Stream activity events to third-party SIEM systems
Security Information and Event Management (SIEM) systems play a critical role in network security by monitoring, detecting, and responding to security threats in real time. By aggregating and analyzing activity across the network, SIEMs help identify anomalous patterns and potential breaches, providing a centralized view of security events.
NetBird provides an event streaming feature that allows you to stream network activity events to third-party SIEM systems, such as Datadog, Amazon S3, Amazon Data Firehose, and others.
This document provides step-by-step instructions and best practices for setting up NetBird activity event streaming integrations to different third-party platforms.
This feature is only available in the cloud version of NetBird.
Datadog
Before you start creating and configuring a Datadog event streaming integration, ensure that you have the following:
- A Datadog account with the permissions to create and manage API keys. If you don't have the required permissions, ask your Datadog administrator to grant them to you.
Step 1: Create a Datadog API key
- Navigate to the API Keys page
- Click + New Key at the top
- Give it a descriptive name like NetBird Event Streaming
- Click Create Key
- Copy the key. You will need this key when configuring an integration in NetBird.
Step 2: Create an event streaming integration in NetBird
- Navigate to the Integrations » Event Streaming tab in the NetBird dashboard
- Enable and configure the Datadog integration
- First select the region of your Datadog account (for more details see Datadog Documentation)
- Then enter the API key you created in Step 1 and click Connect
Amazon S3
Before you start creating and configuring an Amazon S3 event streaming integration, ensure that you have the following:
- An AWS account with the permissions to create and manage S3 buckets.
- Permissions to create and manage IAM users, roles and policies.
If you don't have the required permissions, ask your AWS administrator to grant them to you.
Step 1: Create an S3 bucket
- Navigate to the S3 dashboard
- Select the correct region in the top menu
- Click Create bucket
- Give it a descriptive name like netbird-activity-events
- (Optional) Adjust the bucket configuration to your needs
- Click Create bucket
Step 2: Create an IAM user
- Navigate to the IAM Dashboard
- Create an IAM User (for details see the Amazon Docs)
- Create a custom policy with the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::netbird-activity-events/*"
    }
  ]
}
- Attach the policy to the IAM user
- Select the user and navigate to the Security credentials tab
- Click Create access key
- Select Third-party service and click Next
- Give it a description
- Store the Access key and Secret access key in a secure place. You will need these when configuring an integration in NetBird.
Step 3: Create an event streaming integration in NetBird
- Navigate to the Integrations » Event Streaming tab in the NetBird dashboard
- Enable and configure the Amazon S3 integration
- First select the region your S3 bucket is created in
- Then enter the S3 bucket name you created in Step 1 and click Next
- Enter the Access key and Secret access key you created in Step 2 and click Connect
Amazon Data Firehose
Before you start creating and configuring an Amazon Data Firehose event streaming integration, ensure that you have the following:
- An AWS account with the permissions to create and manage Data Firehose delivery streams.
- Permissions to create and manage IAM users, roles and policies.
If you don't have the required permissions, ask your AWS administrator to grant them to you.
Step 1: Create a Data Firehose stream
- Navigate to the Data Firehose Dashboard
- Click Create Firehose stream
- As source select Direct PUT and the desired destination
- Give it a descriptive name like netbird-activity-events and configure the stream to your needs
Step 2: Create an IAM user
- Navigate to the IAM Dashboard
- Create an IAM User (for details see the Amazon Docs)
- Create a custom policy with the following permissions (replace the resource with the ARN of your delivery stream):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ],
      "Resource": "arn:aws:firehose:region:accountID:deliverystream/netbird-event-streaming"
    }
  ]
}
- Attach the policy to the IAM user
- Select the user and navigate to the Security credentials tab
- Click Create access key
- Select Third-party service and click Next
- Give it a description
- Store the Access key and Secret access key in a secure place. You will need these when configuring an integration in NetBird.
Step 3: Create an event streaming integration in NetBird
- Navigate to the Integrations » Event Streaming tab in the NetBird dashboard
- Enable and configure the Amazon Data Firehose integration
- First select the region your Firehose stream is created in
- Then enter the Firehose stream name you created in Step 1 and click Next
- Enter the Access key and Secret access key you created in Step 2 and click Connect