Configuring an Amazon AWS CloudTrail log source that uses an S3 bucket with a directory prefix
If you want to collect AWS CloudTrail logs from a single account and region in an Amazon S3 bucket, configure a log source on the QRadar Console so that Amazon AWS CloudTrail can communicate with QRadar by using the Amazon AWS S3 REST API protocol with a directory prefix.
About this task
If you have log sources in an S3 bucket from multiple regions or using multiple accounts, use the Amazon AWS S3 REST API protocol with an SQS queue instead of with a directory prefix.
Restriction: A log source that uses a directory prefix can retrieve data from only one region and one account, so create a separate log source for each region and account. Include the region folder name in the file path that you enter for the Directory Prefix value when you configure the log source.
Procedure
- Find the S3 bucket name and directory prefix.
- Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy.
- Configure the security credentials for your AWS user account.
- Add an Amazon AWS CloudTrail log source on the QRadar Console by using a directory prefix.
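The first step of the procedure, and the restriction above, depend on how CloudTrail lays out objects in the bucket: AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz (organization trails insert an org ID folder before the account ID). The following Python script is an added example, not part of the QRadar documentation: given a bucket listing, it derives the per-account, per-region Directory Prefix values that each need their own log source, skips CloudTrail-Digest objects, and checks that a candidate prefix reaches the region folder so the log source is scoped to a single account and region. The object keys, account IDs and org ID in SAMPLE_KEYS are constructed for the example.

```python
"""Derive QRadar Directory Prefix values from CloudTrail object keys.

Added example, not code from the QRadar documentation. Assumes the documented
CloudTrail key layout AWSLogs/<account>/CloudTrail/<region>/YYYY/MM/DD/<file>
and the organization-trail variant AWSLogs/<org-id>/<account>/CloudTrail/<region>/...
"""
import re
from collections import defaultdict

# Constructed sample listing (for example, the output of `aws s3 ls --recursive`)
# of a bucket that receives CloudTrail from three accounts and two regions.
# Account IDs and the org ID are made up.
SAMPLE_KEYS = [
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/05/01/111111111111_CloudTrail_us-east-1_20240501T0000Z_a.json.gz",
    "AWSLogs/111111111111/CloudTrail/eu-west-1/2024/05/01/111111111111_CloudTrail_eu-west-1_20240501T0000Z_b.json.gz",
    "AWSLogs/222222222222/CloudTrail/us-east-1/2024/05/01/222222222222_CloudTrail_us-east-1_20240501T0000Z_c.json.gz",
    "AWSLogs/o-abc123/333333333333/CloudTrail/us-east-1/2024/05/01/333333333333_CloudTrail_us-east-1_20240501T0000Z_d.json.gz",
    "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/05/01/111111111111_CloudTrail-Digest_us-east-1_20240501T0000Z.json.gz",
]

# Region folder names look like us-east-1, eu-west-2, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def parse_key(key):
    """Return (directory_prefix, account, region) for a CloudTrail event-log key,
    or None for objects that are not event logs (digest files, unrelated keys)."""
    parts = key.split("/")
    if len(parts) < 5 or parts[0] != "AWSLogs" or "CloudTrail" not in parts:
        return None
    i = parts.index("CloudTrail")
    if i < 1 or i + 1 >= len(parts):
        return None
    account, region = parts[i - 1], parts[i + 1]
    if not (account.isdigit() and len(account) == 12) or not REGION_RE.match(region):
        return None
    # The prefix QRadar needs ends at the region folder, inclusive.
    prefix = "/".join(parts[: i + 2]) + "/"
    return prefix, account, region


def directory_prefixes(keys):
    """Group keys by Directory Prefix and count the objects under each.
    Every prefix returned covers exactly one account and one region, so each
    needs its own QRadar log source."""
    counts = defaultdict(int)
    for key in keys:
        parsed = parse_key(key)
        if parsed:
            counts[parsed[0]] += 1
    return dict(counts)


def check_prefix(prefix):
    """Validate a candidate Directory Prefix for the log source.
    Returns (ok, reason). A prefix that stops before the region folder would
    make the log source read every region in that account, which the
    directory-prefix collection method does not support."""
    parts = [p for p in prefix.split("/") if p]
    if not parts or parts[0] != "AWSLogs":
        return False, "prefix must start with AWSLogs/"
    if "CloudTrail" not in parts:
        return False, "prefix must reach the CloudTrail folder"
    i = parts.index("CloudTrail")
    if i + 1 >= len(parts):
        return False, "prefix stops before the region folder and would span every region"
    if not REGION_RE.match(parts[i + 1]):
        return False, f"'{parts[i + 1]}' is not a region folder name"
    return True, "scoped to one account and one region"


if __name__ == "__main__":
    for prefix, n in sorted(directory_prefixes(SAMPLE_KEYS).items()):
        print(f"{n:3d} object(s)  Directory Prefix: {prefix}")
    for candidate in ("AWSLogs/111111111111/CloudTrail/",
                      "AWSLogs/111111111111/CloudTrail/us-east-1/"):
        ok, reason = check_prefix(candidate)
        print(f"{'OK ' if ok else 'BAD'} {candidate}  ({reason})")
```

Running the script against the sample listing yields four distinct prefixes, one per account and region pair, and flags the account-level prefix AWSLogs/111111111111/CloudTrail/ because it omits the region folder. Run it against a real listing to see how many log sources a bucket will need before you start creating them.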