To create an Amazon AWS S3 REST API Log Source for IBM QRadar, perform the following procedure.
Procedure
- Sign into the QRadar console.
- Go to Admin > QRadar Log Source Management.
- In the pop-up window, click Log Sources.
- Click the +New Log Source button and select Single Log Source.
- In the search field, enter and then select Carbon Black Cloud.
- Click Step 2: Select Protocol Type.
- In the search field, enter and then select Amazon AWS S3 REST API.
- Click Step 3: Configure Log Source Parameters.
- Enter a name for the Log Source in the Name field.
Note:
- Choose a name other than that of the built-in log source CarbonBlackCloudCustom; otherwise filtering events by log source name becomes ambiguous.
- The default value for Coalescing Events is Enabled. When a Log Source emits multiple similar events in a short time span, QRadar aggregates them into a single event whose event count reflects how many events were coalesced. This reduces event storage, but it also means alerts are no longer one-to-one with QRadar events. Disable this option if you want a separate event in QRadar for each alert.
- Click Step 4: Configure Protocol Parameters and set the following:
Log Source Identifier - A unique identifier for this Log Source.
Authentication Method - Access Key ID / Secret Key.
Access Key ID and Secret Key - The Access Key ID and Secret Access Key of the IAM principal that is allowed to read objects from the S3 bucket and to receive and delete messages from the SQS queue. Use a dedicated IAM user limited to those permissions rather than an administrator's keys.
S3 Collection Method - SQS Event Notification.
SQS Queue URL - URL of the SQS queue that receives the bucket's ObjectCreated notifications. Copy it from the queue details in the AWS Management Console.
Region Name - The AWS region in which the S3 bucket and the SQS queue were created.
Event Format - LINEBYLINE. Data Forwarder writes gzip-compressed JSON Lines (.jsonl.gz) files with one event per line.
- Click Step 5: Test Protocol Parameters to verify the configuration.
- In the Admin tab, click Deploy Changes in the Notification pop-up window.
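The procedure above depends on three things that the Test Protocol Parameters step checks as a whole: the keys can receive messages from the queue, each message is an S3 ObjectCreated notification naming a bucket and an object key, and the object is a JSON Lines file that LINEBYLINE can split. The script below, an added example that is not part of the original page or of QRadar or Carbon Black Cloud, performs the same checks from outside QRadar so a failure can be isolated to IAM, SQS, the bucket or the object format. The queue URL, region, bucket name and object key in it are placeholders and the sample messages are constructed; the live check uses the standard AWS credential chain (for example AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), so export the same keys you intend to enter in QRadar.

```python
"""Pre-flight check for the QRadar Amazon AWS S3 REST API protocol with the
SQS Event Notification collection method (added example, not QRadar code).

Parsing helpers are pure so they can be run offline against the constructed
samples below; live_preflight() talks to AWS and needs boto3 plus credentials.
"""
import gzip
import json
import urllib.parse
from typing import Iterator, List, Tuple


def object_refs_from_sqs_message(body: str) -> List[Tuple[str, str]]:
    """Return (bucket, key) pairs from one SQS message body.

    S3 puts a JSON document on the queue for each ObjectCreated event:
    {"Records": [{"eventName": "ObjectCreated:Put",
                  "s3": {"bucket": {"name": ...}, "object": {"key": ...}}}]}
    Object keys in these notifications are URL-encoded ('=' becomes %3D,
    a space becomes '+'), so they must be decoded before a GetObject call.
    The one-off "s3:TestEvent" message S3 sends when the notification is
    configured has no Records and yields an empty list.
    """
    doc = json.loads(body)
    refs = []
    for record in doc.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(record["s3"]["object"]["key"])
        refs.append((bucket, key))
    return refs


def iter_jsonl(blob: bytes) -> Iterator[dict]:
    """Yield one parsed event per line from a JSON Lines blob.

    Data Forwarder objects are gzip-compressed (.jsonl.gz); the gzip magic
    bytes are checked so plain .jsonl is accepted as well. A line that is
    not a JSON document raises ValueError naming the offending line, which
    is the condition under which LINEBYLINE parsing in QRadar would fail.
    """
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    for lineno, line in enumerate(blob.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not a JSON document: {exc}") from exc


def count_events(blob: bytes) -> int:
    """Number of events LINEBYLINE would produce from one object."""
    return sum(1 for _ in iter_jsonl(blob))


# Constructed samples (placeholders, not real data): an ObjectCreated
# notification with a URL-encoded Data Forwarder style key, the TestEvent
# S3 sends once, and a gzip-compressed two-line JSON Lines object.
SAMPLE_SQS_BODY = json.dumps({"Records": [{
    "eventVersion": "2.1", "eventSource": "aws:s3", "awsRegion": "us-east-1",
    "eventName": "ObjectCreated:Put",
    "s3": {"s3SchemaVersion": "1.0",
           "bucket": {"name": "example-cbc-forwarder"},
           "object": {"key": "alerts/org_key%3DABCD1234/year%3D2024/"
                             "month%3D1/day%3D1/part-0.jsonl.gz",
                      "size": 1234}}}]})
SAMPLE_TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                                "Bucket": "example-cbc-forwarder"})
SAMPLE_OBJECT = gzip.compress(
    b'{"type": "CB_ANALYTICS", "severity": 7, "id": "alert-1"}\n'
    b'{"type": "WATCHLIST", "severity": 5, "id": "alert-2"}\n\n')


def live_preflight(queue_url: str, region: str, max_messages: int = 5) -> None:
    """Receive up to max_messages from the queue and inspect the objects they name.

    Messages are deliberately NOT deleted; they become visible again after the
    queue's visibility timeout so QRadar still receives them. Run this before,
    not alongside, QRadar polling, or the two will compete for messages.
    """
    import boto3  # imported lazily so the offline helpers work without it
    sqs = boto3.client("sqs", region_name=region)
    s3 = boto3.client("s3", region_name=region)
    resp = sqs.receive_message(QueueUrl=queue_url,
                               MaxNumberOfMessages=max_messages,
                               WaitTimeSeconds=10)
    for msg in resp.get("Messages", []):
        for bucket, key in object_refs_from_sqs_message(msg["Body"]):
            blob = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
            print(f"s3://{bucket}/{key}: {count_events(blob)} events")


if __name__ == "__main__":
    print(object_refs_from_sqs_message(SAMPLE_SQS_BODY), count_events(SAMPLE_OBJECT))
    # Placeholder queue URL and region; replace with the values used in QRadar.
    # live_preflight("https://sqs.us-east-1.amazonaws.com/123456789012/cbc-queue", "us-east-1")
```

If the offline helpers accept a downloaded object but QRadar's test still fails, the problem is on the credential or queue side (wrong region, a queue URL from a different account, or an IAM policy missing sqs:ReceiveMessage, sqs:DeleteMessage or s3:GetObject on the forwarder prefix); if count_events raises ValueError, the object is not one JSON document per line and LINEBYLINE is the wrong event format for it.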