Configuring an Amazon AWS CloudTrail Log Source by using the Amazon AWS REST API Protocol

 

If you want to collect AWS CloudTrail logs from Amazon S3 buckets, configure a log source on the JSA Console so that Amazon AWS CloudTrail can communicate with JSA by using the Amazon AWS REST API protocol.

  1. Install the most recent version of the following RPMs on your JSA Console.

    • Protocol Common RPM

    • Amazon AWS REST API Protocol RPM

    • DSMCommon RPM

    • Amazon Web Service RPM

    • Amazon AWS CloudTrail DSM RPM

  2. Create an Amazon AWS Identity and Access Management (IAM) user and then apply the AmazonS3ReadOnlyAccess policy.

  3. Configure the security credentials for your AWS user account.

  4. Add an Amazon AWS CloudTrail log source on the JSA Console.

    Note

    A log source can retrieve data from only one region. Use a different log source for each region. Include the region folder name in the file path for the Directory Prefix value when you configure the log source.

    The following table describes the parameters that require specific values to collect audit events from Amazon AWS CloudTrail by using the Amazon AWS S3 REST API protocol:

    Table 1: Amazon AWS S3 REST API Log Source Parameters

    Log Source Type
        Amazon AWS CloudTrail

    Protocol Configuration
        Amazon AWS S3 REST API

    Log Source Identifier
        Type a unique name for the log source.

        The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you have more than one Amazon AWS CloudTrail log source configured, you might want to identify the first log source as awscloudtrail1, the second as awscloudtrail2, and the third as awscloudtrail3.

    Signature Version
        Select AWSSIGNATUREV2 or AWSSIGNATUREV4.

        AWSSIGNATUREV2 does not support all Amazon AWS regions. If you are using a region that supports only AWSSIGNATUREV4, you must choose AWSSIGNATUREV4 in the list.

    Region Name (Signature V4 only)
        The region that is associated with the Amazon S3 bucket.

    Bucket Name
        The name of the AWS S3 bucket where the log files are stored.

    Endpoint URL
        The endpoint URL that is used to query the AWS REST API.

        If your endpoint URL is different from the default, type your endpoint URL. The default is https://s3.amazonaws.com

    Authentication Method
        • Access Key ID / Secret Key - Standard authentication that can be used from anywhere.

        • EC2 Instance IAM Role - If your managed host is running on an AWS EC2 instance, choosing this option uses the IAM role from the instance metadata assigned to the instance for authentication; no keys are required. This method works only for managed hosts that are running within an AWS EC2 instance.

    Access Key
        The Access Key ID that was generated when you configured the security credentials for your AWS user account. This value is also the Access Key ID that is used to access the AWS S3 bucket.

    Secret Key
        The Secret Key that was generated when you configured the security credentials for your AWS user account. This value is also the Secret Key that is used to access the AWS S3 bucket.

    Directory Prefix
        The root directory location on the AWS S3 bucket from which the CloudTrail logs are retrieved, for example, AWSLogs/<AccountNumber>/CloudTrail/us-east-1/

        To pull files from the root directory of a bucket, you must use a forward slash (/) in the Directory Prefix file path.

        Note:

        • Changing the Directory Prefix value clears the persisted file marker. All files that match the new prefix are downloaded in the next pull.

        • The Directory Prefix file path cannot begin with a forward slash (/) unless only the forward slash is used to collect data from the root of the bucket.

        • If the Directory Prefix file path is used to specify folders, you must not begin the file path with a forward slash (for example, use folder1/folder2).

    File Pattern
        Type a regex for the file pattern that matches the files that you want to pull; for example, .*?\.json\.gz

    Event Format
        Select AWS Cloud Trail JSON. The log source retrieves JSON formatted events.

    Use Proxy
        When a proxy is configured, all traffic for the log source travels through the proxy so that JSA can access the Amazon AWS S3 buckets.

        Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

    Automatically Acquire Server Certificate(s)
        If you select Yes, JSA automatically downloads the server certificate and begins trusting the target server. You can use this option to initialize a newly created log source, obtain new certificates, or replace expired certificates.

        Select No to download the certificate manually. Complete the following steps:

        • Access your Amazon AWS CloudTrail S3 bucket.

        • Export the certificate as a DER-encoded binary certificate to your desktop system. The file extension must be .DER.

        • Copy the certificate to the /opt/QRadar/conf/trusted_certificates directory on the JSA host where you plan to configure the log source.

    Recurrence
        How often the Amazon AWS S3 REST API protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket, so a smaller recurrence value increases the cost.

        Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 1 minute. The time interval can include values in hours (H), minutes (M), or days (D). For example, 2H = 2 hours, 15M = 15 minutes.

    EPS Throttle
        The upper limit for the maximum number of events per second (EPS). The default is 5000.

  5. To verify that JSA is configured correctly, review the following table to see an example of a parsed event message.
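Before you save the log source, the Directory Prefix, Recurrence and File Pattern values can be checked against the rules given in Table 1. The following Python is an added example, not JSA product code; the S3 object keys and the account number 111122223333 are constructed, and the assumption that the File Pattern is matched against the part of the key below the prefix is mine.

```python
import re

# Pre-configuration checks for the Table 1 parameters (added example, not JSA
# code). Rules come from the Directory Prefix note and the Recurrence text.

def check_directory_prefix(prefix: str):
    """Return None if the Directory Prefix is acceptable, else a reason."""
    if prefix == "/":
        return None                      # lone slash: collect from the bucket root
    if not prefix:
        return "empty prefix; use '/' to collect from the bucket root"
    if prefix.startswith("/"):
        return "folder paths must not begin with '/' (use folder1/folder2)"
    return None

_RECURRENCE = re.compile(r"^\s*(\d+)\s*([HMD])\s*$", re.IGNORECASE)
def recurrence_minutes(value: str) -> int:
    """Parse a Recurrence value such as '2H', '15 M' or '1D' into minutes."""
    m = _RECURRENCE.match(value)
    if not m:
        raise ValueError(f"bad recurrence {value!r}; use <n>H, <n>M or <n>D")
    minutes = int(m.group(1)) * {"M": 1, "H": 60, "D": 1440}[m.group(2).upper()]
    if minutes < 1:
        raise ValueError("the minimum recurrence is 1 minute")
    return minutes

def keys_to_pull(keys, prefix: str, file_pattern: str):
    """Object keys a pull would fetch: those under the prefix whose remainder
    matches the File Pattern regex (assumed here to be a full match)."""
    pat = re.compile(file_pattern)
    root = "" if prefix == "/" else prefix
    return [k for k in keys if k.startswith(root) and pat.fullmatch(k[len(root):])]

# Constructed S3 object keys; 111122223333 is a placeholder account number.
SAMPLE_KEYS = [
    "AWSLogs/111122223333/CloudTrail/us-east-1/2016/05/04/"
    "111122223333_CloudTrail_us-east-1_20160504T1410Z_a1.json.gz",
    "AWSLogs/111122223333/CloudTrail/us-east-1/2016/05/04/"
    "111122223333_CloudTrail_us-east-1_20160504T1415Z_b2.json.gz",
    "AWSLogs/111122223333/CloudTrail/eu-west-1/2016/05/04/"
    "111122223333_CloudTrail_eu-west-1_20160504T1410Z_c3.json.gz",  # other region
    "AWSLogs/111122223333/CloudTrail/us-east-1/README.txt",         # not a log file
]

if __name__ == "__main__":
    prefix = "AWSLogs/111122223333/CloudTrail/us-east-1/"
    print(check_directory_prefix(prefix), recurrence_minutes("15 M"))  # None 15
    print(keys_to_pull(SAMPLE_KEYS, prefix, r".*?\.json\.gz"))  # the two us-east-1 logs
```

The eu-west-1 key is deliberately excluded by the prefix: as the note in step 4 says, one log source collects one region, so a second log source with an eu-west-1 prefix would be needed for it.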

The following table provides a sample event message for the Amazon AWS CloudTrail DSM:

Table 2: Amazon AWS CloudTrail Sample Message Supported by Amazon AWS CloudTrail

Event name: Console Login

Low-level category: General Audit Event

Sample log message:

{"eventVersion":"1.02",
"userIdentity":{"type":"IAMUser",
"principalId":"AIDAI56UNJ5SGCUDUOZEE",
"arn":"arn:aws:iam::005166929:user/xx.xx",
"accountId":"05166929","userName":"x.x"},
"eventTime":"2016-05-04T14:10:58Z",
"eventSource":"f.amazonaws.com",
"eventName":"ConsoleLogin",
"awsRegion":"us-east-1",
"sourceIPAddress":"1.1.1.1",
"userAgent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.1.1 Safari/537.36",
"requestParameters":null,
"responseElements":{"ConsoleLogin":"Success"},
"additionalEventData":{"LoginTo":"www.webpage.com","MobileVersion":"No","MFAUsed":"No"},
"eventID":"e1866735-ea8b-4e66-be1a-8067dafe9898",
"eventType":"AwsConsoleSignIn",
"recipientAccountId":"237005166922"}
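To see what the log source actually downloads and what Table 2 summarizes, this added Python example (not JSA code) unpacks a constructed CloudTrail log file of the kind matched by .*?\.json\.gz, which is a gzip-compressed {"Records": [...]} envelope, and extracts the fields from its console sign-in record. The account ID, IP address, user name and event ID in the record are placeholders.

```python
import gzip
import json

# Added example, not JSA code: unpack a CloudTrail log file as stored in S3
# (gzip-compressed {"Records": [...]}) and summarize its console sign-ins.

def records_from_log_file(data: bytes) -> list:
    """Return the individual event records from one <name>.json.gz object."""
    return json.loads(gzip.decompress(data)).get("Records", [])

def summarize_console_login(record: dict) -> dict:
    """Pull the fields a reviewer checks first from a ConsoleLogin record."""
    success = (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    mfa_used = (record.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
    return {
        "event_name": record["eventName"],
        "low_level_category": "General Audit Event",   # mapping shown in Table 2
        "user": record["userIdentity"].get("userName"),
        "source_ip": record["sourceIPAddress"],
        "region": record["awsRegion"],
        "success": success,
        "mfa_used": mfa_used,
        # a successful console sign-in without MFA deserves a second look
        "review": success and not mfa_used,
    }

# Constructed record in the shape of the Table 2 sample; account ID, IP,
# user name and event ID are placeholders.
SAMPLE_RECORD = {
    "eventVersion": "1.02",
    "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID",
                     "arn": "arn:aws:iam::111122223333:user/alice",
                     "accountId": "111122223333", "userName": "alice"},
    "eventTime": "2016-05-04T14:10:58Z", "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
    "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
    "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"LoginTo": "https://console.aws.amazon.com/",
                            "MobileVersion": "No", "MFAUsed": "No"},
    "eventID": "00000000-0000-0000-0000-000000000000",
    "eventType": "AwsConsoleSignIn", "recipientAccountId": "111122223333",
}

# The compressed envelope the log source would download (built in memory here).
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": [SAMPLE_RECORD]}).encode())

if __name__ == "__main__":
    for rec in records_from_log_file(SAMPLE_LOG_FILE):
        print(summarize_console_login(rec))
```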

Creating an Identity and Access Management (IAM) User in the Amazon AWS User Interface when using the Amazon AWS REST API Protocol

An Amazon administrator must create a user and then apply the AmazonS3ReadOnlyAccess policy in the Amazon AWS user interface. The JSA user can then create a log source in JSA.

Note

Alternatively, you can assign more granular permissions to the bucket. The minimum required permissions are s3:listBucket and s3:getObject

  1. Create a user:
    1. Log in to the Amazon AWS user interface as administrator.

    2. Create an Amazon AWS IAM user and then apply the AmazonS3ReadOnlyAccess policy.

  2. Find the S3 bucket name and directory prefix that you use to configure a log source in JSA:
    1. Click Services.

    2. From the list, select CloudTrail.

    3. From the Trails page, click the name of the trail.

    4. Note the name of the S3 bucket that is displayed in the S3 bucket field.

    5. Click the Edit icon.

    6. Click the Advanced > icon.

    7. Note the location path for the S3 bucket that is displayed below the Log file prefix field.

The JSA user is ready to configure the log source in JSA. The S3 bucket name is the value for the Bucket Name field. The location path for the S3 bucket is the value for the Directory Prefix field.
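The note above allows a narrower grant than AmazonS3ReadOnlyAccess. The following added Python example (not JSA or AWS code) builds such a policy from the bucket name and Directory Prefix found in this procedure, limiting the JSA IAM user to s3:ListBucket on the bucket and s3:GetObject on the collected prefix; the bucket name and account number are placeholders.

```python
import json

# Added example, not JSA or AWS code: a least-privilege alternative to the
# AmazonS3ReadOnlyAccess policy, scoped to the trail's bucket and prefix.

def cloudtrail_reader_policy(bucket: str, prefix: str) -> dict:
    """Build an IAM policy allowing only s3:ListBucket and s3:GetObject
    on the CloudTrail objects under `prefix` in `bucket`."""
    if prefix.startswith("/") and prefix != "/":
        raise ValueError("Directory Prefix must not begin with '/'")
    root = "" if prefix == "/" else prefix          # "/" means the whole bucket
    get_stmt = {
        "Sid": "GetCloudTrailObjects",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/{root}*",  # objects below the prefix
    }
    list_stmt = {
        "Sid": "ListCloudTrailPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",          # ListBucket targets the bucket ARN
    }
    if root:
        # Only allow listing requests whose prefix parameter stays under the
        # collected folder; no condition is needed when the root is collected.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{root}*"]}}
    return {"Version": "2012-10-17", "Statement": [get_stmt, list_stmt]}

if __name__ == "__main__":
    # Placeholder bucket and account number; use the values noted in step 2.
    policy = cloudtrail_reader_policy("example-cloudtrail-bucket",
                                      "AWSLogs/111122223333/CloudTrail/us-east-1/")
    print(json.dumps(policy, indent=2))
```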