You can collect AWS CloudTrail logs from multiple accounts and regions through Amazon Security Lake, which normalizes them to the Open Cybersecurity Schema Framework (OCSF) and stores them in an Amazon S3 bucket. IBM QRadar uses the Amazon AWS S3 REST API protocol to communicate with Amazon Security Lake, where QRadar obtains the CloudTrail logs.
Procedure
- Configure Amazon Security Lake to log Open Cybersecurity Schema Framework (OCSF) data in Parquet format to an S3 bucket. For more information, see Collecting data from custom sources.
Note: The supported OCSF version of the DSM is OCSF 1.0RC2. OCSF 1.1 is not currently supported.
- Configure access to the OCSF data in Amazon Security Lake by using one of two methods.
  - Create a subscriber to provision the SQS queue and IAM role.
    - When you create the subscription, take note of the following values: SQS Queue URL, IAM Role ARN, and External ID.
    - If you plan to access this subscription from a different account than the one where Amazon Security Lake is set up, you must provide that account ID so that the trust relationship is configured properly.
  - Manually configure the SQS queue and ObjectCreated notifications.
    - Configure an SQS queue to receive ObjectCreated notifications, through either Amazon S3 Event Notifications or Amazon EventBridge, when new OCSF Parquet data is available in the chosen folder of the Amazon Security Lake bucket.
    - Provision access keys with permission (either directly or through an IAM Assume Role) to access both the SQS queue and the bucket that contains the Amazon Security Lake data.
- Configure a log source in QRadar to collect and parse the data.
Tip: When new OCSF Parquet data is available, a message that contains the bucket name and object key of the file to be processed is sent to the SQS queue. QRadar then downloads and processes this file.
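The manual method above leaves you to write three policy documents yourself: the queue policy that lets S3 deliver ObjectCreated notifications, the identity policy for the credentials QRadar uses, and, for a cross-account setup, the trust policy on the role that carries the External ID. The following is an added example, not IBM QRadar or AWS code, that builds those documents and checks that the trust policy actually enforces the External ID (the guard against a confused-deputy assume-role from another subscriber). All ARNs, account IDs, the prefix and the External ID are constructed placeholders, and the action set is a minimal one I chose for queue consumption and object reads, not a list published by QRadar.

```python
"""Build the IAM policy documents for the manual SQS/S3 method and check the
trust policy for the sts:ExternalId guard. Added example; not QRadar or AWS code."""
import json

# Constructed placeholders; replace with your own values.
SECURITY_LAKE_ACCOUNT = "111111111111"  # account that owns the Security Lake bucket
SUBSCRIBER_ACCOUNT = "222222222222"     # account whose credentials QRadar holds
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:qradar-security-lake-queue"
BUCKET_ARN = "arn:aws:s3:::aws-security-data-lake-us-east-1-example"
PREFIX = "aws/CLOUD_TRAIL_MGMT/1.0/"   # the folder you chose in Security Lake
EXTERNAL_ID = "qradar-subscriber-example"


def queue_policy_for_s3_notifications(queue_arn, bucket_arn, bucket_account):
    """Queue policy that lets S3 deliver ObjectCreated notifications for one bucket.
    SourceArn/SourceAccount stop any other bucket or account from posting to the queue.
    (If you route through EventBridge instead, the principal is events.amazonaws.com
    and aws:SourceArn is the rule's ARN.)"""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowS3ObjectCreatedNotifications",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "sqs:SendMessage",
            "Resource": queue_arn,
            "Condition": {
                "ArnLike": {"aws:SourceArn": bucket_arn},
                "StringEquals": {"aws:SourceAccount": bucket_account},
            },
        }],
    }


def collector_permissions_policy(queue_arn, bucket_arn, prefix):
    """Identity policy for the access keys (or the assumed role): consume the queue
    and read only the Parquet objects under the chosen prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ConsumeQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
             "Resource": queue_arn},
            {"Sid": "ReadLakeObjects", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/{prefix}*"},
            {"Sid": "ListLakePrefix", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": bucket_arn,
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
        ],
    }


def cross_account_trust_policy(subscriber_account, external_id):
    """Trust policy on the role in the Security Lake account. The sts:ExternalId
    condition is what gives the External ID from the subscription its meaning."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{subscriber_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy):
    """True only if every Allow of sts:AssumeRole also pins sts:ExternalId."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                return False
    return True


if __name__ == "__main__":
    docs = {
        "queue-policy.json": queue_policy_for_s3_notifications(QUEUE_ARN, BUCKET_ARN, SECURITY_LAKE_ACCOUNT),
        "collector-policy.json": collector_permissions_policy(QUEUE_ARN, BUCKET_ARN, PREFIX),
        "trust-policy.json": cross_account_trust_policy(SUBSCRIBER_ACCOUNT, EXTERNAL_ID),
    }
    for name, doc in docs.items():
        print(f"# {name}")
        print(json.dumps(doc, indent=2))
    print("external id enforced:", trust_policy_requires_external_id(docs["trust-policy.json"]))
```

Paste each printed document into the matching place: the queue policy on the SQS queue, the collector policy on the IAM user or role whose keys you enter in QRadar, and the trust policy on the role in the Security Lake account when QRadar's credentials live in another account.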
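The tip describes the message flow but not the two message shapes the procedure allows. The following is an added example, not QRadar's own collector code, showing how a consumer would pull the bucket name and object key out of an SQS message in both the S3 Event Notifications format (where the key is URL-encoded) and the EventBridge format (where it is not), skip the `s3:TestEvent` message S3 sends when a notification is first configured, ignore anything outside the chosen folder or not a Parquet file, and delete a message only after its objects were fetched. The sample messages, bucket name, queue URL and partition keys are constructed for the example.

```python
"""Turn SQS notification messages into (bucket, key) pairs to download.
Added example; not QRadar code. Sample messages below are constructed."""
import json
from urllib.parse import unquote_plus

PARQUET_PREFIX = "aws/CLOUD_TRAIL_MGMT/1.0/"  # constructed; the folder you chose in Security Lake

# Constructed S3 Event Notification: one Parquet put (key URL-encoded) and one delete.
SAMPLE_S3_EVENT = json.dumps({"Records": [
    {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "aws-security-data-lake-us-east-1-example"},
            "object": {"key": "aws/CLOUD_TRAIL_MGMT/1.0/region%3Dus-east-1/accountId%3D111111111111/"
                              "eventDay%3D20240101/part-0001.parquet", "size": 1024}}},
    {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "aws-security-data-lake-us-east-1-example"},
            "object": {"key": "aws/CLOUD_TRAIL_MGMT/1.0/region%3Dus-east-1/old.parquet"}}},
]})
# Constructed EventBridge "Object Created" event; key is not URL-encoded here.
SAMPLE_EVENTBRIDGE = json.dumps({"detail-type": "Object Created", "source": "aws.s3", "detail": {
    "bucket": {"name": "aws-security-data-lake-us-east-1-example"},
    "object": {"key": "aws/CLOUD_TRAIL_MGMT/1.0/region=us-east-1/accountId=111111111111/"
                      "eventDay=20240102/part-0002.parquet", "size": 2048}, "reason": "PutObject"}})
# Constructed copy of the test message S3 sends when a notification is configured.
SAMPLE_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                                "Bucket": "aws-security-data-lake-us-east-1-example"})


def objects_from_message(body, prefix=PARQUET_PREFIX):
    """Return [(bucket, key), ...] for the ObjectCreated events in one SQS message body."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return []
    found = []
    if isinstance(msg, dict) and "Records" in msg:            # S3 Event Notifications
        for rec in msg["Records"]:
            if not rec.get("eventName", "").startswith("ObjectCreated:"):
                continue
            s3 = rec.get("s3", {})
            found.append((s3.get("bucket", {}).get("name"),
                          unquote_plus(s3.get("object", {}).get("key", ""))))
    elif isinstance(msg, dict) and msg.get("detail-type") == "Object Created":  # EventBridge
        d = msg.get("detail", {})
        found.append((d.get("bucket", {}).get("name"), d.get("object", {}).get("key", "")))
    # s3:TestEvent has neither shape and yields nothing, so it is consumed and dropped.
    return [(b, k) for b, k in found if b and k.startswith(prefix) and k.endswith(".parquet")]


def process_messages(messages, fetch, prefix=PARQUET_PREFIX):
    """messages: SQS receive_message entries ({"Body": ..., "ReceiptHandle": ...}).
    fetch(bucket, key) -> bytes downloads one object.
    Returns (processed, receipt_handles_to_delete). A message whose download fails
    is not deleted, so SQS redelivers it; re-downloading a Parquet file is harmless."""
    processed, to_delete = [], []
    for m in messages:
        try:
            for bucket, key in objects_from_message(m["Body"], prefix):
                processed.append((bucket, key, len(fetch(bucket, key))))
        except Exception:
            continue
        to_delete.append(m["ReceiptHandle"])
    return processed, to_delete


if __name__ == "__main__":
    import boto3  # live loop only; the parsing above needs no AWS access
    sqs, s3 = boto3.client("sqs"), boto3.client("s3")
    queue_url = "https://sqs.us-east-1.amazonaws.com/111111111111/qradar-security-lake-queue"  # constructed
    fetch = lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read()
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    done, handles = process_messages(resp.get("Messages", []), fetch)
    for h in handles:
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=h)
    print(done)
```

The URL decoding matters in practice: Security Lake partitions keys with `=` (for example `region=us-east-1`), which S3 Event Notifications deliver as `%3D`, so a consumer that passes the raw key to GetObject gets a 404 on every file.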