Amazon AWS CloudTrail
The IBM QRadar DSM for Amazon AWS CloudTrail supports audit events that are collected from Amazon S3 buckets and from a log group in AWS CloudWatch Logs.
The following table lists the specifications for the Amazon AWS CloudTrail DSM:
Specification | Value |
---|---|
Manufacturer | Amazon |
DSM | Amazon AWS CloudTrail |
RPM name | DSM-AmazonAWSCloudTrail-QRadar_version-Build_number.noarch.rpm |
Supported protocols | |
Event format | Select AWS CloudTrail JSON. The log source retrieves JSON-formatted events. Important: Only log files with the default CloudTrail log file name format can be collected. The file name format is <AccountID>_CloudTrail_<RegionName>_<YYYYMMDDTHHmm>Z_UniqueString.<FileNameFormat>. For example, 111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz. |
Recorded event types | Event versions 1.0, 1.02, 1.03, 1.04, 1.05, 1.06 and 1.08 |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | For information about VPC Flow logs, see the Amazon website. For information about configuring QRadar V7.3.2 Fix Pack 1 in AWS Marketplace, see the 732 P1 Console available in AWS Marketplace video. |
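As an added example (not code from the IBM documentation), the following Python check tells you which S3 object names match the default CloudTrail log file name format above and would therefore be collected, and which eventVersion values in a log file fall outside the versions listed as recorded. The regular expression details (12-digit account, region token shape, alphanumeric unique string, json or json.gz suffix) and the sample keys and records are assumptions constructed for the example.

```python
import json
import re

# Default CloudTrail log file name format quoted in the DSM specification:
# <AccountID>_CloudTrail_<RegionName>_<YYYYMMDDTHHmm>Z_UniqueString.<FileNameFormat>
# The concrete patterns (12-digit account, region token shape, alphanumeric
# unique string, json/json.gz suffix) are assumptions made for this example.
CLOUDTRAIL_NAME = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)_"
    r"(?P<ts>\d{8}T\d{4})Z_(?P<unique>[A-Za-z0-9]+)\.(?P<fmt>json(?:\.gz)?)$"
)

# Event versions the specification lists as recorded.
SUPPORTED_EVENT_VERSIONS = {"1.0", "1.02", "1.03", "1.04", "1.05", "1.06", "1.08"}


def parse_log_key(key):
    """Return the name fields of a default-format CloudTrail object, else None.

    Only the final path component is checked; the S3 prefix is not part of
    the file name format.
    """
    m = CLOUDTRAIL_NAME.match(key.rsplit("/", 1)[-1])
    return m.groupdict() if m else None


def unsupported_event_versions(records_json):
    """Return eventVersion values in a log file that the DSM does not list."""
    records = json.loads(records_json).get("Records", [])
    return {r.get("eventVersion") for r in records} - SUPPORTED_EVENT_VERSIONS


# Constructed sample keys: the page's own example name, a renamed export, and
# a constructed digest-style name, which does not match the log file name format.
SAMPLE_KEYS = [
    "AWSLogs/111122223333/CloudTrail/us-east-2/2015/08/01/"
    "111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz",
    "exports/cloudtrail-copy-2015-08-01.json.gz",
    "111122223333_CloudTrail-Digest_us-east-2_20150801T0210Z_Ab12Cd34Ef56Gh78.json.gz",
]
# Constructed log body with one listed and one unlisted event version.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventName": "ConsoleLogin"},
    {"eventVersion": "1.09", "eventName": "AssumeRole"},
]})

if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print("ingest" if parse_log_key(key) else "skip", key.rsplit("/", 1)[-1])
    print("unlisted eventVersion values:", unsupported_event_versions(SAMPLE_LOG))
```

Objects reported as skipped will never appear in QRadar even though they sit in the bucket, so a listing check like this is a quick way to explain a gap in CloudTrail coverage.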