Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol

If you want to collect Amazon GuardDuty findings when you use an AWS S3 Bucket, add a log source in JSA by using the Amazon AWS S3 REST API protocol.

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:
    • Protocol Common RPM

    • Amazon AWS REST API Protocol RPM

    • DSMCommon RPM

    • Amazon GuardDuty DSM RPM

  2. Configure Amazon GuardDuty to forward events to an AWS S3 Bucket.
  3. Use the following table to set the parameters for an Amazon AWS CloudTrail log source that uses the Amazon AWS S3 REST API protocol.
    Table 1: Amazon AWS S3 REST API Protocol Log Source Parameters

    Log Source Type
      Amazon AWS GuardDuty

    Protocol Configuration
      Amazon AWS S3 REST API

    Authentication Method
      Select one of the following methods:

      • Access Key ID / Secret Key: Standard authentication that can be used from anywhere. For more information about configuring security credentials, see Configuring Security Credentials for your AWS User Account.

      • EC2 Instance IAM Role: If your JSA managed host is running in an AWS EC2 instance, choose this option to authenticate with the IAM Role that is assigned to the instance through its metadata. No keys are required.

      Note: This method works only for managed hosts that are running within an AWS EC2 container.

    Access Key ID
      If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter.

      The Access Key ID that was generated when you configured the security credentials for your AWS user account.

      For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account.

    Secret Key
      If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter.

      The Secret Key that was generated when you configured the security credentials for your AWS user account. This value is also the Secret Key ID that is used to access the AWS S3 bucket.

      For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account.

    S3 Collection Method
      Select one of the following collection methods:

      • SQS Event Notifications

      • Use a Specific Prefix - Single Account/Region Only

    SQS Queue URL
      If you selected SQS Event Notifications for the S3 Collection Method, configure this parameter.

      The full URL of the SQS queue, beginning with https://, that receives notifications for ObjectCreated events from S3. For example, https://sqs.us-east-2.amazonaws.com/1234567890123/CloudTrail_SQS_QRadar

      For more information, see Configuring Amazon S3 event notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html).

      To ensure that all data is processed and that messages are deleted from the queue after the files are successfully processed, this log source must be the only consumer of the queue.

    Bucket Name
      If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter.

      The name of the AWS S3 bucket where the log files are stored.

    Directory Prefix
      If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter.

      The root directory location on the AWS S3 bucket from where the CloudTrail logs are retrieved; for example, AWSLogs/<AccountNumber>/CloudTrail/<RegionName>/

      To pull files from the root directory of a bucket, use a single forward slash (/) as the Directory Prefix file path.

      Note:
      • Changing the Directory Prefix value clears the persisted file marker. All files that match the new prefix are downloaded in the next pull.

      • The Directory Prefix file path cannot begin with a forward slash (/) unless only the forward slash is used to collect data from the root of the bucket.

      • If the Directory Prefix file path specifies folders, do not begin the file path with a forward slash (for example, use folder1/folder2).

    Region Name
      The region that the SQS Queue or the S3 Bucket is in.

      Example: us-east-1, eu-west-1, ap-northeast-3

    Event Format
      Select LINEBYLINE. The log files that are collected contain one record per line.

      Compression with gzip (.gz or .gzip) and zip (.zip) is supported.

    Use as a Gateway Log Source
      Do not enable this option.

    Use Proxy
      If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy.

      If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

      If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

    Automatically Acquire Server Certificate
      If you select Yes from the list, JSA downloads the certificate and begins trusting the target server.

    EPS Throttle
      The maximum number of events per second (EPS) that this log source is allowed to reach. The default is 5000.

      If EPS Throttle is left blank, JSA imposes no limit. Ensure that the EPS Throttle value is higher than the incoming rate, or data processing might fall behind.
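The SQS Event Notifications collection path and the Directory Prefix rules from Table 1, as an added example that is not part of the Juniper documentation or the JSA protocol code. The bucket name, account number, object key and findings lines are constructed samples, and the region check mirrors the Region Name requirement rather than any documented JSA behaviour.

```python
# Added example (not from the Juniper JSA page or product): an offline model of the
# SQS Event Notifications collection path and the Directory Prefix rules in Table 1.
import gzip
import json
import urllib.parse

def validate_directory_prefix(prefix: str) -> bool:
    """'/' alone means the bucket root; any other prefix must not start with '/'."""
    if prefix == "/":
        return True
    return bool(prefix) and not prefix.startswith("/")

def parse_sqs_queue_url(url: str) -> dict:
    """Split https://sqs.<region>.amazonaws.com/<account>/<queue> so the queue's
    region can be compared with the log source's Region Name."""
    parts = urllib.parse.urlparse(url)
    if parts.scheme != "https" or not parts.netloc.startswith("sqs."):
        raise ValueError("SQS Queue URL must be the full https:// queue URL")
    region = parts.netloc.split(".")[1]
    account, queue = parts.path.strip("/").split("/", 1)
    return {"region": region, "account": account, "queue": queue}

def objects_from_notification(message: str, region: str) -> list:
    """Return (bucket, key) for ObjectCreated records in one S3 event notification
    delivered through SQS, skipping records from another region. S3 URL-encodes
    object keys in notifications, so they are decoded here."""
    found = []
    for rec in json.loads(message).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue
        if rec.get("awsRegion") != region:
            continue
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        found.append((rec["s3"]["bucket"]["name"], key))
    return found

def read_linebyline(blob: bytes) -> list:
    """LINEBYLINE format: one record per line; a gzip (.gz) file is unpacked first."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic bytes
        blob = gzip.decompress(blob)
    return [line for line in blob.decode("utf-8").splitlines() if line.strip()]

# Constructed samples: one SQS-delivered S3 notification and one gzip'd findings file.
SAMPLE_MESSAGE = json.dumps({"Records": [{
    "eventSource": "aws:s3", "awsRegion": "us-east-2", "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-guardduty-bucket"},
           "object": {"key": "AWSLogs/123456789012/GuardDuty/us-east-2/findings+1.jsonl.gz"}}}]})
SAMPLE_GZ = gzip.compress(b'{"id":"f1","severity":5}\n{"id":"f2","severity":8}\n')
```

Running the functions over the samples shows why a queue in a different region, or a prefix that starts with a slash, yields no files: the records are filtered out before any object is fetched.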