Azure Sentinel for AWS logs

홍원종 Azure SA 0 Reputation points
2024-04-17T10:25:33.4666667+00:00

I'm having issues importing AWS logs into Azure Sentinel. There are no issues importing data using data connectors, but I want to manually import tables that are not supported by data connectors in JSON format.

I tried using Custom Log Data Collection Rules (DCR) to import, but I could only create tables and could not query them.

I modified the transformation query:

source
| extend TimeGenerated = todatetime(

The columns were separated, but there's a problem with actually querying the logs.

Additional question:

Is it possible to import tables from AWS into Sentinel that are not supported by the data connectors?


1 answer

  1. Marilee Turscak-MSFT 33,876 Reputation points Microsoft Employee
    2024-04-17T20:32:31.13+00:00

    Hi @홍원종 Azure SA ,

    If you cannot use the AWS data connector, my understanding is that you can use this script to create the table: https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/S3-Lambda#edit-the-script

    After the script runs, the table will be created but you need to ingest the data into the custom table to be able to query it. The custom table is where it's stored in Log Analytics.

    You can check the schema before ingesting, and after it's created you would find the table under "Custom Logs." https://learn.microsoft.com/en-us/azure/sentinel/data-source-schema-reference

    Let me know if this addresses your question.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

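A worked example of the two steps this thread touches: the TimeGenerated transformation the question sketches (`source | extend TimeGenerated = todatetime(...)`) and the "ingest the data into the custom table" step the answer describes. This is an added example, not code from the thread, from Microsoft's connector scripts or from the Azure SDK samples. Everything named in it is an assumption: the DCE endpoint, the DCR immutable ID, the `AwsEvent_CL` table and its columns, a CloudTrail-style `eventTime` field, and the 2-day client-side age cutoff; the sample events are constructed. The 1 MB per-call size limit is the documented Logs Ingestion API limit.

```python
"""Shape AWS JSON events for a DCR-fed Log Analytics custom table.

Added example (not the thread's code). All identifiers below are placeholders.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Any

# --- Assumed deployment identifiers (replace with your own) ---
DCE_ENDPOINT = "https://example-dce.eastus-1.ingest.monitor.azure.com"  # assumption
DCR_IMMUTABLE_ID = "dcr-00000000000000000000000000000000"            # assumption
TABLE_NAME = "AwsEvent_CL"             # custom Log Analytics tables end in _CL
STREAM_NAME = f"Custom-{TABLE_NAME}"   # DCR stream name for a custom table

# Raw stream declaration for the DCR's streamDeclarations block. Columns the
# JSON carries but the stream does not declare are invisible to the transform.
STREAM_DECLARATION = {
    STREAM_NAME: {
        "columns": [
            {"name": "eventTime", "type": "string"},
            {"name": "eventSource", "type": "string"},
            {"name": "eventName", "type": "string"},
            {"name": "awsRegion", "type": "string"},
            {"name": "sourceIPAddress", "type": "string"},
            {"name": "requestParameters", "type": "dynamic"},
        ]
    }
}

# transformKql for the DCR: the destination table needs a datetime
# TimeGenerated, and deriving it from the event keeps the original event time.
TRANSFORM_KQL = (
    "source\n"
    "| extend TimeGenerated = todatetime(eventTime)\n"
    "| project-away eventTime"
)

MAX_BATCH_BYTES = 1_000_000   # Logs Ingestion API: at most 1 MB per call
MAX_AGE = timedelta(days=2)   # assumption: client-side cutoff for stale events
MAX_SKEW = timedelta(hours=1) # assumption: tolerated future clock skew

# Constructed sample events (not real AWS data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-04-17T10:25:33Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "example-bucket"}, "extra": "dropped"},
    {"eventTime": "2024-04-17T12:25:33+02:00", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.11", "requestParameters": {"userName": "svc"}},
    {"eventTime": "17/04/2024 10:25", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances"},                       # not ISO 8601
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole"},  # no time
    {"eventTime": "2024-04-01T00:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject"},                          # older than MAX_AGE
]


def parse_event_time(value: Any) -> datetime | None:
    """Parse an ISO 8601 / CloudTrail timestamp into an aware UTC datetime."""
    if not isinstance(value, str) or not value:
        return None
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        dt = datetime.fromisoformat(text)
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def prepare_records(events, now: datetime | None = None):
    """Split events into (accepted, rejected).

    Accepted records carry only declared columns and a normalised UTC
    eventTime that todatetime() in the transform will parse; rejected
    entries are (event, reason) pairs so the failure is visible client-side.
    """
    now = now or datetime.now(timezone.utc)
    declared = {c["name"] for c in STREAM_DECLARATION[STREAM_NAME]["columns"]}
    accepted, rejected = [], []
    for ev in events:
        ts = parse_event_time(ev.get("eventTime"))
        if ts is None:
            rejected.append((ev, "unparsable or missing eventTime"))
            continue
        if ts > now + MAX_SKEW or ts < now - MAX_AGE:
            rejected.append((ev, "eventTime outside accepted window"))
            continue
        rec = {k: v for k, v in ev.items() if k in declared}
        rec["eventTime"] = ts.isoformat().replace("+00:00", "Z")
        accepted.append(rec)
    return accepted, rejected


def batch_records(records, limit: int = MAX_BATCH_BYTES):
    """Group records into JSON arrays whose serialised size stays under limit."""
    batches, current, size = [], [], 2          # 2 bytes for "[]"
    for rec in records:
        enc = len(json.dumps(rec, separators=(",", ":")).encode()) + 1  # +1 comma
        if current and size + enc > limit:
            batches.append(current)
            current, size = [], 2
        current.append(rec)
        size += enc
    if current:
        batches.append(current)
    return batches


def upload(batches) -> None:
    """Push batches through the Logs Ingestion API (network; needs credentials)."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.ingestion import LogsIngestionClient
    client = LogsIngestionClient(DCE_ENDPOINT, DefaultAzureCredential())
    for batch in batches:
        client.upload(rule_id=DCR_IMMUTABLE_ID, stream_name=STREAM_NAME, logs=batch)


if __name__ == "__main__":
    ok, bad = prepare_records(SAMPLE_EVENTS, now=datetime(2024, 4, 17, 12, tzinfo=timezone.utc))
    for ev, why in bad:
        print("rejected:", why, ev.get("eventName"))
    print(f"{len(ok)} record(s) in {len(batch_records(ok))} batch(es) ready for {STREAM_NAME}")
```

Rejecting events whose timestamp `todatetime()` would not parse before they leave the client is the check worth keeping: a record that reaches the table without a usable TimeGenerated will not show up in a time-ranged KQL query, which looks exactly like "the columns are there but I can't query the logs". The `upload` function is the only part that talks to Azure; the identity it runs under needs the Monitoring Metrics Publisher role on the DCR.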