IBM Security QRadar


Log Source for Amazon API Gateway

  • 1.  Log Source for Amazon API Gateway

    Posted Fri February 24, 2023 08:31 AM

    Hello...

    Can anyone help me with the best way to integrate AWS API Gateway logs with QRadar?

    The logs are being generated by CloudWatch (but I can also point to the S3 API).

    What type of Log Source should I use, and what is the best protocol?

    I have just these on my QRadar:

    Thank you for the help!



    ------------------------------
    Ederson Chimbida
    ------------------------------



  • 2.  RE: Log Source for Amazon API Gateway

    Posted Fri February 24, 2023 02:33 PM

    I responded to this first on Reddit, as I saw it pop up from my phone, but I'll copy the contents of my post here as well.

    --- from Reddit ---

    There is no 'Amazon API Gateway' DSM at this time. So, what you'd need to do is create a new Log Source Type in the DSM Editor. You can collect the events with the Amazon Web Services protocol.

    1. Enable CloudWatch logs for API Gateway events.

    2. Create a new Log Source Type in QRadar to use the Amazon Web Services protocol (see this article for the protocol parameters).

    3. Add log source and fill out the parameters in the LSM app.

    4. After the events are retrieved, you can use the DSM Editor to override parsing, map events, and create custom properties as required.

    Edit: I took a quick look and there is an open feature request for an Amazon API Gateway DSM. However, it is marked "For Future Consideration". I would recommend that you log in and vote up this issue: https://ibmsecurity.ideas.ibm.com/ideas/SIEMCORE-I-3370 as the more users who vote on an issue, the higher it is ranked in the developer schedule. I recommend you create your own custom Log Source Type for now, then use the official DSM when it is created.

     



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
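
Added example, not part of either post and not IBM code: a prototype of the field extraction that step 4 of the reply would later be configured in the DSM Editor, run over constructed API Gateway access log lines to see which payloads would stay unparsed. It assumes the stage's access log format is a JSON template of `$context` variables; the key names, the category names and the sample lines are this example's own.

```python
import json

# Constructed sample payloads (not from the thread). Assumes a JSON access log
# format built from $context variables; key names are this example's choice.
SAMPLE_EVENTS = [
    '{"requestId":"req-0001","ip":"198.51.100.7","httpMethod":"GET",'
    '"resourcePath":"/orders/{id}","status":"200"}',
    '{"requestId":"req-0002","ip":"203.0.113.9","httpMethod":"POST",'
    '"resourcePath":"/login","status":"403"}',
    '{"requestId":"req-0003","ip":"203.0.113.9","httpMethod":"GET",'
    '"resourcePath":"/orders","status":"502"}',
    '{"requestId":"req-0004","ip":"203.0.113.9","httpMethod":"GET",'
    '"resourcePath":"/orders","status":"-"}',  # "-" stands for a missing value
    'not a JSON access log line',
]
REQUIRED = ("requestId", "ip", "httpMethod", "resourcePath", "status")

def status_category(status):
    """Hypothetical event category derived from the HTTP status class."""
    if status >= 500:
        return "ServerError"
    if status >= 400:
        return "ClientError"
    return "Success"

def normalize(raw):
    """Return the fields to map, or None when the payload cannot be parsed."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or any(k not in event for k in REQUIRED):
        return None
    if not str(event["status"]).isdigit():
        return None
    status = int(event["status"])
    return {
        "event_id": str(status),
        "event_category": status_category(status),
        "source_ip": event["ip"],
        "request": f'{event["httpMethod"]} {event["resourcePath"]}',
        "request_id": event["requestId"],
    }

def summarize(lines):
    """Split payloads into normalized events and a count of unparsed ones."""
    results = [normalize(line) for line in lines]
    parsed = [r for r in results if r is not None]
    return parsed, len(results) - len(parsed)
```
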