Configuring an Amazon GuardDuty data source by using the Amazon AWS S3 REST API connector
If you want to collect Amazon GuardDuty findings when you use an AWS S3 Bucket, add a data source in the QRadar® product by using the Amazon AWS S3 REST API connector.
Procedure
- Configure Amazon GuardDuty to forward alerts to an AWS S3 Bucket.
- Use the following table to set the parameters for an Amazon GuardDuty data source that uses the Amazon AWS S3 REST API connector.
Table 1. Amazon AWS S3 REST API connector data source parameters

| Parameter | Description |
|---|---|
| Data source type | Amazon GuardDuty |
| Connector type | Amazon AWS S3 REST API |
| Authentication Method | Select one of the following methods. (1) Access Key ID / Secret Key: standard authentication that can be used from anywhere. For more information about configuring security credentials, see Configuring security credentials for your AWS user account. (2) EC2 Instance IAM Role: if your QRadar managed host is running in an AWS EC2 instance, choose this option to authenticate with the IAM Role from the metadata that is assigned to the instance. No keys are required. Important: This method works only for managed hosts that are running within an AWS EC2 container. |
| Access Key ID | Configure this parameter if you selected Access Key ID / Secret Key for the Authentication Method. The Access Key ID that was generated when you configured the security credentials for your AWS user account. For more information about configuring the security credentials, see Configuring security credentials for your AWS user account. |
| Secret Key | Configure this parameter if you selected Access Key ID / Secret Key for the Authentication Method. The Secret Key that was generated when you configured the security credentials for your AWS user account. This value is also the Secret Key ID that is used to access the AWS S3 bucket. For more information about configuring the security credentials, see Configuring security credentials for your AWS user account. |
| S3 Collection Method | Select one of the following collection methods: SQS Event Notifications, or Use a Specific Prefix - Single Account/Region Only. |
| SQS Queue URL | Configure this parameter if you selected SQS Event Notifications for the S3 Collection Method. The full URL of the SQS queue, beginning with https://, that receives notifications for ObjectCreated events from S3; for example, https://sqs.us-east-2.amazonaws.com/1234567890123/CloudTrail_SQS_QRadar. For more information, see Configuring Amazon S3 event notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). To ensure that all data is processed and that messages are deleted from the queue after the files are successfully processed, this configuration must be the only consumer of the queue. |
| Bucket Name | Configure this parameter if you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method. The name of the AWS S3 bucket where the log files are stored. |
| Directory Prefix | Configure this parameter if you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method. The root directory location on the AWS S3 bucket from which the CloudTrail logs are retrieved; for example, AWSLogs/<AccountNumber>/CloudTrail/<RegionName>/. To pull files from the root directory of a bucket, use a forward slash (/) as the Directory Prefix file path. Tip: Changing the Directory Prefix value clears the persisted file marker, so all files that match the new prefix are downloaded in the next pull. The Directory Prefix file path cannot begin with a forward slash (/) unless the forward slash alone is used to collect data from the root of the bucket; when the file path specifies folders, do not begin it with a forward slash (for example, use folder1/folder2). |
| Region Name | The region that the SQS Queue or the S3 Bucket is in. Example: us-east-1, eu-west-1, ap-northeast-3 |
| Event Format | Select LINEBYLINE. The log files that are collected contain one record per line. Compression with gzip (.gz or .gzip) and zip (.zip) is supported. |
| Use as a Gateway Log Source | Do not enable this option. |
| Use Proxy | If the QRadar product accesses the Amazon Web Service by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
| Automatically Acquire Server Certificate | If you select Yes from the list, the QRadar product downloads the certificate and begins trusting the target server. Use this function to initialize a newly created log source and obtain its certificates, or to replace expired certificates. |
| EPS Throttle | The maximum number of events per second (EPS) for this log source. The default is 5000. If EPS Throttle is left blank, the QRadar product imposes no limit. Ensure that the EPS Throttle value is higher than the incoming rate, or data processing might fall behind. |
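As an added example, not part of this IBM page or of the QRadar connector's own code, the following Python script walks through what the SQS Event Notifications collection path has to do with the parameters above: apply the Directory Prefix rules from the tip (a lone "/" means the bucket root, any other value must not start with "/"), derive the region from the SQS Queue URL so it can be checked against the Region Name parameter, pull the ObjectCreated keys out of an S3 event notification message (ignoring the s3:TestEvent that S3 sends when notifications are first configured), and decode a gzip-compressed LINEBYLINE file into one record per line. The bucket name, S3 key layout, findings file and SQS message are constructed sample data, and the `fetch` callback stands in for the S3 GetObject call; none of these names come from the page.

```python
import gzip
import json
from typing import Callable
from urllib.parse import unquote_plus, urlparse


def validate_directory_prefix(prefix: str) -> str:
    """Apply the Directory Prefix rules: "/" alone selects the bucket root,
    any other value names folders without a leading slash (folder1/folder2).
    Returns the key prefix that object keys are matched against."""
    if prefix == "/":
        return ""  # root of the bucket: every key matches
    if not prefix:
        raise ValueError("Directory Prefix is required; use '/' for the bucket root")
    if prefix.startswith("/"):
        raise ValueError("Directory Prefix must not begin with '/' unless it is exactly '/'")
    return prefix


def region_from_queue_url(queue_url: str) -> str:
    """Derive the region from an SQS Queue URL (https://sqs.<region>.amazonaws.com/...)
    so it can be compared with the Region Name parameter. Assumes the standard
    amazonaws.com endpoint form; anything else is rejected."""
    parsed = urlparse(queue_url)
    if parsed.scheme != "https":
        raise ValueError("SQS Queue URL must begin with https://")
    host = (parsed.hostname or "").split(".")
    if len(host) != 4 or host[0] != "sqs" or host[2:] != ["amazonaws", "com"]:
        raise ValueError(f"not a recognised SQS endpoint: {parsed.hostname}")
    return host[1]


def objects_from_notification(message_body: str, bucket: str, prefix: str) -> list:
    """Return the keys of ObjectCreated events in one S3 notification message that
    belong to the expected bucket and fall under the prefix. Keys arrive URL-encoded
    and are decoded first; an s3:TestEvent has no Records and yields []."""
    body = json.loads(message_body)
    keys = []
    for record in body.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        key = unquote_plus(s3["object"]["key"])
        if s3["bucket"]["name"] == bucket and key.startswith(prefix):
            keys.append(key)
    return keys


def read_linebyline(data: bytes, compressed: bool) -> list:
    """Decode a LINEBYLINE file: one JSON record per line, optionally gzip-compressed.
    Blank lines are skipped; a malformed line raises instead of being dropped silently."""
    raw = gzip.decompress(data) if compressed else data
    return [json.loads(line) for line in raw.decode("utf-8").splitlines() if line.strip()]


def collect_findings(message_body: str, bucket: str, prefix: str,
                     fetch: Callable[[str], bytes]) -> list:
    """One pass of the SQS-driven collector: notification -> keys -> objects -> records.
    `fetch` stands in for the S3 GetObject call."""
    records = []
    for key in objects_from_notification(message_body, bucket, validate_directory_prefix(prefix)):
        records.extend(read_linebyline(fetch(key), compressed=key.endswith((".gz", ".gzip"))))
    return records


# Constructed sample data, not real AWS output: a gzip-compressed findings file and the
# notification S3 would queue for it. The AWSLogs/<account>/GuardDuty/... key layout is an
# assumption; the key contains a space so the URL decoding is exercised.
SAMPLE_BUCKET = "guardduty-findings-example"
SAMPLE_KEY = "AWSLogs/123456789012/GuardDuty/us-east-1/2024/01/01/findings 1.jsonl.gz"
SAMPLE_FINDINGS = [
    {"schemaVersion": "2.0", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
    {"schemaVersion": "2.0", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5},
]
SAMPLE_FILE = gzip.compress(("\n".join(json.dumps(f) for f in SAMPLE_FINDINGS) + "\n").encode())
SAMPLE_MESSAGE = json.dumps({"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": SAMPLE_BUCKET},
           "object": {"key": SAMPLE_KEY.replace(" ", "+")}},
}]})


def demo() -> list:
    """Run the collector over the constructed sample and return the decoded findings."""
    store = {SAMPLE_KEY: SAMPLE_FILE}
    return collect_findings(SAMPLE_MESSAGE, SAMPLE_BUCKET, "AWSLogs/123456789012/GuardDuty/",
                            fetch=lambda key: store[key])


if __name__ == "__main__":
    print("queue region:", region_from_queue_url(
        "https://sqs.us-east-2.amazonaws.com/123456789012/GuardDuty_SQS_QRadar"))
    for finding in demo():
        print(finding["severity"], finding["type"])
```

The bucket and prefix checks in `objects_from_notification` are the reason the table insists that this configuration be the only consumer of the queue: a message for an object outside the expected bucket or prefix is dropped, and a second consumer racing for the same messages would leave files unprocessed on one side and deleted from the queue on the other.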