To collect alerts in the QRadar® product, you must configure Amazon
GuardDuty to forward alerts to an AWS S3 Bucket.
Procedure
- Log in to the AWS Management Console as an administrator.
- On the menu bar, type GuardDuty in the search field.
- From the Navigation menu, select Findings.
- From the Frequency for updated findings list, select Update CWE and S3 every 15 minutes.
- In the S3 bucket section, click Configure now.
- Click one of the following S3 bucket options:
- Existing bucket - In your account
- Existing bucket - In another account
- New bucket - Create a new bucket
- From the Choose a bucket list, select your S3 bucket.
- Optional: Enter a path prefix in the Log file prefix field. A new folder with the path prefix name that you specified is created in the bucket, and the path shown below the field is updated to reflect the location of the exported findings in the bucket.
- Select one of the following KMS encryption options:
- Click Save.
When GuardDuty generates findings, they are sent to your S3 bucket.
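The export only works if the bucket you chose above lets the GuardDuty service write to it, and a bucket that is reachable by any account's GuardDuty, or over plaintext transport, leaks the very findings QRadar is meant to ingest. The following Python is an added example, not IBM or AWS code: it builds a bucket policy for the export destination and reviews an existing policy for the grant and the conditions that keep it scoped. The statement shapes follow the bucket policy AWS documents for a GuardDuty publishing destination (a PutObject and GetBucketLocation grant to guardduty.amazonaws.com limited by aws:SourceAccount and aws:SourceArn, plus denies for unencrypted uploads and non-TLS access); the bucket name, account ID and detector ARN in the test are constructed placeholders.

```python
import json

GUARDDUTY_PRINCIPAL = "guardduty.amazonaws.com"


def _as_list(value):
    """Policy grammar allows a string or a list in Principal/Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def build_guardduty_bucket_policy(bucket, account_id, detector_arn, prefix="", kms_key_arn=None):
    """Return a bucket policy (dict) that lets the GuardDuty service of one account
    and one detector write exported findings under `prefix`, and refuses uploads
    that are unencrypted, use the wrong KMS key, or arrive over plaintext transport."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{prefix.strip('/') + '/' if prefix else ''}*"
    # Confused-deputy guard: only *this* account's GuardDuty detector may use the grant.
    source_scope = {
        "StringEquals": {"aws:SourceAccount": account_id},
        "ArnLike": {"aws:SourceArn": detector_arn},
    }
    statements = [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_PRINCIPAL},
         "Action": "s3:GetBucketLocation", "Resource": bucket_arn,
         "Condition": source_scope},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow",
         "Principal": {"Service": GUARDDUTY_PRINCIPAL},
         "Action": "s3:PutObject", "Resource": objects_arn,
         "Condition": source_scope},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": objects_arn,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
    if kms_key_arn:
        # Pin uploads to the key chosen in the KMS encryption step of the procedure.
        statements.append({
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": objects_arn,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}})
    return {"Version": "2012-10-17", "Statement": statements}


def check_guardduty_export_policy(policy, bucket):
    """Review a bucket policy pulled from an existing (possibly cross-account) bucket.
    Returns a list of problems; an empty list means the GuardDuty PutObject grant
    exists and is tied to a source account, a detector, and TLS-only access."""
    problems = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = policy.get("Statement", [])
    grants = [
        s for s in statements
        if s.get("Effect") == "Allow"
        and isinstance(s.get("Principal"), dict)
        and GUARDDUTY_PRINCIPAL in _as_list(s["Principal"].get("Service", []))
        and "s3:PutObject" in _as_list(s.get("Action", []))
        and any(r.startswith(bucket_arn + "/") for r in _as_list(s.get("Resource", [])))
    ]
    if not grants:
        problems.append("no Allow statement grants guardduty.amazonaws.com s3:PutObject on this bucket")
        return problems
    for s in grants:
        sid = s.get("Sid", "<no Sid>")
        cond = json.dumps(s.get("Condition", {}))
        if "aws:SourceAccount" not in cond:
            problems.append(f"{sid}: grant lacks aws:SourceAccount; any account's GuardDuty could write here")
        if "aws:SourceArn" not in cond:
            problems.append(f"{sid}: grant lacks aws:SourceArn; not limited to one detector")
    if not any(s.get("Effect") == "Deny"
               and "aws:SecureTransport" in json.dumps(s.get("Condition", {}))
               for s in statements):
        problems.append("no Deny statement for plaintext (non-TLS) transport")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own bucket, account and detector.
    policy = build_guardduty_bucket_policy(
        "example-gd-findings", "111122223333",
        "arn:aws:guardduty:us-east-1:111122223333:detector/12abc34d567e8fa901bc2d34e56789f0",
        prefix="guardduty")
    print(json.dumps(policy, indent=2))
    print("problems:", check_guardduty_export_policy(policy, "example-gd-findings"))
```

Run it to print a policy you can paste into the bucket's permissions before choosing "Existing bucket - In another account" in the procedure, or feed `check_guardduty_export_policy` the output of `aws s3api get-bucket-policy` to confirm that an existing bucket is scoped to your account and detector rather than open to every GuardDuty tenant.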
What to do next
Configure the data source in the QRadar product.
For more information about adding a data source in the QRadar product, see Adding ingestion data sources.