Export analytics data from Cerby to an Amazon S3 bucket for SIEM integration

With Cerby, you can export the analytics data of your workspace to a security information and event management (SIEM) solution via an integration. This is a feature that customers can request to be enabled by our Support team.

The integration leverages an Amazon S3 bucket, where Cerby exports the logs of analytic events in JSON files every minute as long as Cerby has registered events. This S3 bucket serves as the data source for the integration you set up with your preferred SIEM platform.

When your SIEM solution is configured to ingest data from the bucket, it can continuously consume and process these logs as part of the organization’s broader security monitoring strategy. By integrating Cerby’s analytics data into your SIEM, you can enhance visibility into user behavior and access activity, helping to enforce security policies, detect anomalies, and respond more effectively to potential threats.

This article describes the instructions to set up the analytics data export for your SIEM solution.

Requirements

The following are the requirements to configure the integration to export analytics data from Cerby via an Amazon S3 bucket:

• A Cerby account in AWS.

• A Cerby role in AWS.

Set up the analytics data export to a SIEM integration via an Amazon S3 bucket

To set up the analytics data export to a SIEM integration via an Amazon S3 bucket, you must complete the following main steps:

1. Create and configure an Amazon S3 bucket

2. Configure your SIEM solution to ingest data from the S3 bucket

The following sections describe each main step.

1. Create and configure an Amazon S3 bucket

To create and configure an Amazon S3 bucket, you must complete the following steps:

1. Create an Amazon S3 bucket for storing objects by following the instructions in the Create your first S3 bucket official documentation. NOTE: Make sure to select the ACLs disabled and Block all public access options when creating your bucket.

2. Add a bucket policy to grant Cerby writing permissions on the bucket by following the instructions in the Adding a bucket policy by using the Amazon S3 console official documentation. Use the following policy: ​

IMPORTANT: Make sure you add the name of your bucket in the Resource parameters and replace cerby_account and**cerby_role** with the values provided by our Support team.

1. Share the bucket name and its path with our Support team.

The next step is 2. Configure your SIEM solution to ingest data from the S3 bucket ​

2. Configure your SIEM solution to ingest data from the Amazon S3 bucket

To start consuming Cerby analytics data, you must configure your SIEM solution to ingest logs directly from the Amazon S3 bucket. While the exact steps vary depending on the tool, most SIEM solutions offer support for reading from S3, so refer to the official documentation for instructions.

Typically, you must complete the following steps:

1. Create a data collector or source in your SIEM solution.

2. Set up access for your SIEM solution to the S3 bucket. Typically, you must provide the following information:

   • S3 bucket name and region

   • Credentials for the SIEM to access the S3 bucket, such as IAM role or access keys

3. Configure additional settings required by your SIEM solution, such as the following:

   • Path filters

   • Data format

   • Polling interval

   • Timestamp parsing

Appendix: Analytic events format

The following is an example of a JSON object with the analytic events that Cerby sends to the S3 bucket:

The following table provides a description of each field included in the JSON object:

Table 1. Descriptions of the fields included in each JSON object