Configuring an Amazon GuardDuty log source by using the Amazon AWS S3 REST API protocol

To collect Amazon GuardDuty findings that are exported to an AWS S3 bucket, add a log source in IBM QRadar that uses the Amazon AWS S3 REST API protocol.

Procedure

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM® Support Website onto your QRadar Console:
    • Protocol Common RPM
    • Amazon AWS REST API Protocol RPM
    • DSMCommon RPM
    • Amazon GuardDuty DSM RPM
  2. Configure Amazon GuardDuty to forward events to an AWS S3 Bucket.
  3. Use the following table to set the parameters for an Amazon GuardDuty log source that uses the Amazon AWS S3 REST API protocol.
    Table 1. Amazon AWS S3 REST API protocol log source parameters
    Parameter Description
    Log Source Type Amazon GuardDuty
    Protocol Configuration Amazon AWS S3 REST API
    Authentication Method Select one of the following methods.
    • Access Key ID / Secret Key
    Standard authentication that can be used from anywhere.
    For more information about configuring security credentials, see Configuring security credentials for your AWS user account.
    • EC2 Instance IAM Role
    If your QRadar managed host is running in an AWS EC2 instance, choose this option to use the IAM Role from the instance metadata that is assigned to the instance for authentication. No keys are required.
    Important: This method works only for managed hosts that are running within an AWS EC2 instance.
    Access Key ID

    If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter.

    The Access Key ID that was generated when you configured the security credentials for your AWS user account.

    For more information about configuring the security credentials, see Configuring security credentials for your AWS user account.

    Secret Key

    If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter.

    The Secret Key that was generated when you configured the security credentials for your AWS user account. This value is the secret access key that is used, together with the Access Key ID, to access the AWS S3 bucket.

    For more information about configuring the security credentials, see Configuring security credentials for your AWS user account.

    S3 Collection Method Select one of the following collection methods.
    • SQS Event Notifications
    • Use a Specific Prefix - Single Account/Region Only
    SQS Queue URL

    If you selected SQS Event Notifications for the S3 Collection Method, configure this parameter.

    This field uses the full URL of the SQS queue, beginning with https://, that receives notifications for ObjectCreated events from S3. For example, https://sqs.us-east-2.amazonaws.com/1234567890123/CloudTrail_SQS_QRadar

    For more information, see the Configuring Amazon S3 event notifications link to public site website (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html)

    To ensure that all data is processed and messages are deleted from the queue after the files are successfully processed, this configuration must be the only consumer of this queue.

    Bucket Name

    If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter.

    The name of the AWS S3 bucket where the log files are stored.

    Directory Prefix

    If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter.

    The root directory location on the AWS S3 bucket from where the GuardDuty findings are retrieved; for example, AWSLogs/<AccountNumber>/GuardDuty/<RegionName>/. The exact prefix depends on the export destination that you configured in GuardDuty.

    To pull files from the root directory of a bucket, you must use a forward slash (/) in the Directory Prefix file path.

    Tip:
    • Changing the Directory Prefix value clears the persisted file marker. All files that match the new prefix are downloaded in the next pull.
    • The Directory Prefix file path cannot begin with a forward slash (/) unless only the forward slash is used to collect data from the root of the bucket.
    • If the Directory Prefix file path is used to specify folders, you must not begin the file path with a forward slash (for example, use folder1/folder2 instead).
    Region Name The region that the SQS Queue or the S3 Bucket is in.

    Example: us-east-1, eu-west-1, ap-northeast-3

    Event Format Select LINEBYLINE. The log files that are collected contain one record per line.

    Compression with gzip (.gz or .gzip) and zip (.zip) is supported.

    Use as a Gateway Log Source Do not enable this option.
    Use Proxy

    If QRadar accesses the Amazon Web Service by using a proxy, enable Use Proxy.

    If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate If you select Yes from the list, QRadar downloads the certificate and begins trusting the target server.

    This function can be used to initialize a newly created log source and obtain certificates initially, or to replace expired certificates. Because the certificate is accepted as presented, without out-of-band verification, use this option only over a network path that you trust and review the acquired certificate afterwards.

    EPS Throttle

    The maximum number of events per second that QRadar ingests.

    If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

    The default is 5000.
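The following Python script is an illustration added to this page; it is not part of the QRadar product or of this documentation. It walks through what a collector configured for SQS Event Notifications has to do with a GuardDuty export: read an S3 ObjectCreated notification taken from the queue, apply the Directory Prefix rules from the table above, and parse the gzip-compressed object one finding per line (the LINEBYLINE event format). The bucket name, account number, object key, finding contents and the in-memory fetch function are constructed for the example; the s3:TestEvent message and the URL-encoded object keys are standard Amazon S3 notification behaviour that any consumer of the queue must handle.

```python
"""Constructed walk-through of S3 REST API collection for a GuardDuty export:
SQS notification -> Directory Prefix check -> gzip JSONL parsed line by line.
All sample data below is constructed, not captured from AWS."""
import gzip
import json
from urllib.parse import unquote_plus


def normalize_prefix(prefix: str) -> str:
    """Apply the Directory Prefix rules from the parameter table.

    '/' alone means the root of the bucket (matches every key); any other
    value must not begin with '/', so 'folder1/folder2', not '/folder1/folder2'.
    """
    if prefix == "/":
        return ""
    if prefix.startswith("/"):
        raise ValueError("Directory Prefix must not begin with '/' unless it is exactly '/'")
    return prefix


def objects_from_notification(body: str, prefix: str):
    """Yield (bucket, key) for each ObjectCreated record in one SQS message.

    S3 sends a single 's3:TestEvent' message when a notification is first
    configured; it carries no 'Records' and is skipped. Object keys in the
    records are URL-encoded, so they are decoded before the prefix check.
    """
    msg = json.loads(body)
    wanted = normalize_prefix(prefix)
    for rec in msg.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        if key.startswith(wanted):
            yield bucket, key


def parse_linebyline(blob: bytes, key: str) -> list:
    """Return the findings in one exported object, one JSON document per line.

    Handles the gzip-compressed form (.gz / .gzip); other objects are read
    as plain text. Blank lines are ignored.
    """
    if key.endswith((".gz", ".gzip")):
        blob = gzip.decompress(blob)
    return [json.loads(line) for line in blob.decode("utf-8").splitlines() if line.strip()]


def collect(notification_body: str, prefix: str, fetch) -> list:
    """End-to-end: notification -> matching objects -> parsed findings.

    `fetch(bucket, key)` stands in for the S3 GetObject call (assumption:
    a dict lookup here so that the example runs offline).
    """
    findings = []
    for bucket, key in objects_from_notification(notification_body, prefix):
        findings.extend(parse_linebyline(fetch(bucket, key), key))
    return findings


# --- constructed sample input (not real AWS data) -------------------------
SAMPLE_KEY = "AWSLogs/111122223333/GuardDuty/us-east-1/2024/01/31/findings.jsonl.gz"
SAMPLE_NOTIFICATION = json.dumps({"Records": [{
    "eventSource": "aws:s3",
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-guardduty-export"},
           "object": {"key": SAMPLE_KEY}}}]})
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Bucket": "example-guardduty-export"})
SAMPLE_OBJECT = gzip.compress("\n".join([
    json.dumps({"id": "finding-1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}),
    json.dumps({"id": "finding-2", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "severity": 5}),
]).encode("utf-8"))

if __name__ == "__main__":
    store = {("example-guardduty-export", SAMPLE_KEY): SAMPLE_OBJECT}
    fetch = lambda bucket, key: store[(bucket, key)]
    for finding in collect(SAMPLE_NOTIFICATION, "/", fetch):
        print(finding["id"], finding["type"], finding["severity"])
    print(collect(TEST_EVENT, "/", fetch))  # [] : the test event carries no Records
```

Two points from the table show up in the code: the prefix "/" collects from the root while any other value must not start with a slash, and a queue that receives the S3 test event or events for other prefixes must still be drained, which is why the configuration has to be the only consumer of the queue.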