Creating and editing CloudTrail log sources

See an overview of the CloudTrail trails that you have across all Amazon AWS accounts, see which QRadar® CloudTrail log sources are currently set up, and view or edit these log sources.

Before you begin

To modify log source information, ask your administrator to grant you the "Manage Log Sources" permission.

Procedure

  1. On the Utilities for configuring AWS services for QRadar tab, click Log Sources > CloudTrail Logs.
  2. Optional: Filter the log sources by the degree to which regions are covered, or by the warnings or errors for each log source. Access the Filters sidebar by clicking the filter icon in the upper left of the view page.
  3. To create a log source, click Create in the QRadar Log Source column.
    1. Select how you want QRadar to collect data from AWS: either from a Simple Queue Service (SQS) queue, or from S3 by using the REST API with a directory prefix method. Then click Next.
      If you choose SQS, the option for using an existing SQS queue is the default selection. To create a new SQS queue, go to step 4.
    2. Create the log source and click Submit.
  4. To create a new SQS queue from the Create Log Source page, use the following steps:
    1. Follow the set of linked instructions in IBM Knowledge Center.
    2. On the Create Log Source page, click Refresh, choose the newly created SQS queue URL, and then click Next.
    3. Create the log source and then click Submit.
  5. Optional: To edit a log source, click the link of the log source name in the QRadar Log Source column, click Edit, and complete the configuration window that opens. Click Submit when you're finished.
  6. Optional: To delete a log source, click the link of the log source name in the QRadar Log Source column, and then click Delete in the Log Source Summary.
    You cannot undo the action.