EDR: How to Setup the Event Forwarder to Export to an External S3 Bucket

Article ID: 291064


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • How to set up the EDR Event Forwarder to export events to an external S3 bucket.

Environment

  • EDR: 7.1.x +
  • EDR Event Forwarder: 3.6 +

Resolution

Create an S3 Bucket:
  1. Sign into the AWS Management Console.
  2. In the top right corner of the page, you will see a region. Ensure that the selected region is the same region that the Event Forwarder is in; use the dropdown to change it if needed. The table below gives the applicable AWS Region for each Carbon Black EDR URL.
User-added image
  3. Under Services, navigate to the S3 console.
  4. Choose Create Bucket. The Create bucket wizard will open.
  5. In Bucket Name, enter a name for your bucket. Bucket names must be globally unique across AWS; beyond that the name can be anything, but note it down, as it is entered in the Event Forwarder settings later.
  6. Region should default to the region you selected in step 2. Ensure that the region selected is the same region that the Event Forwarder is in by referring to the table in step 2.
  7. Bucket Settings for Block Public Access defaults to blocking all public access. Leave this default in place; public access is not required for the S3 bucket to work with the Event Forwarder.
  8. Select Create Bucket. Next, configure the bucket policy so that the Event Forwarder can write events to the bucket.

Configuring the Bucket Policy:
  1. Once the bucket is created and the page is loaded with a success message, select Go to Bucket Details from the message.
  2. Navigate to Permissions and select Bucket Policy. The bucket policy gives the Event Forwarder permissions to write to your bucket.
  3. Next to the text that reads Bucket Policy Editor, you will see the ARN for your bucket. Copy this value for use in the policy.
  4. At the bottom of the page, select Policy Generator. The policy generator will open in a new window. You will set up two statements:
    1. Setup a statement for 'GetObject', 'PutObject', and 'DeleteObject' Actions:
      • In Step 1: Select Policy Type, select S3 Bucket Policy.

      • In Step 2: Add Statement(s) under Effect, select Allow.

      • In Step 2: Add Statement(s) under Principal, enter the ARN of the IAM user or role whose credentials the Event Forwarder will use. IAM groups cannot be named as principals in a bucket policy; if you need to grant a group access, attach an IAM policy to the group instead.

      • In Step 2: Add Statement(s), AWS Service should be Amazon S3.

      • In Step 2: Add Statement(s), for Actions select the following:

        • GetObject
        • PutObject
        • DeleteObject
      • In Step 2: Add Statement(s) in Amazon Resource Name (ARN), paste your S3 bucket's ARN copied in step 3 of this section.
        • If you wish to allow the Event Forwarder to write to any object within this bucket, append "/*" to the ARN. 
          • Example: arn:aws:s3:::example-bucket/*
        • If instead you wish to only allow the Event Forwarder to write to a specific path within the bucket, append the directory path followed by "/*" to the ARN.
          • Example: to only allow the Event Forwarder to write to the /carbonblack/events subdirectory within the bucket, use arn:aws:s3:::example-bucket/carbonblack/events/*
        • The "/*" is required at the end of the ARN regardless of directory structure to allow the Event Forwarder to create time-based subdirectories to store events.
        • The path must match the S3 prefix configured in the Event Forwarder.
      • Select Add Statement.
    2. Set up an additional statement for 'ListBucket':
      • In Step 1: Select Policy Type, select S3 Bucket Policy.

      • In Step 2: Add Statement(s) under Effect, select Allow.

      • In Step 2: Add Statement(s) under Principal, enter the same IAM user or role ARN used in the first statement (again, an IAM group cannot be used as a bucket-policy principal).

      • In Step 2: Add Statement(s), AWS Service should be Amazon S3.

      • In Step 2: Add Statement(s), for Actions select the following:

        • ListBucket

      • In Step 2: Add Statement(s) in Amazon Resource Name (ARN), paste your S3 bucket's ARN copied in step 3 of this section, without a trailing "/*": ListBucket applies to the bucket itself, not to objects within it.
        • Example: arn:aws:s3:::example-bucket
      • Select Add Statement.

  5. The two statements created above should resemble the image below:
    • User-added image
  6. Select Generate Policy in Step 3: Generate Policy. A pop-up will open with your Policy JSON Document. Copy the contents.
  7. Returning to Permissions > Bucket Policy within the S3 console for your bucket, paste the Policy JSON Document in the editor and select Save.
  8. Next, select the Management tab.
  9. Go to Lifecycle and add a lifecycle rule:
    • Select Apply to all objects in the bucket.
    • Select Next twice to go to the Expiration page.
    • Check Current Version and expire the current version after the desired number of days (7 by default) from object creation.
    • Select Next to review and save.
    • Expired objects are deleted from the bucket, so make sure whatever consumes the forwarded events (for example, a SIEM collecting from the bucket) has picked them up within that period.
Note: If ListAllMyBuckets is required, it must be granted through an IAM policy, not on the individual bucket, because it is an account-level action rather than a bucket-level one. Reference: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets
  
Example Bucket Policy:
 
User-added image

Enabling Events in EDR Console:
  1. In the EDR console, navigate to the Event Forwarder tab.
  2. Enable the event types you would like the product to upload to S3.
  3. Scroll down to Output and set Type to s3.
  4. Enter the S3 bucket name:
    • Format: [<region>:]<bucket-name>
    • Example using the policy above: us-east-1:edrforwarder (the region must match the region the bucket was created in)
  5. Enter the credential profile name and take note of it (typically 'default', as in the aws.creds.ini example below); the same name must be used as the section name in the AWS credentials file.
  6. Select Upload AWS credentials file and upload the credentials file in INI format (example name: aws.creds.ini). The uploaded file holds static access keys for the principal named in the bucket policy, so use a dedicated IAM user or role for the forwarder with no permissions beyond that policy, and rotate the keys on your normal schedule. Below is an example of a profile:
    • User-added image
  7. Select Save and restart the service for the changes to take effect.
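The following script ties the bucket-policy section and the EDR console steps above together: it generates the two-statement bucket policy exactly as the policy generator steps describe it, checks that the policy is consistent with the S3 prefix configured in the Event Forwarder (the point made in the ARN notes above), and renders the credentials profile and bucket setting entered in the EDR console. This is an added example, not code from Carbon Black or from this article. The account ID, role name and key values are placeholders; the bucket name edrforwarder and region us-east-1 are the ones this article uses.

```python
"""Build and sanity-check the S3 bucket policy and aws.creds.ini profile for the
EDR Event Forwarder, following the steps in this article. Added example, not
code from Carbon Black or the article. ACCOUNT_ID, the role name and the key
values below are placeholders; 'edrforwarder' and 'us-east-1' are the bucket
name and region the article itself uses."""
import json

# Hypothetical identifiers for illustration only.
ACCOUNT_ID = "123456789012"
PRINCIPAL_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/edr-event-forwarder"
BUCKET = "edrforwarder"
REGION = "us-east-1"
FORWARDER_PREFIX = "carbonblack/events"   # S3 prefix configured in the forwarder


def build_bucket_policy(bucket, principal_arn, prefix=""):
    """The two statements the article has you generate: object actions on
    '<bucket>[/<prefix>]/*' and ListBucket on the bare bucket ARN."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = prefix.strip("/")
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EDRForwarderObjects", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": object_arn},
            {"Sid": "EDRForwarderList", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": "s3:ListBucket",
             "Resource": bucket_arn},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy, bucket, forwarder_prefix):
    """Return the problems found (empty list means the policy is consistent
    with the forwarder settings): the object statement must end in /* and
    cover the configured prefix, a ListBucket statement must name the bare
    bucket ARN, and no principal may be '*' (public) or an IAM group (groups
    are not valid bucket-policy principals)."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    want = forwarder_prefix.strip("/")
    object_ok = list_ok = False
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "?")
        principal = st.get("Principal", {})
        names = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for name in names:
            if name == "*":
                problems.append(f"{sid}: public principal '*'")
            elif ":group/" in name:
                problems.append(f"{sid}: IAM group used as principal")
        actions = set(_as_list(st.get("Action", [])))
        resources = _as_list(st.get("Resource", []))
        if actions & {"s3:PutObject", "s3:DeleteObject"}:
            for res in resources:
                if not res.startswith(bucket_arn + "/") or not res.endswith("/*"):
                    problems.append(f"{sid}: object ARN must be {bucket_arn}/<path>/* or {bucket_arn}/*")
                    continue
                allowed = res[len(bucket_arn) + 1:-2].strip("/")
                # The forwarder creates time-based subdirectories beneath its
                # prefix, so the allowed path must be the prefix or a parent of it.
                if allowed == "" or want == allowed or want.startswith(allowed + "/"):
                    object_ok = True
                else:
                    problems.append(f"{sid}: allows '{allowed}/*' but forwarder prefix is '{want}'")
        if "s3:ListBucket" in actions and bucket_arn in resources:
            list_ok = True
    if not object_ok:
        problems.append("no statement lets the forwarder write under its prefix")
    if not list_ok:
        problems.append("no s3:ListBucket statement on the bare bucket ARN")
    return problems


def forwarder_bucket_setting(region, bucket):
    """Value for the bucket field in the EDR console: [<region>:]<bucket-name>."""
    return f"{region.lower()}:{bucket}"


def render_credentials_profile(profile, access_key_id, secret_access_key):
    """aws.creds.ini content; the section name must equal the credential
    profile name entered in the EDR console."""
    return (f"[{profile}]\n"
            f"aws_access_key_id = {access_key_id}\n"
            f"aws_secret_access_key = {secret_access_key}\n")


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, PRINCIPAL_ARN, FORWARDER_PREFIX)
    print(json.dumps(policy, indent=2))   # paste into Permissions > Bucket Policy
    print("problems:", check_policy(policy, BUCKET, FORWARDER_PREFIX))
    print("bucket setting:", forwarder_bucket_setting(REGION, BUCKET))
    print(render_credentials_profile("default", "AKIAEXAMPLEKEY", "EXAMPLESECRET"))
```

Run it once with your own bucket name, principal ARN and forwarder prefix, paste the printed JSON into Permissions > Bucket Policy, and keep check_policy handy for the common failure: a policy scoped to one path while the forwarder is configured with a different prefix, which produces access-denied errors on upload.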

Additional Information