Configuring an Amazon CloudFront data source by using the Amazon Web Services connector and Kinesis Data Streams

Before you can add a data source that uses the Amazon Web Services connector in the QRadar® product, you must create a data stream and then create a real-time log configuration on the AWS Management Console.

Procedure

  1. On the AWS Management Console, create a data stream. For more information, see Creating a stream via the AWS Management Console (https://docs.aws.amazon.com/streams/latest/dev/how-do-i-create-a-stream.html).
  2. On the AWS Management Console, create real-time logs. For more information, see Real-time logs (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html).
  3. Create a real-time log configuration on the AWS Management Console (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#create-real-time-log-config.html).
    Important: Real-time log configuration requires all 40 fields to be configured. For more information, see Understanding real-time log configurations (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config.html).
    The position/index number for the following fields must be as documented in the Amazon AWS Fields documentation (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/real-time-logs.html#understand-real-time-log-config-fields.html):
    • timestamp
    • c-ip
    • sc-status
    • x-edge
    • x-edge-result-type
    • c-port
    • x-edge-detailed-result-type
    For example, c-ip must be in the 2nd position and x-edge-detailed-result-type must be in the 33rd position.
  4. Add an Amazon CloudFront data source in the QRadar product. For more information, see Adding an Amazon CloudFront log source by using the Amazon Web Services connector protocol and Kinesis Data Streams.
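A field that is configured at the wrong position does not fail loudly: the record still arrives with 40 tab-separated values, but the parser reads, say, an HTTP status where it expects the client IP. The following script is an added example (not IBM's or AWS's code) that decodes a Kinesis record payload as the raw GetRecords API returns it, checks that each line carries all 40 fields, and type-checks the fields that steps 3 singles out so that a misordered configuration is caught before events reach the log source. The field order in `CLOUDFRONT_REALTIME_FIELDS` is an assumption copied from the linked AWS documentation at the time of writing and should be verified against the current AWS page; the sample records are constructed, and `decode_kinesis_payload`, `parse_record`, `find_misplaced_fields` and `audit_payload` are names chosen for this example.

```python
import base64
import ipaddress

# The 40 fields of a CloudFront real-time log configuration in the order the
# AWS documentation lists them. Assumption: copied from that documentation at
# the time of writing; verify against the current AWS page before relying on it.
CLOUDFRONT_REALTIME_FIELDS = (
    "timestamp", "c-ip", "time-to-first-byte", "sc-status", "sc-bytes",
    "cs-method", "cs-protocol", "cs-host", "cs-uri-stem", "cs-bytes",
    "x-edge-location", "x-edge-request-id", "x-host-header", "time-taken",
    "cs-protocol-version", "c-ip-version", "cs-user-agent", "cs-referer",
    "cs-cookie", "cs-uri-query", "x-edge-response-result-type",
    "x-forwarded-for", "ssl-protocol", "ssl-cipher", "x-edge-result-type",
    "fle-encrypted-fields", "fle-status", "sc-content-type", "sc-content-len",
    "sc-range-start", "sc-range-end", "c-port", "x-edge-detailed-result-type",
    "c-country", "cs-accept-encoding", "cs-accept",
    "cache-behavior-path-pattern", "cs-headers", "cs-header-names",
    "cs-headers-count",
)
assert len(CLOUDFRONT_REALTIME_FIELDS) == 40


def position_of(field):
    """1-based position a field must occupy in the real-time log configuration."""
    return CLOUDFRONT_REALTIME_FIELDS.index(field) + 1


def decode_kinesis_payload(data_b64):
    """The raw Kinesis GetRecords API (and the CLI) return each record's Data
    base64-encoded; boto3 decodes it for you. CloudFront writes one
    tab-separated line per request, and a payload may hold several lines."""
    text = base64.b64decode(data_b64).decode("utf-8")
    return [line for line in text.split("\n") if line]


def parse_record(line):
    """Map one record to {field: value}; reject anything but exactly 40 fields,
    since the procedure requires all 40 fields to be configured."""
    values = line.split("\t")
    if len(values) != len(CLOUDFRONT_REALTIME_FIELDS):
        raise ValueError(f"expected 40 fields, got {len(values)}")
    return dict(zip(CLOUDFRONT_REALTIME_FIELDS, values))


def find_misplaced_fields(record):
    """Type-check the fields whose position step 3 singles out. A value that
    does not fit its field is the usual sign that the log configuration was
    saved with the fields in a different order than documented."""
    problems = []
    try:
        float(record["timestamp"])
    except ValueError:
        problems.append("timestamp")
    try:
        ipaddress.ip_address(record["c-ip"])
    except ValueError:
        problems.append("c-ip")
    if not (record["sc-status"].isdigit() and len(record["sc-status"]) == 3):
        problems.append("sc-status")
    if not (record["c-port"].isdigit() and 0 < int(record["c-port"]) < 65536):
        problems.append("c-port")
    return problems


# Constructed sample: one well-formed record, then the same record as it would
# arrive if c-ip and sc-status had been configured in each other's position.
GOOD_RECORD = [
    "1700000000.123", "203.0.113.10", "0.002", "200", "1024", "GET", "https",
    "d111111abcdef8.cloudfront.net", "/index.html", "512", "IAD89-C1",
    "EXAMPLEREQUESTID", "www.example.com", "0.004", "HTTP/2.0", "IPv4",
    "Mozilla/5.0", "-", "-", "-", "Hit", "-", "TLSv1.3",
    "TLS_AES_128_GCM_SHA256", "Hit", "-", "-", "text/html", "1024", "-", "-",
    "51234", "Hit", "US", "gzip", "text/html", "*", "-", "-", "0",
]
MISORDERED_RECORD = list(GOOD_RECORD)
MISORDERED_RECORD[1], MISORDERED_RECORD[3] = GOOD_RECORD[3], GOOD_RECORD[1]
SAMPLE_PAYLOAD_B64 = base64.b64encode(
    ("\t".join(GOOD_RECORD) + "\n" + "\t".join(MISORDERED_RECORD) + "\n").encode()
).decode()


def audit_payload(data_b64):
    """Per record, the fields whose values do not fit their documented position."""
    return [find_misplaced_fields(parse_record(line))
            for line in decode_kinesis_payload(data_b64)]


if __name__ == "__main__":
    print("c-ip position:", position_of("c-ip"))  # 2
    print("x-edge-detailed-result-type position:",
          position_of("x-edge-detailed-result-type"))  # 33
    print("misplaced fields:", audit_payload(SAMPLE_PAYLOAD_B64))  # [[], ['c-ip', 'sc-status']]
```

Run it once against a few real records pulled from the stream after step 3 (for example, from the output of `aws kinesis get-records`); an empty list per record means the positions match, while a non-empty list names the fields to fix in the real-time log configuration before adding the log source in step 4.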