Networks) |
| metadata.product.name | The name of the Barracuda Networks product that made the security finding |
| severity_id | Always a value of 0 |
| state_id | Always a value of 0 |
| type_uid | Always a value of 200101 |
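The fixed values in the table above can be used as a conformance check on records arriving from this custom source, so that malformed or unexpected records are flagged before they reach detections. The following is an added example, not Barracuda Networks or AWS code. It assumes records have already been decoded from Security Lake into Python dicts, that every mapped field is present in each record, and that the vendor string contains "Barracuda"; the sample records are constructed.

```python
# Fixed values taken from the mapping table on this page.
EXPECTED_CONSTANTS = {
    "activity_id": 1,     # "A security finding is generated."
    "category_uid": 2,    # "Findings"
    "class_uid": 2001,    # "Security Finding"
    "type_uid": 200101,   # in OCSF this is class_uid * 100 + activity_id
    "severity_id": 0,
    "state_id": 0,
}
# Assumption: every field the table maps is present in each record.
REQUIRED_PATHS = (
    "time", "finding.uid", "finding.title", "metadata.version",
    "metadata.product.vendor_name", "metadata.product.name",
)

def get_path(record, dotted):
    """Follow a dotted path such as 'metadata.product.name'; None if absent."""
    node = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def validate_finding(record):
    """Return a list of problems; an empty list means the record conforms."""
    problems = []
    for field, expected in EXPECTED_CONSTANTS.items():
        actual = record.get(field)
        # type() check rejects booleans, since True == 1 and False == 0 in Python
        if type(actual) is not int or actual != expected:
            problems.append(f"{field}: expected {expected}, got {actual!r}")
    for path in REQUIRED_PATHS:
        if get_path(record, path) in (None, ""):
            problems.append(f"{path}: missing or empty")
    vendor = get_path(record, "metadata.product.vendor_name") or ""
    # Assumption: the vendor string contains "Barracuda" (exact value not on the page).
    if vendor and "barracuda" not in str(vendor).lower():
        problems.append(f"metadata.product.vendor_name: unexpected {vendor!r}")
    return problems

# Constructed sample records (not real Barracuda Networks output).
GOOD = {
    "activity_id": 1, "category_uid": 2, "class_uid": 2001, "type_uid": 200101,
    "severity_id": 0, "state_id": 0, "time": 1700000000000,
    "finding": {"uid": "example-uid-0001", "title": "example title"},
    "metadata": {"version": "1.0.0", "product": {
        "vendor_name": "Barracuda Networks", "name": "Example Product"}},
}
BAD = {**GOOD, "class_uid": 2004, "severity_id": "0", "finding": {"title": "example title"}}
```

Calling `validate_finding(BAD)` reports the wrong class, the string-typed severity and the missing `finding.uid`; `validate_finding(GOOD)` returns an empty list.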