Creating ObjectCreated notifications
Configure ObjectCreated notifications for the folders that you want to monitor in the bucket.
Procedure
- Log in to the AWS Management Console as an administrator.
- Click Services, go to S3, and then select a bucket.
- Click the Properties tab, and in the Events pane, click Add notification. Configure the parameters for the new event. The following table shows an example of an ObjectCreated notification parameter configuration:
Table 1. Example: New ObjectCreated notification parameter configuration

Parameter | Value
Name | Type a name of your choosing.
Events | Select All object create events.
Prefix | AWSLogs/
  Tip: You can choose a prefix that contains the data that you want to find, depending on where the data is located and what data you want to go to the queue. For example, AWSLogs/, CustomPrefix/AWSLogs/, or AWSLogs/123456789012/.
Suffix | json.gz
Send to | SQS queue
  Tip: You can send the data from different folders to the same or different queues to suit your collection or QRadar tenant needs. Choose one or more of the following methods:
  - Different folders that go to different queues
  - Different folders from different buckets that go to the same queue
  - Everything from a single bucket that goes to a single queue
  - Everything from multiple buckets that go to a single queue
SQS | The Queue Name from step 4 of Creating the SQS queue that is used to receive the ObjectCreated notifications.

Picture: © 2019 Amazon.com Inc. or its subsidiaries. All Rights Reserved.
In the parameter configuration example in figure 1, notifications are created for AWSLogs/ from the root of the bucket. With this configuration, all ObjectCreated events trigger a notification; if the bucket holds multiple accounts and regions, everything under the prefix gets processed. The example uses the json.gz suffix. This file type can change depending on the data that you are collecting: depending on the content of your bucket, you can omit the suffix or choose one that matches the data you are looking for in the folders where you have events set up.
After approximately 5 minutes, the queue that receives the notifications displays data. The Messages Available column shows the number of messages.

Picture: © 2019 Amazon.com Inc. or its subsidiaries. All Rights Reserved.
- Click Services, then go to Simple Queue Service.
- Right-click the Queue Name from step 4 of Creating the SQS queue that is used to receive the ObjectCreated notifications, then select View/Delete Messages to view the messages.
Picture: © 2019 Amazon.com Inc. or its subsidiaries. All Rights Reserved.
Example: Sample message

{
  "Records": [
    {
      "eventVersion": "2.1",
      "eventSource": "aws:s3",
      "awsRegion": "us-east-2",
      "eventTime": "2018-12-19T01:51:03.251Z",
      "eventName": "ObjectCreated:Put",
      "userIdentity": {
        "principalId": "AWS:AIDAIZLCFC5TZD36YHNZY"
      },
      "requestParameters": {
        "sourceIPAddress": "52.46.82.38"
      },
      "responseElements": {
        "x-amz-request-id": "6C05F1340AA50D21",
        "x-amz-id-2": "9e8KovdAUJwmYu1qnEv+urrO8T0vQ+UOpkPnFYLE6agmJSn745/T3/tVs0Low/vXonTdATvW23M="
      },
      "s3": {
        "s3SchemaVersion": "1.0",
        "configurationId": "test_SQS_Notification_1",
        "bucket": {
          "name": "myBucketName",
          "ownerIdentity": {
            "principalId": "A2SGQBYRFBZET"
          },
          "arn": "arn:aws:s3:::myBucketName"
        },
        "object": {
          "key": "AWSLogs/123456789012/CloudTrail/eu-west-3/2018/12/19/123456789012_CloudTrail_eu-west-3_TestAccountTrail_us-east-2_20181219T014838Z.json.gz",
          "size": 713,
          "eTag": "1ff1209e4140b4ff7a9d2b922f57f486",
          "sequencer": "005C19A40717D99642"
        }
      }
    }
  ]
}
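The following Python is an added example, not code from this documentation, from QRadar, or from AWS. It shows what a consumer of the message above has to do: parse the Records list, URL-decode the object key (S3 encodes keys in notifications, so a space arrives as +), apply the prefix and suffix filter from Table 1, skip bodies that carry no Records (such as the s3:TestEvent message S3 sends when a notification is created), and delete the SQS message only after the object has been downloaded and processed. The message body and the queue client are constructed stand-ins for a real SQS queue and the boto3 client, so the example runs offline.

```python
"""Added example (not part of the QRadar documentation or the AWS SDK): a
minimal consumer for S3 ObjectCreated notifications delivered through SQS."""
import json
from urllib.parse import unquote_plus

# Filter values taken from Table 1 (prefix AWSLogs/, suffix json.gz).
PREFIX = "AWSLogs/"
SUFFIX = "json.gz"

# Constructed message body, modelled on the sample message in the procedure.
SAMPLE_BODY = json.dumps({
    "Records": [{
        "eventVersion": "2.1",
        "eventSource": "aws:s3",
        "awsRegion": "us-east-2",
        "eventName": "ObjectCreated:Put",
        "s3": {
            "bucket": {"name": "myBucketName", "arn": "arn:aws:s3:::myBucketName"},
            "object": {
                # S3 URL-encodes keys in notifications; the space in this
                # constructed key arrives as '+'.
                "key": "AWSLogs/123456789012/CloudTrail/eu-west-3/2018/12/19/"
                       "123456789012_CloudTrail_eu-west-3_Test+Trail.json.gz",
                "size": 713,
            },
        },
    }]
})


def matching_objects(body, prefix=PREFIX, suffix=SUFFIX):
    """Return (bucket, key, size) for each ObjectCreated record in one SQS
    message body whose decoded key matches the prefix/suffix filter."""
    found = []
    # A body without "Records" (e.g. s3:TestEvent) simply yields nothing.
    for record in json.loads(body).get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        key = unquote_plus(record["s3"]["object"]["key"])
        if key.startswith(prefix) and key.endswith(suffix):
            found.append((record["s3"]["bucket"]["name"], key,
                          record["s3"]["object"].get("size", 0)))
    return found


class FakeQueue:
    """In-memory stand-in for an SQS queue (constructed for this example)."""

    def __init__(self, bodies):
        self.messages = [{"ReceiptHandle": f"rh-{i}", "Body": b}
                         for i, b in enumerate(bodies)]

    def receive(self, max_messages=10):
        return list(self.messages[:max_messages])

    def delete(self, receipt_handle):
        self.messages = [m for m in self.messages
                         if m["ReceiptHandle"] != receipt_handle]


def drain(queue, download):
    """Download every matching object from every received message and delete
    a message only when all of its downloads succeeded. A message whose
    processing fails stays on the queue and becomes visible again for a retry
    after the visibility timeout."""
    processed = []
    for msg in queue.receive():
        try:
            for bucket, key, _size in matching_objects(msg["Body"]):
                download(bucket, key)  # real code: s3.get_object(...)
                processed.append(key)
        except Exception:
            continue  # leave the message on the queue
        queue.delete(msg["ReceiptHandle"])
    return processed
```

This is why the IAM policy later in the procedure needs sqs:DeleteMessage as well as sqs:ReceiveMessage: without the delete, every message is redelivered after its visibility timeout and the same objects are processed again.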
Tip: In the key value, your DSM name displays.
- Click Services, then navigate to IAM.
- Set a User or Role permission to access the SQS queue and for permission to download from the target bucket. The user or user role must have permission to read and delete from the SQS queue. For information about adding, managing, and changing permissions for IAM users, see the IAM Users documentation. After QRadar reads the notification, and then downloads and processes the target file, the message must be deleted from the queue.
Sample Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/AWSLogs/*",
        "arn:aws:sqs:us-east-2:<AWS_account_number>:<queue_name>"
      ]
    }
  ]
}

You can add multiple buckets to this policy. To ensure that all objects are accessed, each folder path that you add must end with a trailing /*.
You can add this policy directly to a user or a user role, or you can create a minimal access user with sts:AssumeRole permissions only. When you configure a log source in QRadar, configure the Assume Role ARN parameter for QRadar to assume the role. To ensure that all files waiting to be processed in a single run (emptying the queue) can finish without retries, use the default value of 1 hour for the API Session Duration parameter.
When you use assumed roles, ensure that the ARN of the user that is assuming the role is in the Trusted Entities for that role. You can view the trusted entities that can assume the role on the Trust Relationship tab of the IAM role. In addition, the user must have permission to assume roles in that (or any) account. A trust policy is attached to the role that it governs, so it names the principal that may assume the role and contains no Resource element. The following examples show sample trust policies:
- Allow all IAM users within a specific AWS account to assume a role

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

- Allow a specific user to assume a role

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/USERNAME"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
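The following Python is an added example that is not part of this documentation and not QRadar's or AWS's own tooling. It checks the two policy documents from the steps above for the properties the text requires before they are attached: the user or role policy must allow sqs:ReceiveMessage, sqs:DeleteMessage and s3:GetObject, and every S3 resource must end in /* so that the objects under the folder, not only the folder name itself, are readable; the trust policy must allow only sts:AssumeRole, must trust the expected principal, and must not contain a Resource element, which IAM rejects in a trust policy. The account id, bucket name, queue name and user name in the embedded policies are constructed placeholders.

```python
"""Added example (not from the QRadar documentation or AWS): sanity checks for
the S3/SQS access policy and the role trust policy described in the procedure."""
import json

REQUIRED_ACTIONS = {"sqs:ReceiveMessage", "sqs:DeleteMessage", "s3:GetObject"}


def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow"]


def check_access_policy(policy):
    """Return a list of problems with the user/role policy (empty means ok)."""
    problems = []
    actions, s3_resources = set(), []
    for stmt in _allow_statements(policy):
        actions.update(_as_list(stmt.get("Action", [])))
        for arn in _as_list(stmt.get("Resource", [])):
            if arn.startswith("arn:aws:s3:::"):
                s3_resources.append(arn)
    for action in sorted(REQUIRED_ACTIONS - actions):
        problems.append(f"missing action {action}")
    if not s3_resources:
        problems.append("no S3 resource")
    for arn in s3_resources:
        # "arn:aws:s3:::bucket/AWSLogs" matches only an object literally named
        # AWSLogs; the trailing /* is what covers the objects under the folder.
        if not arn.endswith("/*"):
            problems.append(f"S3 resource without trailing /*: {arn}")
    return problems


def check_trust_policy(policy, expected_principal):
    """Return a list of problems with a role trust policy (empty means ok)."""
    problems = []
    stmts = _allow_statements(policy)
    if not stmts:
        problems.append("no Allow statement")
    for stmt in stmts:
        if "Resource" in stmt:
            problems.append("Resource is not allowed in a trust policy")
        if set(_as_list(stmt.get("Action", []))) != {"sts:AssumeRole"}:
            problems.append("trust policy should allow only sts:AssumeRole")
        principal = stmt.get("Principal", {})
        trusted = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                   else _as_list(principal))
        if expected_principal not in trusted:
            problems.append(f"expected principal {expected_principal} not trusted")
    return problems


# Constructed placeholders: not a real account id, bucket, queue or user.
ACCESS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sqs:DeleteMessage", "sqs:ReceiveMessage", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket/AWSLogs/*",
                 "arn:aws:sqs:us-east-2:111122223333:example-queue"]
  }]
}""")

TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/qradar-collector"},
    "Action": "sts:AssumeRole"
  }]
}""")

if __name__ == "__main__":
    print(check_access_policy(ACCESS_POLICY) or "access policy ok")
    print(check_trust_policy(
        TRUST_POLICY, "arn:aws:iam::111122223333:user/qradar-collector")
        or "trust policy ok")
```

Run the checks against a policy exported with the IAM console or CLI before attaching it; a missing /* is the common reason QRadar can receive notifications but fail to download the objects they describe.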
The following image shows a sample Amazon AWS CloudTrail log source configuration in QRadar.
Tip: Use the Amazon AWS S3 REST API log source parameter values for your DSM when you configure your log source.