Configuring Amazon AWS WAF to communicate with QRadar

Before you can add a log source in IBM QRadar, you must configure Amazon AWS WAF to send logs to an Amazon Kinesis Data Firehose Delivery Stream that uses an Amazon AWS S3 bucket.

Before you begin

You must have an Amazon Kinesis Data Firehose Delivery Stream configured. For more information, see the Amazon documentation about Creating an Amazon Kinesis Data Firehose Delivery Stream (https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html). The delivery stream must be linked to the Amazon AWS S3 Bucket.

About this task

Logging must be enabled to forward events to QRadar. If you don't have logging enabled for Amazon AWS WAF, complete the following steps.

Procedure

  1. Log in to your IAM console (https://console.aws.amazon.com/iam/).
  2. Click Services > WAF & Shield.
  3. From the WAF & Shield navigation menu, select Web ACLs.
  4. Click the Logging and metrics tab.
  5. To enable logging, click Enable logging.
  6. From the region list, select your region.
  7. From the Web ACLs list, select the Amazon Kinesis Data Firehose Delivery Stream that is linked to your Amazon AWS S3 bucket.
  8. Click Enable Logging.
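
One way to confirm the result of the procedure, as an added example that is not part of the original documentation: the Python check below takes the JSON that the AWS CLI returns for get-logging-configuration (web ACL) and describe-delivery-stream (Firehose) and reports whether logging points to a delivery stream that is linked to an S3 bucket. The sample ARNs, stream and bucket names, and function names are constructed for illustration.

```python
# Added example (not from the original page). The dicts mirror the JSON returned by
# get-logging-configuration and describe-delivery-stream; all values are constructed.
SAMPLE_LOGGING = {"LoggingConfiguration": {
    "ResourceArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example-acl/EXAMPLE-ID",
    "LogDestinationConfigs": [
        "arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-waf-logs-qradar-example"]}}
SAMPLE_STREAM = {"DeliveryStreamDescription": {
    "DeliveryStreamName": "aws-waf-logs-qradar-example",
    "DeliveryStreamStatus": "ACTIVE",
    "Destinations": [{"ExtendedS3DestinationDescription": {
        "BucketARN": "arn:aws:s3:::example-waf-log-bucket"}}]}}


def firehose_name(arn):
    """Return the stream name from a Firehose delivery stream ARN, else None."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "firehose" and parts[5].startswith("deliverystream/"):
        return parts[5].split("/", 1)[1]
    return None


def check_waf_logging(logging_cfg, stream_desc):
    """Return a list of problems; an empty list means WAF -> Firehose -> S3 is in place."""
    dests = logging_cfg.get("LoggingConfiguration", {}).get("LogDestinationConfigs", [])
    names = [n for n in map(firehose_name, dests) if n]
    if not names:
        return ["logging is not enabled to a Firehose delivery stream"]
    problems = []
    # AWS requires delivery streams used for WAF logs to be named aws-waf-logs-*.
    if not all(n.startswith("aws-waf-logs-") for n in names):
        problems.append("stream name lacks the aws-waf-logs- prefix")
    desc = stream_desc.get("DeliveryStreamDescription", {})
    if desc.get("DeliveryStreamName") not in names:
        problems.append("described stream is not the web ACL's log destination")
    if desc.get("DeliveryStreamStatus") != "ACTIVE":
        problems.append("delivery stream is not ACTIVE")
    # The S3 bucket appears under either the extended or the plain S3 destination key.
    buckets = [d[k].get("BucketARN") for d in desc.get("Destinations", [])
               for k in ("ExtendedS3DestinationDescription", "S3DestinationDescription")
               if k in d]
    if not any(buckets):
        problems.append("delivery stream has no S3 destination")
    return problems


if __name__ == "__main__":
    print(check_waf_logging(SAMPLE_LOGGING, SAMPLE_STREAM) or "logging chain looks complete")
```

An empty result means the web ACL logs to an active delivery stream with an S3 destination, which is the state the QRadar log source expects.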

What to do next

Add a log source in QRadar.