Configuring Amazon GuardDuty to forward events to an AWS S3 Bucket
To collect events in QRadar®, you must configure Amazon GuardDuty to forward events to an AWS S3 bucket.
- Log in to the AWS Management Console as an administrator.
- On the menu bar, type GuardDuty in the search field.
- From the Navigation menu, select Findings.
- From the Frequency for updated findings list, select Update CWE and S3 every 15 minutes.
- In the S3 bucket section, click Configure now.
- Click one of the following S3 bucket options:
  - Existing bucket - In your account
  - Existing bucket - In another account
  - New bucket - Create a new bucket
- From the Choose a bucket list, select your S3 bucket.
- Optional: Enter a path prefix in the Log file prefix field. A new folder is created in the bucket with the path prefix name that you specified. The path that follows the field is updated to reflect the path to exported findings in the bucket.
- Select one of the following KMS encryption options:
  - Select Choose key from your account, and then from the Key alias list, select the key that you changed the policy for.
  - Select Choose key from another account, and then type the full ARN to the key that you changed the policy for.

  The key that you select must be in the same region as the S3 bucket. For more information about how to find the key ARN, go to Finding the key ID and ARN on the Amazon AWS website (https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html).

  For more information about key policies, go to Using key policies in AWS KMS on the Amazon AWS website (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
- Click Save. When you generate findings in GuardDuty, they are sent to your S3 bucket.
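The procedure above assumes the KMS key's policy was already changed to let GuardDuty use it, and that the key sits in the bucket's region. The following added example (not IBM or AWS code) builds the key-policy statement that, as assumed here, the linked AWS key-policy guidance calls for (an Allow of kms:GenerateDataKey for the guardduty.amazonaws.com service principal, scoped with aws:SourceAccount and aws:SourceArn) and checks an existing key policy and key ARN before you click Save; all account, region, detector and key identifiers are constructed placeholders.

```python
# Added example, not from the IBM page or AWS: build and sanity-check the
# KMS key-policy statement GuardDuty needs to encrypt findings exported to S3.
# Account, region, detector and key identifiers used here are constructed placeholders.

GUARDDUTY_PRINCIPAL = "guardduty.amazonaws.com"
REQUIRED_ACTION = "kms:GenerateDataKey"  # the action GuardDuty calls when writing objects


def guardduty_statement(account_id: str, region: str, detector_id: str) -> dict:
    """Allow statement scoped to one detector: aws:SourceAccount/aws:SourceArn stop
    a detector in another account from using this key via the same service principal."""
    return {
        "Sid": "AllowGuardDutyExportEncryption",
        "Effect": "Allow",
        "Principal": {"Service": GUARDDUTY_PRINCIPAL},
        "Action": REQUIRED_ACTION,
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:SourceAccount": account_id,
            "aws:SourceArn": f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}",
        }},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def guardduty_can_use_key(policy: dict, account_id: str) -> bool:
    """True only if an Allow statement grants GuardDuty the required action AND is
    pinned to this account; an unscoped grant counts as a misconfiguration."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or GUARDDUTY_PRINCIPAL not in services:
            continue
        if not any(a in (REQUIRED_ACTION, "kms:*") for a in _as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") == account_id:
            return True
    return False


def key_matches_bucket_region(key_arn: str, bucket_region: str) -> bool:
    """The console requires key and bucket in the same region; the region is the
    4th ':'-separated field of a KMS key ARN (arn:aws:kms:REGION:ACCOUNT:key/ID)."""
    parts = key_arn.split(":")
    return len(parts) >= 6 and parts[2] == "kms" and parts[3] == bucket_region
```

Feed `guardduty_can_use_key` the JSON returned by `aws kms get-key-policy` for the key you plan to select, and `key_matches_bucket_region` the key ARN and the bucket's region, to catch both common causes of a failed export before GuardDuty starts writing.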