Lacework
Kate_M
Community Manager
Article Id 334653
Description: Forwarding Lacework Alerts to a SIEM
Scope: Lacework / AWS
Solution:

To forward Lacework Alerts to a SIEM, you will first need to create an AWS CloudWatch Alert channel as described here:

https://docs.lacework.net/onboarding/amazon-event-bridge


Once you have created the alert channel, Lacework alerts will appear in your SQS queue. You will then need a third-party tool that can read the Lacework alerts from the SQS queue and forward them to your SIEM. Refer to your SIEM documentation for which tools are supported for reading from an SQS queue and writing alerts to your SIEM. Examples of tools that may work with your SIEM are Logstash and Fluentd.


Using Logstash as an example, this is a configuration that reads from an SQS queue:


input {
  sqs {
    # Placeholder credentials; omit both keys to use the host's IAM role instead.
    access_key_id => "XXXXXXX"
    secret_access_key => "XXXXX"
    # Name of the SQS queue that the Lacework alert channel writes to.
    queue => "Lacework_CloudWatch_Alerts"
  }
}

output {
  # supported configuration for your SIEM
}
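Where a SIEM has no ready-made SQS reader, the same read-forward-delete step can be done with a small consumer. The following is an added example written for this article, not Lacework's code: it assumes alerts reach the queue as standard EventBridge envelopes (the `detail` field values, queue URL and `FakeSqs` client are constructed for illustration) and shows the at-least-once pattern of deleting a message only after the SIEM has accepted it.

```python
import json
import logging

log = logging.getLogger("lacework_sqs_forwarder")

def parse_alert(body: str) -> dict:
    """Flatten the EventBridge envelope of one SQS message; 'detail' is Lacework's payload, passed through."""
    event = json.loads(body)
    return {"event_id": event["id"],            # stable id: let the SIEM dedup on it
            "timestamp": event["time"],
            "detail_type": event.get("detail-type"),
            "alert": event.get("detail", {})}

def forward_batch(sqs, queue_url: str, send, max_messages: int = 10) -> int:
    """One receive/forward/delete cycle; returns how many alerts were forwarded.
    A message is deleted only after `send` returns, so a SIEM outage leaves alerts queued
    (at-least-once). Poison messages stay until maxReceiveCount moves them to the DLQ."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=max_messages,
                               WaitTimeSeconds=20)           # long polling
    forwarded = 0
    for msg in resp.get("Messages", []):
        try:
            send(parse_alert(msg["Body"]))
        except Exception:                                     # one bad record must not stop the loop
            log.exception("could not forward message %s", msg.get("MessageId"))
            continue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=msg["ReceiptHandle"])
        forwarded += 1
    return forwarded

class FakeSqs:
    """Minimal stand-in for boto3's SQS client so the example runs offline."""
    def __init__(self, bodies):
        self.messages = [{"MessageId": f"m{i}", "ReceiptHandle": f"rh{i}", "Body": b}
                         for i, b in enumerate(bodies)]
    def receive_message(self, **_): return {"Messages": list(self.messages)}
    def delete_message(self, ReceiptHandle, **_):
        self.messages = [m for m in self.messages if m["ReceiptHandle"] != ReceiptHandle]

# Constructed sample: one well-formed EventBridge envelope (values invented) and one malformed body.
SAMPLE_BODIES = [json.dumps({"version": "0", "id": "evt-0001-constructed",
                             "detail-type": "Lacework Alert", "source": "lacework",
                             "time": "2024-01-01T00:00:00Z",
                             "detail": {"alertId": 12345, "severity": "High"}}),
                 "not json"]

def demo():
    sqs = FakeSqs(SAMPLE_BODIES)                              # constructed queue URL below
    sent = []                                                 # stands in for the SIEM sink
    return forward_batch(sqs, "https://sqs.example/queue", sent.append), sent, len(sqs.messages)
```

With a real `boto3.client("sqs")` in place of `FakeSqs`, `forward_batch` is called in a loop and `send` is replaced by whatever delivers a record to the SIEM.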


Each SIEM operates differently, so refer to your SIEM's documentation for the exact tools and configuration required. Note also that, at this time, the S3 channel is only for the S3 Data export. What the S3 Data export contains is described here:

https://docs.lacework.net/console/s3-data-export-views-and-folder-structure


The S3 data export generates gzipped files, and the alerts for a given time period are in one JSON file called "Alert_details.json.gz". This batch format is not suitable as a source for sending alerts to a SIEM, which is why using an SQS queue is the recommended method.

