IBM QRadar


Qradar - Amazon API Gateway Logs Integration

  • 1.  Qradar - Amazon API Gateway Logs Integration

    Posted Fri February 24, 2023 08:31 AM

    Hello...

    Can anyone help me with the best way to integrate AWS API Gateway logs with QRadar?

    The logs are being generated by CloudWatch (but I can also point to the S3 API).

    What type of Log Source should I use, and what is the best protocol?

    I have just these on my QRadar:

    Thank you for the help.



    ------------------------------
    Ederson Chimbida
    ------------------------------


  • 2.  RE: Qradar - Amazon API Gateway Logs Integration

    Posted Tue October 15, 2024 12:51 PM

    Hi,

    This is what we did, and it served our purpose:

    • "Amazon Web Services" protocol to collect the logs from the CloudWatch log group, with "Extract Original Event" enabled.
    • UDSM editor to create a new Custom DSM named "AWS API gateway Access logs".
    • As we collected the "original event" from CloudWatch, we are able to parse it using JSON keypaths:
      • /"status" mapped to Event ID
      • /"sourceIp" mapped to Source IP address
      • /"requestTime" mapped to Log Source Time
    • Used QIDs in the "Apache HTTP Server" log source type to map to the event IDs of API Gateway.

    Thanks

    Harish 



    ------------------------------
    harish papanna
    ------------------------------
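The parsing step Harish describes, as an added example that is not part of the original thread and not QRadar's or IBM's code: it resolves the three JSON keypaths from the post (/"status", /"sourceIp", /"requestTime") against constructed API Gateway access-log events, the way a custom DSM would once the original event has been extracted from the CloudWatch envelope. The sample events, their field names other than the three keypaths, and the output property labels (`event_id`, `source_ip`, `log_source_time`) are assumptions made here; the CLF-style `requestTime` format is the one API Gateway emits for `$context.requestTime`.

```python
"""Resolve the JSON keypaths from the post against sample API Gateway access-log events."""
import json
from datetime import datetime, timezone

# QRadar-style JSON keypaths quoted in the post. The labels on the left are
# descriptive names chosen for this example, not QRadar's internal field names.
KEYPATHS = {
    "event_id": '/"status"',
    "source_ip": '/"sourceIp"',
    "log_source_time": '/"requestTime"',
}

# Constructed sample events (not taken from the thread). The field set mirrors
# an API Gateway access-log format built from $context variables; the third
# event deliberately lacks sourceIp to show how a missing keypath is handled.
SAMPLE_EVENTS = [
    '{"requestId":"req-0001","sourceIp":"203.0.113.10",'
    '"requestTime":"24/Feb/2023:08:31:00 +0000","httpMethod":"GET",'
    '"resourcePath":"/orders","status":"200"}',
    '{"requestId":"req-0002","sourceIp":"198.51.100.7",'
    '"requestTime":"24/Feb/2023:08:31:05 +0000","httpMethod":"POST",'
    '"resourcePath":"/login","status":401}',
    '{"requestId":"req-0003","requestTime":"24/Feb/2023:08:31:09 +0000",'
    '"httpMethod":"GET","resourcePath":"/health","status":"502"}',
]


def resolve_keypath(event, keypath):
    """Walk a keypath of the form /"a"/"b" through nested dicts.

    Returns None when any step is missing, so a field absent from the
    configured access-log format does not raise.
    """
    node = event
    for part in keypath.split("/"):
        if not part:
            continue
        key = part.strip('"')
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def parse_request_time(value):
    """Convert $context.requestTime (e.g. 24/Feb/2023:08:31:00 +0000) to UTC; None if unparseable."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    except ValueError:
        return None


def normalise(raw):
    """Map one original event onto the three properties the post's DSM uses."""
    event = json.loads(raw)
    status = resolve_keypath(event, KEYPATHS["event_id"])
    return {
        # status may arrive as a number or a string depending on the log format;
        # normalise to a string so it can be matched as an Event ID either way.
        "event_id": None if status is None else str(status),
        "source_ip": resolve_keypath(event, KEYPATHS["source_ip"]),
        "log_source_time": parse_request_time(resolve_keypath(event, KEYPATHS["log_source_time"])),
    }


def normalise_all(raws):
    return [normalise(raw) for raw in raws]


if __name__ == "__main__":
    for rec in normalise_all(SAMPLE_EVENTS):
        print(rec)
```

Note that the keypaths only work because "Extract Original Event" hands the DSM the API Gateway JSON itself; left wrapped in the CloudWatch envelope, every lookup above would return None, which is the quickest way to confirm that setting is in effect.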