Hi QRadar Community,
Firstly, I’d like to give a shout-out to my teammate Amir Rached for his help with this post! Anyway, just stopping by to let you all know about an update to our AWS Guard Duty integration.
We’ve recently expanded the scope of our integration to allow Guard Duty data to be ingested into QRadar via S3 buckets. With this update, AWS users may send their Guard Duty logs to an S3 bucket and then use either SQS or a directory prefix with our AWS S3 REST API protocol to ingest this data into QRadar. AWS users are still able to send their Guard Duty logs to QRadar via CloudWatch and use our Amazon Web Services protocol. See below for a super simplified visualization of the pathways available.
[Figure: Simplified example pathway for sending Guard Duty Logs to QRadar]
I’ve recently had several conversations around the differences between directory prefix and SQS and would like to share some considerations to take into account when deciding which is optimal for a particular environment:
- Scalability: SQS is multi-region; directory prefix is not.
- Reliability: Several of our users have shared that they find SQS to be more reliable because it does not depend on a particular file name.
- Cost: SQS has a small associated cost, although it is negligible.
For these reasons, I’d recommend using SQS where possible for reliability and scalability.
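To make the SQS-versus-prefix difference concrete, here is an added example (not IBM's or QRadar's own code) that parses a constructed S3 event notification of the kind an SQS queue delivers when objects land in the bucket, and contrasts it with a fixed-prefix filter. The bucket name, account ID and the GuardDuty export key layout are assumptions used for the sample data.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample SQS message body in the S3 event notification format
# ("s3:ObjectCreated:*"). Bucket, account id and key layout are placeholders;
# the AWSLogs/<account>/GuardDuty/<region>/... layout is an assumption.
SAMPLE_SQS_BODY = json.dumps({
    "Records": [
        {"eventSource": "aws:s3", "awsRegion": "us-east-1",
         "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-guardduty-bucket"},
                "object": {"key": "AWSLogs/123456789012/GuardDuty/us-east-1/2024/01/15/a1.jsonl.gz"}}},
        {"eventSource": "aws:s3", "awsRegion": "eu-west-1",
         "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "example-guardduty-bucket"},
                "object": {"key": "AWSLogs/123456789012/GuardDuty/eu-west-1/2024/01/15/b2+c3.jsonl.gz"}}},
        {"eventSource": "aws:s3", "awsRegion": "us-east-1",
         "eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "example-guardduty-bucket"},
                "object": {"key": "AWSLogs/123456789012/GuardDuty/us-east-1/2023/12/31/old.jsonl.gz"}}},
    ]
})


def objects_from_sqs_message(body):
    """Return (region, bucket, key) for each ObjectCreated record.

    The consumer learns about every new object from the event itself, whatever
    region it came from and however it is named, which is why the SQS path does
    not depend on file naming. Keys in S3 events are URL-encoded, so decode them.
    """
    found = []
    for rec in json.loads(body).get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            continue
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue  # ignore deletes and other non-create events
        key = unquote_plus(rec["s3"]["object"]["key"])
        found.append((rec["awsRegion"], rec["s3"]["bucket"]["name"], key))
    return found


def objects_under_prefix(keys, prefix):
    """Directory-prefix style: only keys under one fixed prefix are picked up.

    A prefix that embeds a region (as the assumed layout does) silently misses
    objects written for any other region, which is the scalability limit above.
    """
    return [k for k in keys if k.startswith(prefix)]
```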
Thanks for reading!
Offering Manager - QRadar Integrations & WinCollect