Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol
If you want to collect Amazon GuardDuty findings when you use an AWS S3 Bucket, add a log source in JSA by using the Amazon AWS S3 REST API protocol.
- If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA Console:
  - Protocol Common RPM
  - Amazon AWS REST API Protocol RPM
  - DSMCommon RPM
  - Amazon GuardDuty DSM RPM
- Configure Amazon GuardDuty to forward events to an AWS S3 Bucket.
- Use the following table to set the parameters for an Amazon AWS CloudTrail log source that uses the Amazon AWS S3 REST API protocol.
Table 1: Amazon AWS S3 REST API Protocol Log Source Parameters

| Parameter | Description |
| --- | --- |
| Log Source Type | Amazon AWS GuardDuty |
| Protocol Configuration | Amazon AWS S3 REST API |
| Authentication Method | Select one of the following. Access Key ID / Secret Key: standard authentication that can be used from anywhere. For more information about configuring security credentials, see Configuring Security Credentials for your AWS User Account. EC2 Instance IAM Role: if your JSA managed host is running in an AWS EC2 instance, choose this option to use the IAM Role from the metadata that is assigned to the instance for authentication. No keys are required. Note: this method works only for managed hosts that are running within an AWS EC2 container. |
| Access Key ID | If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter. The Access Key ID that was generated when you configured the security credentials for your AWS user account. For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account. |
| Secret Key | If you selected Access Key ID / Secret Key for the Authentication Method, configure this parameter. The Secret Key that was generated when you configured the security credentials for your AWS user account. This value is also the Secret Key ID that is used to access the AWS S3 bucket. For more information about configuring the security credentials, see Configuring Security Credentials for your AWS User Account. |
| S3 Collection Method | Select one of the following collection methods: SQS Event Notifications, or Use a Specific Prefix - Single Account/Region Only. |
| SQS Queue URL | If you selected SQS Event Notifications for the S3 Collection Method, configure this parameter. This field uses the full URL of the SQS queue, beginning with https://, that receives notifications for ObjectCreate events from S3. For example, https://sqs.us-east-2.amazonaws.com/1234567890123/CloudTrail_SQS_QRadar. For more information, see Configuring Amazon S3 event notifications (https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html). To ensure that all data is processed and messages are deleted from the queue after the files are successfully processed, this configuration must be the only consumer of this queue. |
| Bucket Name | If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter. The name of the AWS S3 bucket where the log files are stored. |
| Directory Prefix | If you selected Use a Specific Prefix - Single Account/Region Only for the S3 Collection Method, configure this parameter. The root directory location on the AWS S3 bucket from where the CloudTrail logs are retrieved; for example, AWSLogs/<AccountNumber>/CloudTrail/<RegionName>/. To pull files from the root directory of a bucket, you must use a forward slash (/) in the Directory Prefix file path. Note: changing the Directory Prefix value clears the persisted file marker, and all files that match the new prefix are downloaded in the next pull. The Directory Prefix file path cannot begin with a forward slash (/) unless only the forward slash is used to collect data from the root of the bucket. If the Directory Prefix file path is used to specify folders, do not begin the file path with a forward slash (for example, use folder1/folder2). |
| Region Name | The region that the SQS Queue or the S3 Bucket is in. Example: us-east-1, eu-west-1, ap-northeast-3 |
| Event Format | Select LINEBYLINE. The log files that are collected contain one record per line. Compression with gzip (.gz or .gzip) and zip (.zip) is supported. |
| Use as a Gateway Log Source | Do not enable this option. |
| Use Proxy | If JSA accesses the Amazon Web Service by using a proxy, enable Use Proxy. If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields. |
| Automatically Acquire Server Certificate | If you select Yes from the list, JSA downloads the certificate and begins trusting the target server. |
| EPS Throttle | The maximum number of events per second (EPS) that this log source is allowed to send. The default is 5000. If EPS Throttle is left blank, no limit is imposed by JSA. Ensure that the EPS Throttle value is higher than the incoming rate or data processing might fall behind. |
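The SQS Event Notifications collection method in the table above, as an added illustration that is not part of the Juniper documentation or the JSA protocol code: a simulated receive cycle that fetches the gzipped, LINEBYLINE objects named in an S3 ObjectCreated notification and deletes the queue message only after every object was parsed, which is the reason the log source must be the queue's only consumer. The in-memory bucket and queue, the bucket name, the object key and the finding records are all constructed; a real deployment would use boto3 against SQS and S3.

```python
import gzip
import io
import json
from urllib.parse import unquote_plus

# Constructed in-memory stand-ins for the S3 bucket and the SQS queue (no network, no boto3).
BUCKET = {}  # (bucket name, object key) -> raw object bytes
QUEUE = []   # SQS messages: {"ReceiptHandle": ..., "Body": ...}


def put_finding_file(bucket, key, findings):
    """Store gzipped findings, one JSON record per line, and emit the S3 ObjectCreated notification."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:
        gz.write(("\n".join(json.dumps(f) for f in findings) + "\n").encode())
    BUCKET[(bucket, key)] = buf.getvalue()
    body = {"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket},
                                # S3 URL-encodes keys in notifications (simplified here: spaces only)
                                "object": {"key": key.replace(" ", "+")}}}]}
    QUEUE.append({"ReceiptHandle": f"rh-{len(QUEUE)}", "Body": json.dumps(body)})


def parse_linebyline(data, key):
    """Event Format LINEBYLINE: one record per line; .gz/.gzip objects are decompressed first."""
    if key.endswith((".gz", ".gzip")):
        data = gzip.decompress(data)
    return [json.loads(line) for line in data.decode().splitlines() if line.strip()]


def poll_once():
    """One receive cycle: fetch every object named in the first queued message, then delete it.
    If parsing raises, the message stays queued (as a real one reappears after its visibility
    timeout). Another consumer deleting messages first would silently lose those files."""
    if not QUEUE:
        return []
    msg = QUEUE[0]
    records = []
    # S3 sends an "s3:TestEvent" message without "Records" when notifications are configured.
    for rec in json.loads(msg["Body"]).get("Records", []):
        if rec.get("eventSource") != "aws:s3" or not rec.get("eventName", "").startswith("ObjectCreated"):
            continue  # only object-creation events name a new file to download
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])
        records.extend(parse_linebyline(BUCKET[(bucket, key)], key))
    QUEUE.pop(0)  # DeleteMessage, only after successful processing
    return records
```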
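The Directory Prefix rules and the persisted file marker from the table above, as an added simulation that is not Juniper's code: a prefix is normalised according to the three rules (a lone "/" means the bucket root, any other value must not start with "/"), matching keys are pulled in order behind a marker, and changing the prefix clears that marker so the next pull re-downloads everything under the new prefix. The object keys are constructed for the example.

```python
# Constructed object keys standing in for an S3 ListObjects result (no network).
OBJECT_KEYS = [
    "AWSLogs/111122223333/GuardDuty/us-east-1/2024/01/01/a.jsonl.gz",
    "AWSLogs/111122223333/GuardDuty/us-east-1/2024/01/02/b.jsonl.gz",
    "AWSLogs/111122223333/GuardDuty/eu-west-1/2024/01/01/c.jsonl.gz",
    "other/readme.txt",
]


def normalize_prefix(prefix):
    """Directory Prefix rules: '/' alone selects the bucket root (an empty S3 prefix);
    any other value must not begin with '/' (use folder1/folder2, not /folder1/folder2)."""
    if prefix == "/":
        return ""
    if prefix.startswith("/"):
        raise ValueError("Directory Prefix may not begin with '/' unless it is exactly '/'")
    return prefix


class PrefixPoller:
    """Simulates the 'Use a Specific Prefix' collection method with a persisted file marker."""

    def __init__(self, prefix):
        self.prefix = normalize_prefix(prefix)
        self.marker = None  # last key downloaded; persisted between pulls

    def set_prefix(self, prefix):
        """Reconfigure the prefix; a changed value clears the marker, so the next pull starts over."""
        new = normalize_prefix(prefix)
        if new != self.prefix:
            self.prefix = new
            self.marker = None

    def pull(self):
        """Return the keys under the prefix that are newer than the marker, then advance it."""
        keys = sorted(k for k in OBJECT_KEYS if k.startswith(self.prefix))
        if self.marker is not None:
            keys = [k for k in keys if k > self.marker]
        if keys:
            self.marker = keys[-1]
        return keys
```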