Configuring an Amazon AWS CloudTrail log source that uses Amazon Security Lake

You can collect AWS CloudTrail logs from multiple accounts or regions in an Amazon S3 bucket. IBM QRadar uses the Amazon AWS S3 REST API protocol to communicate with Amazon Security Lake, where QRadar obtains the CloudTrail logs.

Procedure

  1. Configure Amazon Security Lake to log Open Cybersecurity Schema Framework (OCSF) data in Parquet format to an S3 bucket. For more information, see Collecting data from custom sources.
    Note: The supported OCSF version of the DSM is OCSF 1.0RC2. The version OCSF 1.1 is not currently supported.
  2. Configure access to the OCSF data in Amazon Security Lake by using one of two methods.
    • To create a subscriber to provision the SQS queue and IAM role, see step 3.

      For more information about creating a subscriber, see Managing data access for Security Lake subscribers.

    • To manually configure the SQS queue and ObjectCreated notifications, see step 4.
  3. Create a subscriber to provision the SQS queue and IAM role.
    1. When you create the subscription, take note of the following values: SQS Queue URL, IAM Role ARN, and External ID.
    2. If you plan to access this subscription from a different account than where Amazon Security Lake is set up, you must provide that account ID to configure the trust relationship properly.
  4. Manually configure the SQS queue and ObjectCreated notifications.
    1. Configure an SQS queue to receive ObjectCreated notifications with either Amazon S3 Event Notifications or AWS EventBridge when new OCSF Parquet data is available in the Amazon Security Lake bucket in the folder you choose.
    2. Provision access keys with permission (either directly or with an IAM Assume Role) to access both the SQS queue and the bucket that contain the Amazon Security Lake data.
    For more information, see Create SQS and S3 object REST API.
  5. Configure a log source in QRadar to collect and parse the data.
    Tip: When new OCSF parquet data is available, a message that contains the bucket name and object key of the file with the data to be processed is sent to the SQS queue. QRadar then downloads and processes this file.

What to do next

Add a CloudTrail log source in QRadar. For more information, see Adding an Amazon AWS CloudTrail log source on the QRadar Console using an SQS queue.