IBM QRadar

I was looking for an integration between QRadar and AWS CloudFront on IBM Docs, but I didn't find anything.

However, there is a way to get CloudTrail logs from S3 bucket. Thus, is it possible to get CloudFront logs from S3 also?

QRadar has Amazon AWS S3 REST API protocol using which you should be able to pull those logs from S3 bucket but it may not parse as there is no supported DSM available for cloudfront as of now.

You may need to create a custom DSM to parse those events.

Let me know how it goes.

It works!

I created a Log Source Type called "Amazon AWS CloudFront", and created a Log Source for my CloudFront logs, setting AWS S3 REST API protocol and specified the SQS parameters to configure the log collection. It worked just fine!

Now, the next step is to parse the logs using the new DSM I created. The good part is that the log uses "\t" to separate the fields. So it's easier to parse.

In the AWS CloudFront documentation, we can see everything we need to do that:

Configuring and using standard logs (access logs) - Amazon CloudFront

Glad to hear that you made it work. Good job!! 👍 ​