Stream activity events to third-party SIEM systems

Security Information and Event Management (SIEM) systems play a critical role in network security by monitoring, detecting, and responding to security threats in real time. By aggregating and analyzing activity across the network, SIEMs help identify anomalous patterns and potential breaches, providing a centralized view of security events.

NetBird provides an event streaming feature that allows you to stream network activity events to third-party SIEM systems, such as Datadog, Amazon S3, Amazon Data Firehose, and others.

This document provides step-by-step instructions and best practices for setting up NetBird activity event streaming integrations to different third-party platforms.

Datadog

Before you start creating and configuring a Datadog event streaming integration, ensure that you have the following:

  • A Datadog account with the permissions to create and manage API keys. If you don't have the required permissions, ask your Datadog administrator to grant them to you.

Step 1: Create a Datadog API key

  • Navigate to the API Keys page
  • Click + New Key at the top
  • Give it a descriptive name like NetBird Event Streaming
  • Click Create Key
  • Copy the key. You will need this key when configuring an integration in NetBird.

Step 2: Create an event streaming integration in NetBird

  • Enable and configure the Datadog integration

  • Then enter the API key you created in Step 1 and click Connect

Amazon S3

Before you start creating and configuring an Amazon S3 event streaming integration, ensure that you have the following:

  • An AWS account with the permissions to create and manage S3 buckets.
  • Permissions to create and manage IAM users, roles and policies.

If you don't have the required permissions, ask your AWS administrator to grant them to you.

Step 1: Create an S3 bucket

  • Navigate to the S3 dashboard
  • Select the correct region in the top menu
  • Click Create bucket
  • Give it a descriptive name like netbird-activity-events
  • (Optional) Change bucket configurations to your needs
  • Click Create bucket

Step 2: Create an IAM user

  • Navigate to the IAM Dashboard
  • Create an IAM User (for details see the Amazon Docs)
  • Create a custom policy with the following permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::netbird-activity-events/*"
        }
    ]
}
  • Attach the policy to the IAM user
  • Select the user and navigate to the Security credentials tab
  • Click Create access key
  • Select Third-party service and click Next
  • Give it a description
  • Store the Access key and Secret access key in a secure place. You will need these when configuring an integration in NetBird.

Step 3: Create an event streaming integration in NetBird

  • Enable and configure the Amazon S3 integration
  • First select the region in which your S3 bucket was created

  • Then enter the S3 bucket name you created in Step 1 and click Next

  • Enter the Access key and Secret access key you created in Step 2 and click Connect

Amazon Data Firehose

Before you start creating and configuring an Amazon Data Firehose event streaming integration, ensure that you have the following:

  • An AWS account with the permissions to create and manage Data Firehose delivery streams.
  • Permissions to create and manage IAM users, roles and policies.

If you don't have the required permissions, ask your AWS administrator to grant them to you.

Step 1: Create a Data Firehose stream

  • Navigate to the Data Firehose Dashboard
  • Click Create Firehose stream
  • Select Direct PUT as the source and choose the desired destination
  • Give it a descriptive name like netbird-activity-events and configure the stream to your needs

Step 2: Create an IAM user

  • Navigate to the IAM Dashboard
  • Create an IAM User (for details see the Amazon Docs)
  • Create a custom policy with the following permissions (replace the resource with the ARN of your delivery stream):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch"
            ],
            "Resource": "arn:aws:firehose:region:accountID:deliverystream/netbird-event-streaming"
        }
    ]
}
  • Attach the policy to the IAM user
  • Select the user and navigate to the Security credentials tab
  • Click Create access key
  • Select Third-party service and click Next
  • Give it a description
  • Store the Access key and Secret access key in a secure place. You will need these when configuring an integration in NetBird.

Step 3: Create an event streaming integration in NetBird

  • Enable and configure the Amazon Data Firehose integration
  • First select the region in which your Firehose stream was created

  • Then enter the Firehose stream name you created in Step 1 and click Next

  • Enter the Access key and Secret access key you created in Step 2 and click Connect
