DEV Community

Sujay Pillai for AWS Community Builders


Ingest AWS CloudTrail Logs to Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution with built-in AI for analytics. It removes the cost and complexity of building a central, near-real-time view of the active threats in your environment.

The Data connectors page, accessible from the Microsoft Sentinel navigation menu, lists all the connectors Microsoft Sentinel provides and their status. We will use the Amazon Web Services S3 connector to pull AWS CloudTrail logs into Microsoft Sentinel.

Microsoft Sentinel Connector

For this connector to work, Microsoft Sentinel needs read access to the CloudTrail logs we configured previously. Setting up the connector establishes a cross-account trust between your AWS account and Microsoft Sentinel: you create an IAM role that Microsoft Sentinel's AWS account is allowed to assume, with your Log Analytics workspace ID as the sts:ExternalId condition so that no other Sentinel tenant can assume the same role, and you grant that role read access to the CloudTrail S3 bucket and to the SQS queue that receives the bucket's object-created notifications.

In the previous blog we already created that role with the necessary permissions to access the CloudTrail logs.
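Because the whole integration hangs on that role, it is worth checking it before pasting the ARN into the connector. The script below is an added example, not code from the original post or its Terraform: it audits a trust policy and a permissions policy for the two properties that matter (only the Sentinel AWS account may assume the role, and only with the workspace ID as sts:ExternalId; the role can only read the CloudTrail bucket and consume the queue). The account ID, workspace ID, bucket and queue ARNs, and the minimal action set are constructed placeholders and assumptions; substitute your own values.

```python
"""Audit the IAM role Microsoft Sentinel assumes for the AWS S3 connector.

Added example, not code from the original post. All IDs and ARNs below are
constructed placeholders; ALLOWED_ACTIONS is an assumed minimal read set.
"""

SENTINEL_ACCOUNT_ID = "111122223333"                   # assumed: Sentinel's AWS account
WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"  # assumed: Log Analytics workspace ID
BUCKET_ARN = "arn:aws:s3:::awscb-cloudtrail-bucket"    # constructed
QUEUE_ARN = "arn:aws:sqs:ap-southeast-1:123456789012:awscbcloudtrailqueue"  # constructed

# Assumed minimal action set: read objects from the bucket, consume the queue.
ALLOWED_ACTIONS = {
    "s3:GetObject", "s3:ListBucket",
    "sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility",
}
ALLOWED_RESOURCES = {BUCKET_ARN, BUCKET_ARN + "/*", QUEUE_ARN}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, sentinel_account_id=SENTINEL_ACCOUNT_ID, workspace_id=WORKSPACE_ID):
    """Return findings for a role trust policy; an empty list means it is as expected."""
    findings = []
    expected_principals = {sentinel_account_id, f"arn:aws:iam::{sentinel_account_id}:root"}
    assume_statements = 0
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        assume_statements += 1
        principal = stmt.get("Principal", {})
        aws = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in aws or not aws or any(p not in expected_principals for p in aws):
            findings.append(f"AssumeRole principal is not limited to the Sentinel account: {aws}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("sts:ExternalId condition missing: any Sentinel tenant could assume the role")
        elif ext != workspace_id:
            findings.append(f"sts:ExternalId {ext!r} does not match the workspace ID")
    if assume_statements == 0:
        findings.append("no Allow sts:AssumeRole statement: Sentinel cannot assume the role")
    return findings


def audit_permissions_policy(doc):
    """Flag wildcard or out-of-scope actions and resources in the role's permissions policy."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or action not in ALLOWED_ACTIONS:
                findings.append(f"action beyond read-only scope: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in ALLOWED_RESOURCES:
                findings.append(f"resource beyond the CloudTrail bucket/queue: {resource}")
    return findings


# Constructed sample policy documents: a weak pair and a hardened pair.
WEAK_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
WEAK_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "sqs:*"], "Resource": "*"}],
}
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SENTINEL_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": WORKSPACE_ID}},
    }],
}
GOOD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:ChangeMessageVisibility"],
         "Resource": QUEUE_ARN},
    ],
}

if __name__ == "__main__":
    for name, trust, perms in (("weak", WEAK_TRUST, WEAK_PERMISSIONS),
                               ("hardened", GOOD_TRUST, GOOD_PERMISSIONS)):
        print(name, audit_trust_policy(trust) + audit_permissions_policy(perms) or "ok")
```

Run it against the JSON of your own role (for example the output of `aws iam get-role` and `aws iam get-role-policy`, loaded with `json.load`) after replacing the placeholders; the weak pair above produces findings for the open principal, the missing external ID and the wildcard actions and resource, while the hardened pair produces none.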

The Role ARN and SQS queue URL in the Terraform output will be needed for the connector configuration:

Changes to Outputs:
  + sentinelrole = "arn:aws:iam::123456789012:role/AzureSentinelRole"
  + sqsurl       = "https://sqs.ap-southeast-1.amazonaws.com/123456789012/awscbcloudtrailqueue"

On the Microsoft Sentinel blade, navigate to Data connectors. Select Amazon Web Services S3 and, on the details page, click Open connector page to configure the connector.

S3 Connector

Field      Value
Role ARN   arn:aws:iam::123456789012:role/AzureSentinelRole
SQS URL    https://sqs.ap-southeast-1.amazonaws.com/123456789012/awscbcloudtrailqueue

Terraform code for automating the whole setup on the AWS side can be found here.

You can check the status of the connector on the connector page, as shown below:

Connector Status

Click AWSCloudTrail, or navigate to the Log Analytics workspace, to see the CloudTrail logs from your AWS account.

CloudTrail query

On successful connection Microsoft Sentinel creates a table called AWSCloudTrail, with the columns documented here.

We can write custom queries in Kusto Query Language (KQL) on top of this data and return results as shown below:
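Two detections a practitioner typically writes first over this table are console sign-ins without MFA and API calls that stop or weaken CloudTrail itself. The script below is an added example, not code from the original post: it runs both detections over a handful of constructed rows shaped like the AWSCloudTrail table (nested CloudTrail fields such as AdditionalEventData and ResponseElements arrive as JSON text), and each function's docstring carries the equivalent KQL to paste into the Logs blade. The rows, account IDs, IP addresses and trail name are constructed sample data.

```python
"""Detections over rows shaped like Microsoft Sentinel's AWSCloudTrail table.

Added example, not from the original post. Sample rows are constructed;
the KQL in each docstring is the query the Python reproduces.
"""
import json

# Constructed sample rows using AWSCloudTrail column names.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-01-10T08:00:00Z", "EventSource": "signin.amazonaws.com",
     "EventName": "ConsoleLogin", "UserIdentityType": "IAMUser",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/alice",
     "SourceIpAddress": "203.0.113.10", "AwsRegion": "us-east-1",
     "AdditionalEventData": json.dumps({"MFAUsed": "Yes"}),
     "ResponseElements": json.dumps({"ConsoleLogin": "Success"})},
    {"TimeGenerated": "2023-01-10T08:05:00Z", "EventSource": "signin.amazonaws.com",
     "EventName": "ConsoleLogin", "UserIdentityType": "Root",
     "UserIdentityArn": "arn:aws:iam::123456789012:root",
     "SourceIpAddress": "198.51.100.7", "AwsRegion": "us-east-1",
     "AdditionalEventData": json.dumps({"MFAUsed": "No"}),
     "ResponseElements": json.dumps({"ConsoleLogin": "Success"})},
    {"TimeGenerated": "2023-01-10T08:06:00Z", "EventSource": "signin.amazonaws.com",
     "EventName": "ConsoleLogin", "UserIdentityType": "IAMUser",
     "UserIdentityArn": "arn:aws:iam::123456789012:user/bob",
     "SourceIpAddress": "198.51.100.7", "AwsRegion": "us-east-1",
     "AdditionalEventData": json.dumps({"MFAUsed": "No"}),
     "ResponseElements": json.dumps({"ConsoleLogin": "Failure"})},
    {"TimeGenerated": "2023-01-10T08:20:00Z", "EventSource": "cloudtrail.amazonaws.com",
     "EventName": "StopLogging", "UserIdentityType": "Root",
     "UserIdentityArn": "arn:aws:iam::123456789012:root",
     "SourceIpAddress": "198.51.100.7", "AwsRegion": "ap-southeast-1",
     "RequestParameters": json.dumps({"name": "awscb-trail"}),
     "AdditionalEventData": "", "ResponseElements": "null"},
]


def _json_column(value):
    """Nested CloudTrail fields are stored as JSON text; tolerate empty, null or malformed values."""
    try:
        parsed = json.loads(value) if value else None
    except (TypeError, ValueError):
        parsed = None
    return parsed if isinstance(parsed, dict) else {}


def console_logins_without_mfa(rows):
    """Successful console sign-ins where MFA was not used.

    KQL equivalent:
      AWSCloudTrail
      | where EventSource == "signin.amazonaws.com" and EventName == "ConsoleLogin"
      | extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed),
               Outcome = tostring(parse_json(ResponseElements).ConsoleLogin)
      | where Outcome == "Success" and MFAUsed != "Yes"
      | project TimeGenerated, UserIdentityType, UserIdentityArn, SourceIpAddress
    """
    hits = []
    for r in rows:
        if r.get("EventSource") != "signin.amazonaws.com" or r.get("EventName") != "ConsoleLogin":
            continue
        outcome = _json_column(r.get("ResponseElements")).get("ConsoleLogin")
        mfa = _json_column(r.get("AdditionalEventData")).get("MFAUsed")
        if outcome == "Success" and mfa != "Yes":
            hits.append({k: r.get(k) for k in
                         ("TimeGenerated", "UserIdentityType", "UserIdentityArn", "SourceIpAddress")})
    return hits


# CloudTrail API calls that stop or narrow logging; an attacker's first move after gaining access.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def cloudtrail_tampering(rows):
    """CloudTrail configuration changes that reduce or stop logging.

    KQL equivalent:
      AWSCloudTrail
      | where EventSource == "cloudtrail.amazonaws.com"
      | where EventName in ("StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors")
      | extend TrailName = tostring(parse_json(RequestParameters).name)
      | project TimeGenerated, EventName, TrailName, UserIdentityArn, SourceIpAddress, AwsRegion
    """
    hits = []
    for r in rows:
        if r.get("EventSource") == "cloudtrail.amazonaws.com" and r.get("EventName") in TRAIL_TAMPERING:
            hits.append({"TimeGenerated": r.get("TimeGenerated"), "EventName": r.get("EventName"),
                         "TrailName": _json_column(r.get("RequestParameters")).get("name"),
                         "UserIdentityArn": r.get("UserIdentityArn"),
                         "SourceIpAddress": r.get("SourceIpAddress")})
    return hits


if __name__ == "__main__":
    for hit in console_logins_without_mfa(SAMPLE_ROWS) + cloudtrail_tampering(SAMPLE_ROWS):
        print(hit)
```

On the sample data the first detection returns only the root sign-in (alice used MFA, bob's attempt failed), and the second returns the StopLogging call against awscb-trail; note that the root login and the StopLogging call share a source IP, which is the kind of pivot the Sentinel workbook's per-IP views make easy to spot.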

KustoQuery

Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates that let you quickly gain insights across it. One such workbook is the AWS S3 workbook built by the Microsoft Sentinel community.

SentinelWorkbook

SentinelWorkbook1

The SentinelHealth data table provides insight into health drifts, such as the latest failure event per connector or connectors that have changed from a success to a failure state, which you can use to create alerts and other automated actions.
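The two questions the paragraph names, "what is each connector's latest state" and "which connector just went from success to failure", map to a per-connector arg_max and a per-connector comparison with the previous row. The script below is an added example, not code from the original post: it computes both over constructed rows shaped like the SentinelHealth table and carries the equivalent KQL in the docstrings. The connector display name, resource IDs and descriptions are constructed sample values.

```python
"""Connector health from rows shaped like Microsoft Sentinel's SentinelHealth table.

Added example, not from the original post. Sample rows are constructed; the
connector name "Amazon Web Services S3" is an assumed display name.
"""
from collections import defaultdict

# Constructed sample rows using SentinelHealth column names.
SAMPLE_HEALTH = [
    {"TimeGenerated": "2023-01-10T07:00:00Z", "SentinelResourceType": "Data connector",
     "SentinelResourceName": "Amazon Web Services S3", "Status": "Success",
     "Description": "Data fetched successfully"},
    {"TimeGenerated": "2023-01-10T07:00:00Z", "SentinelResourceType": "Data connector",
     "SentinelResourceName": "Azure Active Directory", "Status": "Success",
     "Description": "Data fetched successfully"},
    {"TimeGenerated": "2023-01-10T07:30:00Z", "SentinelResourceType": "Data connector",
     "SentinelResourceName": "Amazon Web Services S3", "Status": "Failure",
     "Description": "Constructed: access denied when receiving from the SQS queue"},
    {"TimeGenerated": "2023-01-10T08:00:00Z", "SentinelResourceType": "Data connector",
     "SentinelResourceName": "Amazon Web Services S3", "Status": "Failure",
     "Description": "Constructed: access denied when receiving from the SQS queue"},
    {"TimeGenerated": "2023-01-10T08:00:00Z", "SentinelResourceType": "Analytics rule",
     "SentinelResourceName": "Some rule", "Status": "Failure", "Description": "not a connector"},
]


def _connector_rows_in_order(rows):
    """Data-connector rows only, oldest first (ISO-8601 UTC strings sort lexically)."""
    return sorted((r for r in rows if r.get("SentinelResourceType") == "Data connector"),
                  key=lambda r: r["TimeGenerated"])


def latest_status_by_connector(rows):
    """Most recent status per connector, as {name: status}.

    KQL equivalent:
      SentinelHealth
      | where SentinelResourceType == "Data connector"
      | summarize arg_max(TimeGenerated, *) by SentinelResourceName
      | project SentinelResourceName, Status, TimeGenerated, Description
    """
    latest = {}
    for r in _connector_rows_in_order(rows):
        latest[r["SentinelResourceName"]] = r  # later rows overwrite earlier ones
    return {name: r["Status"] for name, r in latest.items()}


def success_to_failure_transitions(rows):
    """(connector, time, description) for each Success -> Failure transition.

    KQL equivalent (sort by serialises the rows so prev() is defined):
      SentinelHealth
      | where SentinelResourceType == "Data connector"
      | sort by SentinelResourceName asc, TimeGenerated asc
      | extend PrevName = prev(SentinelResourceName), PrevStatus = prev(Status)
      | where PrevName == SentinelResourceName and PrevStatus == "Success" and Status == "Failure"
      | project SentinelResourceName, TimeGenerated, Description
    """
    by_name = defaultdict(list)
    for r in _connector_rows_in_order(rows):
        by_name[r["SentinelResourceName"]].append(r)
    transitions = []
    for name, seq in by_name.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev["Status"] == "Success" and cur["Status"] == "Failure":
                transitions.append((name, cur["TimeGenerated"], cur.get("Description")))
    return transitions


if __name__ == "__main__":
    print(latest_status_by_connector(SAMPLE_HEALTH))
    print(success_to_failure_transitions(SAMPLE_HEALTH))
```

The transition query is the one to wire to an automation rule: it fires once when the AWS S3 connector breaks (here at 07:30) rather than on every subsequent failure row, so a playbook that opens a ticket or re-checks the IAM role does not run repeatedly while the connector stays down.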

SentinelHealth
