DEV Community

Cover image for Ingest AWS CloudTrail Logs to Microsoft Sentinel
Sujay Pillai for AWS Community Builders

Posted on

Ingest AWS CloudTrail Logs to Microsoft Sentinel

Microsoft Sentinel is a Cloud Native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution with built-in AI for analytics. It removes the cost and complexity of achieving the central and focused near real time view of the active threats in your environment.

The Data connectors page, accessible from the Microsoft Sentinel navigation menu, shows the full list of connectors that Microsoft Sentinel provides, and their status. We will use the Amazon Web Services S3 connector to pull AWS CloudTrail logs into Microsoft Sentinel.

Microsoft Sentinel Connector

For this connector to work we need to grant Microsoft Sentinel access to the AWS CloudTrail logs that we configured previously. By setting up this connector there is a trust relationship established between Amazon Web Services and Microsoft Sentinel. This can be achieved by creating a role that gives permission to Microsoft Sentinel to access CloudTrail logs.

In the previous blog we had already created that role with necessary permission to access CloudTrail logs.

The Role ARN and SQS Queue url in output will be handy for the connector configuration-



Changes to Outputs:
  + sentinelrole = "arn:aws:iam::123456789012:role/AzureSentinelRole"
  + sqsurl       = "https://sqs.ap-southeast-1.amazonaws.com/123456789012/awscbcloudtrailqueue"


Enter fullscreen mode Exit fullscreen mode

On the Microsoft Sentinel blade navigate to Data connectors. Select Amazon Web Services S3 and in the details page click on Open connector page to configure connector.

S3 Connector

Field Value
ROLE ARN arn:aws:iam::123456789012:role/AzureSentinelRole
SQS URL https://sqs.ap-southeast-1.amazonaws.com/123456789012/awscbcloudtrailqueue

Terraform code for automating the whole setup on AWS side can be found here

You could check the status of the connector from the Connector page as shown below:

Connector Status

Click on AWSCloudTrail or navigate to the Log Analytics workspace to see the CloudTrail logs from your AWS Account

CloudTrail query

On successful connection Microsoft Sentinel creates a table called AWSCloudTrail with the columns as documented here

We can write custom queries using Kusto Query on top of this data and return result as shown below:

KustoQuery

Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data. Once such workbook is AWS S3 Workbook built by Microsoft Sentinel Community.

SentinelWorkbook

SentinelWorkbook1

SentinelHealth data table provides insights on health drifts, such as latest failure events per connector, or connectors with changes from success to failure states, which you can use to create alerts and other automated actions.

SentinelHealth

Top comments (0)