Configuring an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams

If you want to collect AWS CloudTrail logs from Amazon Kinesis Data Streams, configure a log source on the QRadar Console so that Amazon AWS CloudTrail can communicate with QRadar by using the Amazon Web Services protocol.

Procedure

  1. Follow the procedures in the AWS online documentation Sending Events to CloudWatch Logs (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html) to configure CloudTrail to deliver its logs to a CloudWatch Logs log group.
  2. Create CloudWatch Logs destinations and a CloudWatch Logs subscription filter.

    For more information about CloudWatch Logs Destinations and Subscriptions, see Cross-Account Log Data Sharing with Subscriptions.

    1. Create a CloudWatch Logs destination that points to a destination Kinesis Data Stream.

      Only one CloudWatch Logs destination is required per region and the destination Kinesis Data Stream can be in any region.

    2. Create a CloudWatch Logs subscription filter with a blank filter pattern to subscribe the destination to the CloudWatch Logs log group. A blank pattern matches all events.

      The subscription filter is now associated with a CloudWatch Logs log group that contains AWS CloudTrail logs, and delivers those logs to a Kinesis Data Stream.
  3. Add an Amazon AWS CloudTrail log source by using the Amazon Web Services protocol and Kinesis Data Streams.
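The following script is an added example, not part of the QRadar or AWS documentation, that carries out steps 1 and 2 above with the AWS CLI: it creates the destination Kinesis Data Stream, an IAM role that CloudWatch Logs assumes to write to it, the CloudWatch Logs destination with an access policy, and a subscription filter with a blank pattern on the CloudTrail log group. The region, log group, stream, role and destination names are placeholders (assumptions); the log group name must match the one CloudTrail was configured to deliver to in step 1. The three policy functions return the JSON documents, so they can be inspected without touching AWS; `deploy` runs only when the script is invoked with the `deploy` argument.

```shell
#!/usr/bin/env bash
# Added example (not from the QRadar or AWS docs): CloudTrail -> CloudWatch Logs
# -> Kinesis Data Stream wiring for a QRadar Amazon Web Services protocol source.
# All names below are placeholders / assumptions; override them via environment.
set -eu

REGION="${REGION:-us-east-1}"
LOG_GROUP="${LOG_GROUP:-CloudTrail/DefaultLogGroup}"   # log group from step 1 (assumed name)
STREAM_NAME="${STREAM_NAME:-qradar-cloudtrail}"
ROLE_NAME="${ROLE_NAME:-CWLtoKinesisRole}"
DEST_NAME="${DEST_NAME:-qradar-cloudtrail-dest}"

# Trust policy: only the CloudWatch Logs service may assume the role, and only
# on behalf of log groups in this account and region (aws:SourceArn guards
# against a confused-deputy use of the role from another account).
trust_policy() {
  account="$1"; region="$2"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"logs.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringLike":{"aws:SourceArn":"arn:aws:logs:%s:%s:*"}}}]}' "$region" "$account"
}

# Permissions policy: least privilege, write access to this one stream only.
stream_put_policy() {
  stream_arn="$1"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kinesis:PutRecord","Resource":"%s"}]}' "$stream_arn"
}

# Destination access policy: only the named sender account may attach a
# subscription filter to the destination (for cross-account sharing, put the
# sending account's ID here instead of your own).
destination_policy() {
  sender_account="$1"; dest_arn="$2"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"%s"},"Action":"logs:PutSubscriptionFilter","Resource":"%s"}]}' "$sender_account" "$dest_arn"
}

deploy() {
  account=$(aws sts get-caller-identity --query Account --output text)

  # Destination stream. It may live in any region; the CloudWatch Logs
  # destination below must be created in the region of the log group.
  aws kinesis create-stream --region "$REGION" --stream-name "$STREAM_NAME" --shard-count 1
  aws kinesis wait stream-exists --region "$REGION" --stream-name "$STREAM_NAME"
  stream_arn=$(aws kinesis describe-stream --region "$REGION" --stream-name "$STREAM_NAME" \
      --query StreamDescription.StreamARN --output text)

  role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy "$account" "$REGION")" \
      --query Role.Arn --output text)
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name "${ROLE_NAME}-kinesis" \
      --policy-document "$(stream_put_policy "$stream_arn")"
  sleep 10   # IAM is eventually consistent; put-destination can fail if the role is too new

  # Step 2.1: one CloudWatch Logs destination per region, pointing at the stream.
  dest_arn=$(aws logs put-destination --region "$REGION" --destination-name "$DEST_NAME" \
      --target-arn "$stream_arn" --role-arn "$role_arn" --query destination.arn --output text)
  aws logs put-destination-policy --region "$REGION" --destination-name "$DEST_NAME" \
      --access-policy "$(destination_policy "$account" "$dest_arn")"

  # Step 2.2: blank filter pattern, so every CloudTrail event in the group is forwarded.
  aws logs put-subscription-filter --region "$REGION" --log-group-name "$LOG_GROUP" \
      --filter-name "${DEST_NAME}-all" --filter-pattern "" --destination-arn "$dest_arn"

  # Check: once CloudTrail writes an event, a record should appear in the stream.
  iterator=$(aws kinesis get-shard-iterator --region "$REGION" --stream-name "$STREAM_NAME" \
      --shard-id shardId-000000000000 --shard-iterator-type TRIM_HORIZON \
      --query ShardIterator --output text)
  aws kinesis get-records --region "$REGION" --limit 1 --shard-iterator "$iterator"
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `./cloudtrail-kinesis.sh deploy` with credentials that can manage IAM, Kinesis and CloudWatch Logs. The `Data` field of each record returned by `get-records` is a base64-encoded, gzip-compressed CloudWatch Logs payload rather than a bare CloudTrail JSON document; that is the form in which the QRadar log source created in step 3 reads the stream.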