Amazon AWS CloudTrail

The IBM QRadar DSM for Amazon AWS CloudTrail supports audit events that are collected from Amazon S3 buckets and from a log group in AWS CloudWatch Logs.

The following table lists the specifications for the Amazon AWS CloudTrail DSM:

Table 1. Amazon AWS CloudTrail DSM specifications

Specification | Value
Manufacturer | Amazon
DSM | Amazon AWS CloudTrail
RPM name | DSM-AmazonAWSCloudTrail-QRadar_version-Build_number.noarch.rpm
Supported protocols | 
Event format | Select AWS CloudTrail JSON. The log source retrieves JSON-formatted events. Important: Only log files with the default CloudTrail log file name format can be collected. The file name format is <AccountID>_CloudTrail_<RegionName>_<YYYYMMDDTHHmm>Z_UniqueString.<FileNameFormat>, for example 111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz.
Recorded event types | Event versions 1.0, 1.02, 1.03, 1.04, 1.05, 1.06 and 1.08
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
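Two rows of Table 1 fail silently when they are not met: an object whose name is not in the default CloudTrail format is simply never collected (a file renamed or re-packaged on its way into the bucket disappears from the SIEM without an error), and records carrying an eventVersion outside the listed set are not guaranteed to parse. The following Python script is an added example written for this page; it is not part of the IBM documentation or of the QRadar product. It matches an S3 key or file name against the default name format quoted in Table 1, decodes a gzipped CloudTrail file, and reports records whose eventVersion is outside the versions listed. The character classes used for the region and unique-string parts of the name, the AWSLogs/ key prefix, and the sample records are assumptions constructed for the example.

```python
import gzip
import json
import re
from datetime import datetime, timezone

# Default CloudTrail log file name format, as quoted in Table 1:
#   <AccountID>_CloudTrail_<RegionName>_<YYYYMMDDTHHmm>Z_UniqueString.<FileNameFormat>
# The exact character classes for the region and unique-string parts are an
# assumption for this example; the page only names the fields.
LOG_FILE_NAME_RE = re.compile(
    r"^(?P<account_id>\d{12})"
    r"_CloudTrail_"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"
    r"_(?P<timestamp>\d{8}T\d{4})Z"
    r"_(?P<unique>[A-Za-z0-9]+)"
    r"\.(?P<ext>json(?:\.gz)?)$"
)

# Event versions listed in Table 1 for this DSM.
SUPPORTED_EVENT_VERSIONS = {"1.0", "1.02", "1.03", "1.04", "1.05", "1.06", "1.08"}


def parse_log_file_name(key):
    """Match the last path component of an S3 key or file name against the
    default CloudTrail name format. Returns the parsed fields, or None when
    the name is not in the default format (and so would not be collected)."""
    name = key.rsplit("/", 1)[-1]
    m = LOG_FILE_NAME_RE.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    fields["timestamp"] = datetime.strptime(
        fields["timestamp"], "%Y%m%dT%H%M"
    ).replace(tzinfo=timezone.utc)
    return fields


def load_records(blob):
    """Return the Records list of a CloudTrail log file body, handling the
    .json.gz case by sniffing the gzip magic bytes."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    return json.loads(blob.decode("utf-8")).get("Records", [])


def triage(key, blob):
    """Apply the two checks from Table 1 to one object: default file name
    (otherwise the DSM skips it) and eventVersion within the listed set."""
    fields = parse_log_file_name(key)
    if fields is None:
        return {"collected": False,
                "reason": "file name is not in the default CloudTrail format",
                "records": 0, "unsupported_versions": []}
    records = load_records(blob)
    seen = {r.get("eventVersion", "missing") for r in records}
    return {
        "collected": True,
        "account_id": fields["account_id"],
        "region": fields["region"],
        "logged_at": fields["timestamp"].isoformat(),
        "records": len(records),
        "unsupported_versions": sorted(seen - SUPPORTED_EVENT_VERSIONS),
    }


# Constructed sample input (not real CloudTrail data): the example file name
# from Table 1, an assumed S3 key prefix, and three records, one of them with
# an eventVersion outside the set listed in Table 1.
SAMPLE_NAME = "111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz"
SAMPLE_KEY = "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/01/" + SAMPLE_NAME
SAMPLE_RECORDS = {"Records": [
    {"eventVersion": "1.08", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventVersion": "1.05", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-2"},
    {"eventVersion": "1.09", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "us-east-2"},
]}
SAMPLE_BLOB = gzip.compress(json.dumps(SAMPLE_RECORDS).encode("utf-8"))


if __name__ == "__main__":
    print(triage(SAMPLE_KEY, SAMPLE_BLOB))
    # A file renamed on the way into the bucket is silently not collected:
    print(triage("exports/cloudtrail-2015-08-01.json.gz", SAMPLE_BLOB))
```

Run it against a listing of the bucket or log group the log source reads from before going live: any key for which `parse_log_file_name` returns None will never reach QRadar, and a non-empty `unsupported_versions` list is the signal to check the parsed events in the Log Activity tab rather than assume the DSM handled them.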
More information

For information about VPC Flow logs, see the Amazon website.

For information about configuring QRadar V7.3.2 Fix Pack 1 in AWS Marketplace, see the 732 P1 Console available in AWS Marketplace video.