881439f1d1
* update template * update template * add gov to com |
||
|---|---|---|
| .. | ||
| CloudFormation | ||
| Enviornment | ||
| Utils | ||
| AwsRequiredPolicies.md | ||
| AwsRequiredPoliciesForGov.md | ||
| CloudWatchLambdaFunction.py | ||
| CloudWatchLambdaFunction_V2.py | ||
| ConfigAwsConnector.ps1 | ||
| ConfigAwsS3DataConnectorScripts.zip | ||
| ConfigAwsS3DataConnectorScriptsGov.zip | ||
| ConfigCloudTrailDataConnector.ps1 | ||
| ConfigCloudWatchDataConnector.ps1 | ||
| ConfigCustomLogDataConnector.ps1 | ||
| ConfigGuardDutyDataConnector.ps1 | ||
| ConfigVpcFlowDataConnector.ps1 | ||
| ConfigVpcFlowLogs.ps1 | ||
| README.md | ||
README.md
AWS S3 Microsoft Sentinel Connector
Introduction
AWS S3 Sentinel connector ingests many AWS service logs into Azure Sentinel. Currently supported logs include: AWS VPC Flow Logs, GuardDuty, Cloud Watch, Cloud Trail (management and data events).
This connector requires that each AWS service publish its logs to an S3 bucket in your account. In addition you must configure SQS notifications and permissions for the connector to retrieve the logs.
More information on the connector and configuration instructions can be found on the Azure Sentinel data connector page in the Azure portal.
Configuration process
This set of PowerShell scripts can be used to automatically configure the necessary resources.
At a high level, these scripts do the following:
- Create an AWS assumed role and grant access to the AWS Sentinel account.
- Configure the AWS service (VPC Flow Logs/GuardDuty) to export gzipped logs to an S3 bucket.
- Create a standard Simple Queue Service (SQS) in AWS.
- Enable SQS notification.
- Grant the Sentinel AWS account access to the S3 bucket & SQS.
Script prerequisites
You must have PowerShell and the AWS CLI installed before using these scripts.
- PowerShell Installation instructions
- AWS CLI Installation instructions
- Run from PowerShell
aws configure. For more details please see AWS configure documentation
- Run from PowerShell
Using the scripts
For Microsoft Azure, please download and extract the ConfigAwsS3DataConnectorScripts.zip file to your computer.
For Microsoft Azure Government, please download and extract the ConfigAwsS3DataConnectorGOVScripts.zip file to your computer.
Make sure that you have PowerShell and the AWS CLI installed.
IMPORTANT Downloaded PowerShell scripts must be marked safe to before being used. To mark the scripts safe, use the
Unblock-Filecmdlet or
right-click on the script file(s), then click Properties and then click Unblock.
Then run the following from PowerShell and follow the prompts to complete the configuration.
.\ConfigAwsConnector.ps1
When the script(s) complete, you must complete the Azure Sentinel data connector configuration in the Azure portal.
Troubleshooting
By default, a log is created in the directory where the script is executed.
Advanced usage
The ConfigAwsConnector.ps1 script has two parameters:
-LogPathspecifies a custom path to create the script activity log file.-AwsLogTypespecifies the AWS log type to configure. Valid options are: "VPC", "CloudTrail", "GuardDuty". If this parameter is specified, the user will not be prompted for this information.