Step 1: Log Into AWS Console
- Go to https://aws.amazon.com/console/.
- Click Sign in to the Console.
- Enter your AWS account or IAM user credentials.
Make sure your IAM user has permission to configure CloudTrail and access S3 (the storage for logs).
Step 2: Set Up CloudTrail
- In the AWS Console search bar, type CloudTrail and open the service.
- Click Trails on the left, then Create trail.
- Name your trail and choose to apply it to all regions (recommended).
- Select or create an S3 bucket where logs will be saved.
- Click Create trail.
CloudTrail will now log all API activities in your account and store them in the S3 bucket.
Step 3: Connect CloudTrail Logs to RQ SIEM
RQ SIEM needs to access these CloudTrail logs to analyze them.
- Via S3 Bucket:
  - Give RQ SIEM permission to read the S3 bucket where CloudTrail stores logs.
  - Share the bucket name and access credentials with your RQ SIEM team.
  - RQ SIEM will pull logs from the S3 bucket regularly.
- Via CloudWatch Logs (Optional):
  - You can also send CloudTrail logs to CloudWatch and allow RQ SIEM to access them there.
  - This requires extra setup but may offer faster log delivery.
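The permission you grant RQ SIEM in the S3 option should be read-only and scoped to the CloudTrail prefix, so the collector can fetch logs but can never modify or delete them. The following is an added example, not part of this article or of the RQ SIEM product: it builds such an IAM policy and lints it for write actions and wildcards before you hand the credentials over. The bucket name, the 12-digit account id and the KMS key ARN are placeholders; the key layout AWSLogs/<account-id>/CloudTrail/ is CloudTrail's default delivery prefix.

```python
"""Least-privilege S3 read policy for a SIEM log collector (added example).

Assumptions: the collector authenticates as a dedicated IAM role, the bucket
name and account id below are placeholders, and CloudTrail writes under its
default prefix AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/.
"""
import json
from typing import Optional

# Actions that let a principal alter or destroy log evidence; a reader never needs them.
WRITE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy", "s3:DeleteBucket", "s3:PutLifecycleConfiguration",
    "s3:PutBucketLogging", "s3:PutObjectRetention", "s3:BypassGovernanceRetention",
}


def siem_reader_policy(bucket: str, account_id: str, kms_key_arn: Optional[str] = None) -> dict:
    """Build the identity policy to attach to the SIEM's collection role.

    Listing is limited to this account's CloudTrail prefix and object reads to
    that prefix only. If the bucket is encrypted with SSE-KMS, the reader also
    needs kms:Decrypt on that key, otherwise GetObject fails with AccessDenied.
    """
    prefix = f"AWSLogs/{account_id}/CloudTrail/"
    statements = [
        {
            "Sid": "ListCloudTrailPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
        },
        {
            # GetBucketLocation has no s3:prefix in its request context, so it
            # must not share the conditioned statement above.
            "Sid": "LocateBucket",
            "Effect": "Allow",
            "Action": ["s3:GetBucketLocation"],
            "Resource": f"arn:aws:s3:::{bucket}",
        },
        {
            "Sid": "ReadCloudTrailObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        },
    ]
    if kms_key_arn:
        statements.append({
            "Sid": "DecryptCloudTrailObjects",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_violations(policy: dict) -> list:
    """Return problems found in Allow statements: write actions, wildcard actions, wildcard resources."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        sid = stmt.get("Sid", "?")
        for action in actions:
            if action in WRITE_ACTIONS or action == "*" or action.endswith(":*"):
                problems.append(f"{sid}: over-broad or write action {action}")
        for res in resources:
            if res == "*":
                problems.append(f"{sid}: wildcard resource")
    return problems


if __name__ == "__main__":
    # Placeholder values; substitute your bucket, account id and key ARN.
    policy = siem_reader_policy("example-cloudtrail-bucket", "123456789012")
    print(json.dumps(policy, indent=2))
    print("violations:", policy_violations(policy))
```

Attach the resulting document to the role or user the RQ SIEM collector assumes; if the trail's bucket uses a customer-managed KMS key, pass its ARN so the decrypt statement is included.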
Step 4: Confirm It’s Working
- Check that logs are appearing in the S3 bucket or CloudWatch.
- Verify that RQ SIEM is importing and displaying the CloudTrail data.
- Try making some changes in AWS and watch for those events in RQ SIEM.
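To confirm delivery independently of the SIEM, you can fetch one object from the bucket and check it the way a collector would. The following is an added example and not part of this article or of RQ SIEM: it validates that an object key follows CloudTrail's default delivery layout, decompresses the gzip JSON, and summarises the events, flagging any that alter the trail itself (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors), which is exactly the kind of change you should see surface in RQ SIEM after the "make some changes" step. The log records and object key are constructed for the example; the record field names follow the CloudTrail record format.

```python
"""Check a delivered CloudTrail object as a collector would (added example).

The records and key below are constructed. Real objects are written by
CloudTrail as gzip-compressed JSON with a top-level "Records" array under
AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/<file>.json.gz.
"""
import gzip
import json
import re
from collections import Counter

# Default S3 key layout CloudTrail uses for trail delivery.
CLOUDTRAIL_KEY_RE = re.compile(
    r"^AWSLogs/(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/.+\.json\.gz$"
)

# Constructed sample: two management events an IAM user might generate in the console.
SAMPLE_RECORDS = {
    "Records": [
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:00:00Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateUser",
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
        },
        {
            "eventVersion": "1.08",
            "eventTime": "2024-01-15T10:01:00Z",
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": "StopLogging",
            "awsRegion": "us-east-1",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
        },
    ]
}

# Constructed key and object body (placeholder account id 123456789012).
SAMPLE_KEY = ("AWSLogs/123456789012/CloudTrail/us-east-1/2024/01/15/"
              "123456789012_CloudTrail_us-east-1_20240115T1000Z_example.json.gz")
SAMPLE_OBJECT = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())

# API calls that change the audit pipeline itself; a SIEM should alert on these.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_key(key: str) -> dict:
    """Return account, region and date from a delivery key, or raise if it is not one."""
    m = CLOUDTRAIL_KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a CloudTrail delivery key: {key}")
    return m.groupdict()


def load_records(blob: bytes) -> list:
    """Decompress an object body and return its Records array."""
    return json.loads(gzip.decompress(blob))["Records"]


def summarize(records: list) -> dict:
    """Count events per eventSource and list any trail-tampering events."""
    by_source = Counter(r["eventSource"] for r in records)
    tampering = [r["eventName"] for r in records if r["eventName"] in TRAIL_TAMPERING]
    return {"total": len(records), "by_source": dict(by_source), "tampering": tampering}


if __name__ == "__main__":
    meta = parse_key(SAMPLE_KEY)
    print(f"delivery for account {meta['account']}, region {meta['region']}, "
          f"date {meta['y']}-{meta['m']}-{meta['d']}")
    print(summarize(load_records(SAMPLE_OBJECT)))
```

Point load_records at an object downloaded from your bucket (for example with the AWS CLI's s3 cp) and compare the summary with what RQ SIEM displays; a non-empty tampering list is a finding in its own right, since it means someone changed the trail after you created it.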