Security Hub gives access to data already present on the machine – this is particularly convenient if your server acts as a log sink, or a controller on a larger industrial system.
Local access is only enabled if the server is configured with the allowed_folders directive. This is a list of (rooted) folders that are then visible in the user interface:
allowed_folders = ["/var/log","/srv/events"]
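An illustration of what a rooted-folder allowlist like allowed_folders has to enforce before a file is exposed (added example, not Security Hub's own code; the helper names and the sample entries are assumptions). It resolves symlinks and ".." first and compares whole path components, so a request for /var/log/../../etc/passwd or /var/logs/x.log is refused even though both start with the allowed prefix text:

```python
import os
from pathlib import Path

# Constructed allowlist mirroring the allowed_folders directive above.
ALLOWED_FOLDERS = ["/var/log", "/srv/events"]


def is_path_allowed(path: str, allowed_folders=ALLOWED_FOLDERS) -> bool:
    """True only if `path` is absolute and, after resolving symlinks and
    '..' segments, lies inside (or is) one of the allowed folders.
    The comparison is done on path components, not string prefixes,
    so /var/logs is not treated as being under /var/log."""
    if not os.path.isabs(path):
        return False  # only rooted paths are considered
    # realpath canonicalises existing symlinked components and
    # collapses '..' lexically for the rest, so a path that escapes
    # the allowed folder is seen at its real location.
    target = Path(os.path.realpath(path))
    for folder in allowed_folders:
        root = Path(os.path.realpath(folder))
        if target == root or root in target.parents:
            return True
    return False


def check_entries(entries, allowed_folders=ALLOWED_FOLDERS):
    """Evaluate a list of (name, path) data-source entries the way the
    UI's test button would, returning name -> 'ok' / 'access denied'."""
    return {
        name: ("ok" if is_path_allowed(path, allowed_folders) else "access denied")
        for name, path in entries
    }


if __name__ == "__main__":
    # Constructed sample entries, not taken from a real deployment.
    sample = [
        ("syslog", "/var/log/syslog"),
        ("events", "/srv/events/2024/app.log"),
        ("escape", "/var/log/../../etc/passwd"),
        ("prefix", "/var/logs/x.log"),
        ("relative", "etc/passwd"),
    ]
    for name, status in check_entries(sample).items():
        print(f"{name}: {status}")
```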
In the data source tab, select the “Local File” option
In the new entry, enter the path, a name and optionally a description of the file to access
Use the test button on the right to check whether access is possible – in this case, a red button and the error message “access denied” indicate that access was denied.
Once this is done, head to the main screen, create a new playbook, select “Explore” and you should see the new source created:
Click on the title of the newly added source, and you should be able to see the data: