IBM Security QRadar

#BeyondTheDSMGuide QRadar S3 Integration with an SQS Queue

By Wendy Willner posted Fri March 12, 2021 02:09 PM


Hi QRadar Community,

QRadar has many out of the box integrations. Today I’d like to take this opportunity to do a spotlight on the mechanics of our integration with AWS Simple Storage Service (S3) Buckets into QRadar. AWS/QRadar users can leverage this integration to ingest data into QRadar that is stored in their S3 buckets.


This integration leverages the QRadar S3 Rest API Protocol.  As a reminder, at a high- level a “protocol” is a mechanism for bringing data into QRadar. This integration can be done using the Directory Prefix or  SQS Queue. Today, I’ll be specifically focused on leveraging SQS for this integration.




Many AWS services (i.e.: Guard Duty) publish data to S3 buckets and S3 buckets are used to store this data. S3 has a feature to notify users when certain events happen in their S3 buckets. These on notifications include “new object created” events.


SQS is a fully managed messaging service provided by AWS and is a supported destination of S3 notifications.

Integration mechanics:


  1. A user creates a S3 bucket.
  2. The user configures paths within bucket to publish notifications to SQS.
  3. Data is added to the bucket by an AWS service.
  4. The bucket publishes a notification to SQS indicating that data has been added to the S3 bucket and where it is stored within the bucket.
  5. QRadar pulls the S3 notification from an SQS queue.  The notification contains information about where that data is.
  6. QRadar leverages our QRadar S3 Rest API  Protocol and the notification information provided by SQS to pull the data from the S3 bucket into QRadar for analysis.
  7. The S3 notification message that QRadar pulled from the SQS, which indicated where the data was located, is removed from the queue.

See below for image!

Don’t forget to check out all of our cloud related content on the IBM Security App Exchange!