Adding an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and CloudWatch Logs

If you want to collect AWS CloudTrail logs from Amazon CloudWatch logs, add a log source on the QRadar® Console so that Amazon AWS CloudTrail can communicate with QRadar by using the Amazon Web Services protocol.

Procedure

  1. Use the following table describes the parameters that require specific values to collect audit events from Amazon AWS CloudTrail by using the Amazon Web Services protocol:
    Table 1. Amazon Web Services log source parameters for AWS CloudWatch Logs
    Parameter Description
    Protocol Configuration Select Amazon Web Services from the Protocol Configuration list.
    Authentication Method
    Access Key ID/Secret Key
    Standard authentication that can be used from anywhere.
    EC2 Instance IAM Role
    If your QRadar managed host is running in an AWS EC2 instance, choosing this option uses the IAM role from the metadata that is assigned to the instance for authentication. No keys are required. This method works only for managed hosts that are running within an AWS EC2 container.
    Access Key

    The Access Key ID that was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key or Assume IAM Role, the Access Key parameter is displayed.
    Secret Key

    The Secret Key that was generated when you configured the security credentials for your AWS user account.

    If you selected Access Key ID / Secret Key or Assume IAM Role, the Secret Key parameter is displayed.
    Assume an IAM Role Enable this option by authenticating with an Access Key or EC2 instance IAM Role. Then, you can temporarily assume an IAM Role for access.
    Assume Role ARN The full ARN of the role to assume. It must begin with arn: and can't contain any leading or trailing spaces, or spaces within the ARN.

    If you enabled Assume an IAM Role, the Assume Role ARN parameter is displayed.
    Assume Role Session Name The session name of the role to assume. The default is QRadarAWSSession. Leave as the default if you don't need to change it. This parameter can contain only upper and lowercase alphanumeric characters, underscores, or any of the following characters: =,.@-

    If you enabled Assume an IAM Role, the Assume Role Session Name parameter is displayed.
    Assume Role External ID

    Assume Role External ID is an optional identifier that is required to assume a role in a different account.

    If the account administrator, to which the role belongs, provides you with an external ID, then insert that value in the Assume Role External ID parameter.

    This value can either be a string, a passphrase, a GUID, or an account number. For more information, see AWS documentation Using an external ID for third-party access.
    Regions Toggle each region that is associated with the Amazon Web Service that you want to collect logs from.
    AWS Service From the AWS Service list, select CloudWatch Logs.
    Log Group
    The name of the log group in Amazon CloudWatch where you want to collect logs from.
    Tip: A single log source collects CloudWatch Logs from one log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.
    Enable CloudWatch Advanced Options Enable the following optional advanced configuration values. Advanced option values are only used when this option is chosen; otherwise, the default values are used.
    Log Stream
    The name of the log stream within a log group. If you want to collect logs from all log streams within a log group, leave this field blank.
    Filter Pattern
    Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specified are collected from CloudWatch Logs. If you type ACCEPT as the Filter Pattern value, only the events that contain the word ACCEPT are collected, as shown in the following example.
    {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}
    Event Delay
    Delay in seconds for collecting data.
    Other Region(s)
    Deprecated. Use Regions instead.
    Extract Original Event

    Forwards only the original event that was added to the CloudWatch Logs.

    CloudWatch logs wrap the events that they receive with extra metadata. Select this option if you want to collect only the original event that was sent to AWS without the additional stream metadata through CloudWatch Logs.

    The original event is the value for the message key that is extracted from the CloudWatch log. The following CloudWatch Logs event example shows the original event that is extracted from CloudWatch Logs in highlighted text:

    {LogStreamName: 123456786_CloudTrail_us-east-2,
Timestamp: 1505744407363, Message: 
{"eventVersion":"1.05","userIdentity":{"type":
"IAMUser","principalId":"AAAABBBCCCDDDBBBCCC",
"arn":"arn:aws:iam::1234567890:user/<username>",
"accountId":"1234567890","accessKeyId":
"AAAABBBBCCCCDDDD","userName":"User-Name",
"sessionContext":{"attributes":
{"mfaAuthenticated":"false","creationDate":
"2017-09-18T13:22:10Z"}},"invokedBy":
"signin.amazonaws.com"},"eventTime":
"2017-09-18T14:10:15Z","eventSource":
"cloudtrail.amazonaws.com","eventName":
"DescribeTrails","awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.1","userAgent":
"signin.amazonaws.com","requestParameters":
{"includeShadowTrails":false,"trailNameList":
[]},"responseElements":null,"requestID":
"11b1a00-7a7a-11a1-1a11-44a4aaa1a","eventID":
"a4914e00-1111-491d-bbbb-a0dd3845b302",
"eventType":"AwsApiCall","recipientAccountId":
"1234567890"},IngestionTime: 1505744407506,
EventId: 335792223611111122479126672222222513333}
    Use As A Gateway Log Source

    Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources.

    When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events that are being processed.
    Log Source Identifier Pattern

    If you selected Use As A Gateway Log Source, you can define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, QRadar receives events as unknown generic log sources.

    Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

    Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed.

    The following examples show multiple key-value pair functions.
    Patterns
    VPC=\sREJECT\sFAILURE
    $1=\s(REJECT)\sOK
    VPC-$1-$2=\s(ACCEPT)\s(OK)
    Events
    {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}
    Resulting custom log source identifier
    VPC-ACCEPT-OK
    Use Predictive Parsing If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed.
    Tip: In rare circumstances, the algorithm can make incorrect predictions. Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.
    Use Proxy

    If QRadar accesses the Amazon Web Service by using a proxy, select this option.

    If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, configure the Proxy IP or Hostname field.
    EPS Throttle

    The upper limit for the maximum number of events per second (EPS). The default is 5000.

    If the Use As A Gateway Log Source option is selected, this value is optional.

    If the EPS Throttle parameter value is left blank, no EPS limit is imposed by QRadar.
  2. To verify that QRadar is configured correctly, review the following table to see an example of a parsed event message.

    The actual CloudTrail logs are wrapped in a CloudWatch logs JSON payload:

    Table 2. Amazon CloudTrail Logs sample message supported by the Amazon AWS CloudTrail DSM
    Event name Low-level category Sample log message
    Describe Trails Read Activity Attempted 
    {LogStreamName: 1234567890_CloudTrail_us
-east-2,Timestamp: 1505744407363,Message: 
{"eventVersion":"1.05","userIdentity":{"type"
:"IAMUser","principalId":"AIDAIEGANDWTHAAUMATYA",
"arn":"arn:aws:iam::1234567890:user/QRadar-ITeam",
"accountId":"1234567890","accessKeyId":
"AAAABBBBCCCCDDDD","userName":"QRadar-ITeam",
"sessionContext":{"attributes":{"mfaAuthenticated":
"false","creationDate":"2017-09-18T13:22:10Z"}},
"invokedBy":"signin.amazonaws.com"},"eventTime":
"2017-09-18T14:10:15Z","eventSource":
"cloudtrail.amazonaws.com","eventName":
"DescribeTrails","awsRegion":"us-east-1",
"sourceIPAddress":"127.0.0.1","userAgent":
"signin.amazonaws.com","requestParameters":
{"includeShadowTrails":false,"trailNameList":
[]},"responseElements":null,"requestID":
"17b7a04c-99cca-11a1-9d83-43d5bce2d2fc",
"eventID":"a4444e00-55e5-4444-bbbb-a0dd3845b302",
"eventType":"AwsApiCall","recipientAccountId":
"1234567890"},IngestionTime: 1505744407506,
EventId: 33579222362711111111111111222222222222}