IBM Security QRadar

#BeyondTheDSMGuide: Update to QRadar/AWS Guard Duty Integration

By Wendy Willner posted Sun February 14, 2021 01:54 PM


Hi QRadar Community,

Firstly, I’d like to give a shout out to my teammate Amir Rached for his help with this post! Anyway, just stopping by to let you all know about an update to our AWS Guard Duty integration.

We’ve recently expanded the scope of our integration so that Guard Duty data can be ingested into QRadar via S3 buckets. With this update, AWS users may send their Guard Duty logs to an S3 bucket and then use either SQS or a directory prefix with our Amazon AWS S3 REST API protocol to ingest that data into QRadar. AWS users are still able to send their Guard Duty logs to QRadar via CloudWatch and use our Amazon Web Services protocol. See below for a super simplified visualization of the pathways available.

[Figure] Simplified example pathway for sending Guard Duty logs to QRadar

I’ve recently had several conversations about the differences between directory prefix and SQS, and would like to share some considerations to take into account when deciding which is optimal for a particular environment:

  1. Scalability: SQS is multi-region; directory prefix is not.
  2. Reliability: Several of our users have shared that they find SQS more reliable because it does not rely on a particular file name.
  3. Cost: SQS has a small associated cost, although it is negligible.

For these reasons, I’d recommend using SQS where possible for reliability and scalability.
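To make the SQS versus directory prefix trade-off concrete, here is an added Python illustration (it is not QRadar's own code and does not show how the protocol is implemented internally): it parses a constructed S3 event notification as SQS would deliver it and contrasts that with prefix-based discovery. Every account ID, bucket name and object key is made up; the key layout only imitates the GuardDuty export convention.

```python
import json
from urllib.parse import unquote_plus

# Constructed sample: one SQS message body with S3 event notifications for objects
# written to a shared findings bucket from two regions. Account, bucket and file
# names are invented; the third key shows the URL-encoding S3 applies to keys.
SAMPLE_SQS_BODY = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-findings-bucket"},
            "object": {"key": "AWSLogs/123456789012/GuardDuty/us-east-1/2021/02/14/a1b2.jsonl.gz"}}},
    {"eventName": "ObjectCreated:Put", "awsRegion": "eu-west-1",
     "s3": {"bucket": {"name": "example-findings-bucket"},
            "object": {"key": "AWSLogs/123456789012/GuardDuty/eu-west-1/2021/02/14/c3d4.jsonl.gz"}}},
    {"eventName": "ObjectCreated:Put", "awsRegion": "us-east-1",
     "s3": {"bucket": {"name": "example-findings-bucket"},
            "object": {"key": "exports/manual/guardduty+2021-02-14.jsonl.gz"}}},
]})


def objects_from_sqs(body):
    """Return (region, bucket, key) for every created object in one SQS message.
    The notification carries the exact key, so discovery does not depend on the
    file name layout, and one queue can serve buckets in several regions."""
    found = []
    for rec in json.loads(body).get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # ignore deletes and other non-creation events
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys ('+' is a space)
        found.append((rec["awsRegion"], rec["s3"]["bucket"]["name"], key))
    return found


def objects_from_prefix(listing, prefix):
    """Prefix-style discovery: list one bucket in one region and keep keys that
    start with the configured directory prefix; anything written under a
    different layout is silently missed."""
    return [key for key in listing if key.startswith(prefix)]


def regions_covered(objects):
    return sorted({region for region, _, _ in objects})


if __name__ == "__main__":
    via_sqs = objects_from_sqs(SAMPLE_SQS_BODY)
    listing = [key for _, _, key in via_sqs]  # the same objects as a bucket listing would show them
    via_prefix = objects_from_prefix(listing, "AWSLogs/123456789012/GuardDuty/us-east-1/")
    print("SQS delivered", len(via_sqs), "objects across", regions_covered(via_sqs))
    print("prefix scan of the us-east-1 path found", len(via_prefix), "object(s)")
```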

Thanks for reading!

Wendy Willner
Offering Manager - QRadar Integrations & WinCollect