Lacework recommends the following alert channel workflow to forward Lacework alerts to your Elastic stack: send Lacework alerts to an SQS queue via AWS CloudWatch, then retrieve the alerts from SQS with an input plugin from Elastic.
Create a Lacework Alert Channel for AWS CloudWatch
Follow the steps described in the AWS CloudWatch alert channel documentation to forward alerts from Lacework to CloudWatch.
Follow these steps to add an event source mapping that uses an Amazon SQS queue as a trigger for a Lambda function, so that the function is invoked with batches of messages read from the queue. See the AWS Lambda documentation for details.
- Open the Lambda console Functions page.
- Choose a function.
- Under Add triggers, choose SQS.
- Under Configure triggers, configure the event source.
- In the SQS queue field, specify the source queue.
- In the Batch size field, specify the maximum number of messages to read from the queue and pass to your function in a single invocation.
- Leave the Enabled checkbox selected; clear it only if you want to create the mapping in a disabled state so that no messages are consumed yet.
- Choose Add.
- Choose Save.
Configure the Elastic Stack
See the Elastic documentation to configure your Elastic stack to retrieve events from SQS with the sqs input plugin.
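The whole pipeline above, CloudWatch (EventBridge) rule to SQS queue to the Elastic sqs input, as an added example script that is not Lacework's, AWS's or Elastic's own code. Assumptions not taken from the page: the event bus, rule and queue names and the region are placeholders; the catch-all event pattern should be narrowed once you know the shape of Lacework's events; the sqs input is assumed to be Logstash's; the Elasticsearch host and the account ID in the dry-run ARNs are constructed. The security point the console steps leave out is the queue's resource policy: without the `aws:SourceArn` condition, any EventBridge rule that learns the queue ARN could inject forged "alerts" into the stream.

```shell
#!/bin/sh
# Added example (not Lacework's, AWS's or Elastic's code): wires up the pipeline
# Lacework -> CloudWatch Events (EventBridge) -> SQS -> Logstash sqs input.
# Assumptions, not from the page: bus/rule/queue names and region are
# placeholders; the event pattern below matches every event on the bus.
set -eu

REGION="${REGION:-us-east-1}"
EVENT_BUS="${EVENT_BUS:-lacework-alerts}"      # bus the Lacework alert channel delivers to (assumed name)
RULE_NAME="${RULE_NAME:-lacework-to-sqs}"
QUEUE_NAME="${QUEUE_NAME:-lacework-alerts}"
EVENT_PATTERN='{"source":[{"prefix":""}]}'     # EventBridge prefix match on "" = any source (catch-all)
LAMBDA_FUNCTION="${LAMBDA_FUNCTION:-}"         # optional: function to trigger, as in the console steps

# SQS resource policy: only the EventBridge service may send, and only on
# behalf of this one rule (aws:SourceArn). Without the condition any rule in
# any account that knows the queue ARN could inject forged alerts.
queue_policy() {  # $1 = queue ARN, $2 = rule ARN
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOnlyThisEventBridgeRule",
    "Effect": "Allow",
    "Principal": { "Service": "events.amazonaws.com" },
    "Action": "sqs:SendMessage",
    "Resource": "$1",
    "Condition": { "ArnEquals": { "aws:SourceArn": "$2" } }
  }]
}
EOF
}

# set-queue-attributes takes the policy as a JSON string inside JSON, so the
# inner quotes have to be escaped.
policy_attr_json() {  # $1 = queue ARN, $2 = rule ARN
  escaped=$(queue_policy "$1" "$2" | tr -d '\n' | sed 's/"/\\"/g')
  printf '{"Policy": "%s"}\n' "$escaped"
}

# Logstash pipeline using the sqs input plugin. AWS credentials come from the
# host's instance role or environment, never from this file.
logstash_pipeline() {  # $1 = queue name, $2 = region
  cat <<EOF
input {
  sqs {
    queue  => "$1"
    region => "$2"
  }
}
output {
  elasticsearch {
    hosts => ["https://elasticsearch.example.internal:9200"]
    index => "lacework-alerts-%{+YYYY.MM.dd}"
  }
}
EOF
}

apply() {
  queue_url=$(aws sqs create-queue --region "$REGION" --queue-name "$QUEUE_NAME" \
    --attributes SqsManagedSseEnabled=true --query QueueUrl --output text)
  queue_arn=$(aws sqs get-queue-attributes --region "$REGION" --queue-url "$queue_url" \
    --attribute-names QueueArn --query Attributes.QueueArn --output text)
  rule_arn=$(aws events put-rule --region "$REGION" --event-bus-name "$EVENT_BUS" \
    --name "$RULE_NAME" --event-pattern "$EVENT_PATTERN" --query RuleArn --output text)
  aws sqs set-queue-attributes --region "$REGION" --queue-url "$queue_url" \
    --attributes "$(policy_attr_json "$queue_arn" "$rule_arn")"
  aws events put-targets --region "$REGION" --event-bus-name "$EVENT_BUS" \
    --rule "$RULE_NAME" --targets "Id=sqs,Arn=$queue_arn"
  # CLI equivalent of the console steps above. Caveat: a Lambda mapping is a
  # second consumer of the same queue and splits the messages with Logstash.
  if [ -n "$LAMBDA_FUNCTION" ]; then
    aws lambda create-event-source-mapping --region "$REGION" \
      --function-name "$LAMBDA_FUNCTION" --event-source-arn "$queue_arn" --batch-size 10
  fi
  logstash_pipeline "$QUEUE_NAME" "$REGION" > lacework-sqs.conf
}

# Dry run by default: print the policy and pipeline; APPLY=1 runs the AWS CLI calls.
if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  queue_policy "arn:aws:sqs:$REGION:123456789012:$QUEUE_NAME" \
    "arn:aws:events:$REGION:123456789012:rule/$EVENT_BUS/$RULE_NAME"   # constructed ARNs
  logstash_pipeline "$QUEUE_NAME" "$REGION"
fi
```

Run it once without `APPLY` to review the generated policy and pipeline, then with `APPLY=1` and the real names exported. The queue is created with SQS-managed encryption at rest, the rule is scoped to the bus the alert channel writes to, and Logstash reads with the instance's own credentials, so nothing in the flow needs a long-lived access key.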