Configuring an Amazon GuardDuty log source by using the Amazon Web Services protocol

If you want to collect Amazon GuardDuty logs from an Amazon CloudWatch log group, configure a log source on the IBM® QRadar® Console so that Amazon GuardDuty can communicate with QRadar by using the Amazon Web Services protocol.

Procedure

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the IBM Support Website (https://www.ibm.com/support/fixcentral) onto your QRadar Console:
    • Protocol Common RPM
    • Amazon Web Services Protocol RPM
    • DSMCommon RPM
    • Amazon GuardDuty DSM RPM
  2. Create and configure an Amazon EventBridge rule to send events from AWS Security Hub to an AWS CloudWatch log group.
  3. Create an Identity and Access Management (IAM) user in the Amazon AWS user interface when you use the Amazon Web Services protocol.
  4. Add a log source for Amazon GuardDuty on the QRadar Console. The following table describes the Amazon Web Services protocol parameters that require specific values for Amazon GuardDuty log collection:
    Table 1. Amazon GuardDuty Web Services protocol parameters

    Log source type

    Amazon GuardDuty

    Protocol configuration

    Amazon Web Services

    Authentication Method

    Access Key ID / Secret Key: Standard authentication that can be used anywhere.

    EC2 Instance IAM Role: If your QRadar managed host is running in an AWS EC2 instance, choose this option to use the IAM Role from the metadata assigned to the instance for authentication. No keys are required.

    Note: This method works only for managed hosts that run within an AWS EC2 instance.
    Access Key ID

    If you selected Access Key ID / Secret Key, the Access Key ID parameter displays.

    The Access Key ID was generated when you configured the security credentials for your AWS user account.

    For more information about configuring the security credentials, see Configuring security credentials for your AWS user account.
    Secret Access Key

    If you selected Access Key ID / Secret Key, the Secret Access Key parameter displays.

    The Secret Key was generated when you configured the security credentials for your AWS user account.

    For more information about configuring the security credentials, see Configuring security credentials for your AWS user account.
    Regions

    Select the check box for each region that is associated with the Amazon Web Service that you want to collect logs from.
    Other Regions

    Type the names of any additional regions that are associated with the Amazon Web Service that you want to collect logs from.

    To collect from multiple regions, use a comma-separated list, such as the following example:

    region1,region2
    AWS Service

    The name of the Amazon Web Service.

    From the AWS Service list, select CloudWatch Logs.
    Log Group

    The name of the log group in Amazon CloudWatch where you want to collect logs from.

    Tip: A single log source can collect CloudWatch logs from only one log group at a time. If you want to collect logs from multiple log groups, create a separate log source for each log group.
    Log Stream (Optional)

    The name of the log stream within a log group that you want to collect logs from.
    Filter Pattern (Optional)

    Type a pattern for filtering the collected events. This pattern is not a regex filter. Only the events that contain the exact value that you specify are collected from CloudWatch Logs.

    If you enter ACCEPT as the Filter Pattern value, only events that contain the word ACCEPT are collected. The following example shows the effect of the ACCEPT value:

    {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}
    Extract Original Event

    CloudWatch Logs wraps each event that it receives with extra metadata. If you want only the original event that was added to the CloudWatch log group to be forwarded to QRadar, select this option. The original event is the value of the Message key that is extracted from the CloudWatch Logs record.

    The following CloudWatch Logs event example shows a wrapped record; the original event that is extracted is the value of the Message key:
    {LogStreamName: guardDutyLogStream,Timestamp: 1519849569827,Message: {"version": "0", "id": "00-00", "detail-type": "GuardDuty Finding", "account": "1234567890", "region": "us-west-2", "resources": [], "detail": {"schemaVersion": "2.0", "accountId": "1234567890", "region": "us-west-2", "partition": "aws", "type": "Behavior:IAMUser/InstanceLaunchUnusual",  "severity": 5.0, "createdAt": "2018-02-28T20:22:26.344Z", "updatedAt": "2018-02-28T20:22:26.344Z"}},IngestionTime: 1519849569862,EventId: 0000}
    Use As A Gateway Log Source

    Do not select this check box.

    Use Proxy

    If QRadar accesses the Amazon Web Service by using a proxy, enable Use Proxy.

    If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

    If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.
    Automatically Acquire Server Certificates

    If you select Yes from the list, QRadar downloads the certificate and begins trusting the target server.

    This function can be used to initialize a newly created log source and obtain certificates initially, or to replace expired certificates.

    EPS Throttle

    The maximum number of events per second that QRadar ingests.

    If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

    The default is 5000.
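As an added illustration that is not part of the IBM documentation, the following Python models the Filter Pattern (literal substring, not regex) and Extract Original Event (value of the Message key) behaviour described in the table, run over constructed CloudWatch Logs records; the function names, and the assumption that the filter is applied to the message text, are mine, not QRadar's.

```python
import json

# Constructed sample events in the CloudWatch Logs record shape shown on this
# page; the second Message is the GuardDuty finding envelope from the page.
SAMPLE_EVENTS = [
    {"logStreamName": "LogStreamTest", "timestamp": 0,
     "message": "ACCEPT OK", "ingestionTime": 0, "eventId": "0"},
    {"logStreamName": "guardDutyLogStream", "timestamp": 1519849569827,
     "message": json.dumps({
         "version": "0", "id": "00-00", "detail-type": "GuardDuty Finding",
         "account": "1234567890", "region": "us-west-2", "resources": [],
         "detail": {"schemaVersion": "2.0", "accountId": "1234567890",
                    "region": "us-west-2", "partition": "aws",
                    "type": "Behavior:IAMUser/InstanceLaunchUnusual",
                    "severity": 5.0,
                    "createdAt": "2018-02-28T20:22:26.344Z",
                    "updatedAt": "2018-02-28T20:22:26.344Z"}}),
     "ingestionTime": 1519849569862, "eventId": "0000"},
]


def matches_filter(event, filter_pattern):
    """Filter Pattern as described above: a literal, case-sensitive substring
    test (not a regex). Assumption: it is applied to the message text."""
    return not filter_pattern or filter_pattern in event["message"]


def unwrap(event, extract_original=True):
    """Extract Original Event: keep only the value of the message key,
    decoded as JSON when it parses; otherwise return the wrapped record."""
    if not extract_original:
        return event
    try:
        return json.loads(event["message"])
    except json.JSONDecodeError:
        return event["message"]


def collect(events, filter_pattern="", extract_original=True):
    """Model of one poll: drop non-matching records, then unwrap the rest."""
    return [unwrap(e, extract_original)
            for e in events if matches_filter(e, filter_pattern)]


def finding_summary(original):
    """Fields an analyst triages first, taken from the finding's 'detail'."""
    d = original.get("detail", {})
    return {"type": d.get("type"), "severity": d.get("severity"),
            "account": d.get("accountId"), "region": d.get("region")}
```

Because the filter is a plain substring test, a pattern such as ACCEPT matches the first record only, while leaving the pattern empty forwards every record in the log group.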