HarshaBalla-4340 asked JamesTran-MSFT commented

Connecting Amazon S3 to Azure Sentinel

We have stored CloudWatch Logs to Amazon S3 buckets using Kinesis Firehose. Now the requirement is to analyze those logs in S3 through Azure Sentinel.

I followed this document, "Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data":

[1]: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3


But here I can see a new version that can ingest logs from the following AWS services by pulling them from an S3 bucket:

Amazon Virtual Private Cloud (VPC) - VPC Flow Logs
Amazon GuardDuty - Findings
AWS CloudTrail - Management and data events

Could someone help me out here on how to achieve this? If any docs are available, it would be helpful.

microsoft-sentinel

AndrewBlumhardt-1137 answered JamesTran-MSFT edited

As you mentioned, there are two AWS connectors: the legacy connector "Amazon Web Services" for CloudTrail, and a new "Amazon Web Services S3" connector for CloudTrail, GuardDuty, and VPC. I assume the new connector should replace the older version.

The article you provided describes the new connector. I have not set this up myself, but the document you linked has the setup instructions, and the connector page in Sentinel also has instructions. Is there a particular step or error that is causing a roadblock?

You may also find this blog post helpful: https://samilamppu.com/2022/01/17/microsoft-sentinel-how-to-leverage-built-in-amazon-web-services-s3-data-connector/


@HarshaBalla-4340
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?


Thanks for your response.
I have kept some of my findings in the comment section; could someone help me out there?


Thanks for following up, I'm happy with your response.

I ran the automated script from the link https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3 for setting up the data connector,
where I used ConfigAwsConnector.ps1 and ConfigCustomLogDataConnector.ps1, since I need to export customized CloudWatch logs in an AWS S3 bucket to Sentinel.

My doubt here is which option to choose in the destination table for reflecting data in Sentinel, and are there any queries to get these results in a Sentinel dashboard? It would be helpful.
I tried all three and it's not working.
[attached screenshot: image.png]

Thanks,


@HarshaBalla-4340
Thank you for following up on this!

When selecting the Destination table, can you see if waiting some time for the data to be ingested into the tables resolves your issue? For the additional queries, are you asking for other queries outside the article that was linked?

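As an added example (not from the thread or from Microsoft's documentation), the following KQL query checks whether the three tables the "Amazon Web Services S3" connector writes to (AWSCloudTrail, AWSGuardDuty and AWSVPCFlow, the connector's standard destination tables) are actually receiving data and how far behind they are. It is a quick way to tell "the connector is working but delivery is slow" from "nothing is arriving at all" before choosing a different destination table or script. The 24h lookback and the 60-minute staleness threshold are assumptions; set them according to your Firehose delivery interval.

```kusto
// Added example: ingestion health check for the Sentinel AWS S3 connector tables.
// Assumptions: 24h lookback window and a 60-minute lag threshold (adjust to your
// Firehose/S3 delivery interval). union isfuzzy=true tolerates tables that do not
// exist yet in the workspace, so the query runs even if only one connector is enabled.
let lookback = 24h;
let stale_minutes = 60;
union isfuzzy=true
    (AWSCloudTrail | where TimeGenerated > ago(lookback)),
    (AWSGuardDuty  | where TimeGenerated > ago(lookback)),
    (AWSVPCFlow    | where TimeGenerated > ago(lookback))
| summarize Events = count(), LastSeen = max(TimeGenerated) by Type
| extend LagMinutes = datetime_diff('minute', now(), LastSeen)
| extend Status = iff(LagMinutes > stale_minutes, "stale", "ok")
| project Type, Events, LastSeen, LagMinutes, Status
| order by LagMinutes desc
```

A table that is missing from the result has received no rows in the lookback window at all, which points at the S3 side (bucket path, SQS notification, role permissions) rather than at a destination-table choice in Sentinel; a table that shows up as "stale" is connected but lagging.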
AndrewBlumhardt-1137 answered JamesTran-MSFT commented

It sounds like you may be trying to use an unsupported operation for that connector.

Apparently there is a new generic S3 connector in private preview to collect CloudWatch logs or any other custom logs stored in S3. The current connector only supports VPC, GuardDuty, and CloudTrail.

Here is a link to join the private preview program: https://aka.ms/SecurityPRP


@HarshaBalla-4340
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
