Amazon AWS S3 REST API log source parameters for Amazon AWS WAF

If QRadar does not automatically detect the log source, add an Amazon AWS WAF log source on the QRadar Console by using the Amazon AWS S3 REST API protocol.

When you use the Amazon AWS S3 REST API protocol, there are specific parameters that you must configure.

The following table describes the parameters that require specific values to collect Amazon AWS S3 REST API events from Amazon AWS WAF:
Table 1. Amazon AWS S3 REST API log source parameters for the Amazon AWS WAF DSM
Parameter Value
Log Source type Amazon AWS WAF
Protocol Configuration Amazon AWS S3 REST API
Log Source Identifier

Type a unique name for the log source.

The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Amazon AWS WAF log source that is configured, you might want to identify the first log source as awswaf1, the second log source as awswaf2, and the third log source as awswaf3.

Authentication Method Access Key ID / Secret Key
Access Key The Access key ID that you created when you configured your AWS security credentials. For more information, see Configuring security credentials for your AWS user account.
Secret Key The Secret access key that you created when you configured your AWS security credentials. For more information, see Configuring security credentials for your AWS user account.
S3 Collection Method SQS Event Notifications
SQS Queue URL The full URL that begins with https://, for the SQS Queue that is set up to receive notifications for ObjectCreated events from S3.
Region Name The region that is assigned to your Amazon AWS WAF.

Example: us-east-2

Event Format LINEBYLINE

For a complete list of Amazon AWS S3 REST API protocol parameters and their values, see Amazon AWS S3 REST API protocol configuration options.