About The Device
Protect and monitor the SaaS environment for your businesses. The SaaS Security Management platform that lets you Scan, Secure, and Monitor your SaaS applications like Box, Dropbox, Salesforce, etc.
Device Information
Entity | Particulars |
---|---|
Vendor Name | AppOmni |
Product Name | AppOmni |
Type of Device | Cloud |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol | Log Collection Method | Data Source |
---|---|---|---|---|
AppOmni | APPOMNI | JSON | C2C | N/A |
Device Configuration
1 - AWS S3 Configuration
Creation of S3 bucket
Navigate to https://s3.console.aws.amazon.com/
Click Create Bucket
Provide a name for the S3 bucket
Select a Region
Click Create Bucket
Setup API Gateway Role
Navigate to https://console.aws.amazon.com/iam
Click Roles
Click Create role
Select S3 as your use case
Click Next: Permissions
Select AmazonS3FullAccess
Click Next: Tags
Click Next: Review
Provide a Role Name
Click Create Role
Click or Open the role you created in the previous step
Click Trust relationships tab
Click Edit trust relationship
Paste the following into the policy document
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
Click Save or Update Trust Policy
Copy the Role ARN for this role, you’ll need it later
Create API GW
Navigate to API Management - Amazon API Gateway - AWS
Click Create API
Click the Build button in the Rest API section
Select New API
Provide an API name and Description
Click Create API
Click Actions dropdown
Select Create Method
Select PUT, and click the check box to save
Select AWS Service
Set AWS Region to the region where the S3 bucket was created
Set AWS Service to Simple Storage Service (S3)
Leave AWS Subdomain empty
HTTP method PUT
Set Action Type to Use path override
Set Path override (optional) to the following:
<name_of_your_s3_bucket>/{key}
Set Execution Role to the ARN of the role created in Step #2
Click Save
Click Integration Request
Expand Mapping Templates
Select When there are no templates defined (recommended)
Click Add Mapping template
Set it to application/json, and click the save
Insert the below into the Template
#set($context.requestOverride.path.key = $context.requestId) $input.body
Click Save
Scroll to the top
Click the <- Method Execution
Select your PUT method
Click on Actions drop down
Click Deploy API
Set Deployment stage to [New Stage]
Set Stage Name to the name of your S3 bucket
Set Stage Description to the name of your S3 bucket
Click Deploy
Click Usage Plans on the left side
Click Create
Provide Name
Disable Enable throttling
Disable Enable quota
Click Next
Click Add API Stage
In the API dropdown list select the API you created above
In the Stage dropdown list select the Stage you created above
Click Save
Click Next
Click Done
Click API Keys
Click Create API Key and add to Usage Plan
Provide an API Key Name
Select Auto Generate
Click Save
Click Key to open the key
Click the Show option and copy the key (you’ll need it later)
Navigate back to the API PUT method
Click the Method Request
Set API Key Required to True
Expand the HTTP Request Headers.
Insert x-api-key, select Required and click Save
Select your PUT method
Select Actions - Deploy API dropdown
Select the Deployment Stage you created earlier
Click Deploy
Click Stages on the left and select the Stage you configured above.
Copy the Invoke URL, which you’ll need later
Navigate back to the API PUT method
Click Test
Insert x-api-key:<insert API key from previous steps>
Click Test
Verify that you get Status 200 response (test succeeded)
2. Configure S3 Bucket in AppOmni - Alerts Dashboard
Log into your AppOmni console
Navigate to Monitor - Alert Dashboard
Click the + sign to add a new AppOmni Data Sink.
Provide a name for the Data Sink
Select Event Format as Condensed ECS
Set Max Event Size in Bytes to 0 (zero)
Data Sink = HTTP
Insert the Invoke URL from Create API GW step above in the Endpoint section
Set the Token Header to x-api-key
Insert the API key from Create API GW step above in the Token Section
Method = PUT
Delivery Format = JSON Array
Click Test Data Sink Configuration to ensure all parameters are correct.
Click Create New Data Sink to save the Data Sink settings
Review the JSON files in the S3 bucket, they contain the normalized AppOmni SaaS audit logs and detection alerts.
3. Configure S3 Bucket in AppOmni - Workflows
Log into your AppOmni console
Navigate to Monitor - Workflows
Click the Add Workflow +
Provide a Workflow Name
Select the Environment Tags to include in the Workflow
Click Webhook Notifications for New/Reopened Events on Policy Scans (PUT)
Insert the Invoke URL from Create API GW step above in the Endpoint section
Click Next
Set HeaderName to x-api-key
Insert the API key from Create API GW step above in the HeaderValue Section
Click Finish
Click Add Workflow
4. Configure AppOmni policies to leverage the S3 bucket workflow
Open your AppOmni policy
Click Manage
Select the configured S3 Bucket in the workflow section
Click Add to Policy
AppOmni findings for this policy will now be send to the configured S3 bucket
The JSON files in the S3 bucket contain the AppOmni findings from the policy/policies configured to send findings to the S3 bucket.
5. Create SQS
For Internal Reference: Configuring Amazon Simple Queue Service (SQS) with S3 Storage
6. Attaching Created SQS with S3
Navigate to S3 Dashboard and select the S3 Bucket created in Section 1 above which needs to be monitored for Notifications.
Navigate to Properties Tab
Under event notification. Click Create event notification
Provide a desired name to the notification and select the Event which has to be notified.
Select All Objects create events as we need to be notified for every new entry in the Bucket.
Add Prefix
Prefix is necessary in such cases if any single object has to be monitored. The prefix is the name of the directory created in the bucket. In case every directory in the Bucket has to be monitored for notifications, leave the prefix blank.
Select SQS queue as destination and Select Choose from your SQS queue.
Select the SQS queue from the dropdown which you have created earlier
Click Save
Follow below page for IAM user policies which are required for SQS & S3:
IAM User and KMS Key Policies Required for AWS
If SQS is encrypted, please add below policy in KMS. This policy is required to make s3 events notify SQS:
KMS Policy: *********** { "Sid": "example-statement-ID", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", ], "Resource": "*" }
Integration Parameters
Parameters required from customer for Integration.
Property | Default Value | Description |
---|---|---|
REGION | Custom Value | The region where the S3 bucket resides. For a list of regions, see Amazon S3 regions. |
S3 URI | Custom Value | The S3 URI to ingest. |
ACCESS KEY ID | Custom Value | The value obtained from above configuration. |
SECRET ACCESS KEY | Custom Value | The value obtained from above configuration. |