Azure-Sentinel/DataConnectors/AWS-S3
v-atulyadav 4c3060b103 Update ConfigAwsS3DataConnectorScripts.zip 2023-10-11 14:55:06 +05:30
CloudFormation Add cloudFormation template 2022-06-02 17:05:45 +03:00
Utils fix gaps and create new zip 2022-04-03 15:53:42 +03:00
AwsRequiredPolicies.md fix (dataConnector AWS S3): remove redundant comma from json policies doc (#5313) 2022-06-15 09:56:52 +03:00
CloudWatchLambdaFunction.py Rename filename to lambda 2023-10-11 15:48:22 +07:00
ConfigAwsConnector.ps1 add support for cloudwatch (#7325) 2023-02-13 09:14:18 +02:00
ConfigAwsS3DataConnectorScripts.zip Update ConfigAwsS3DataConnectorScripts.zip 2023-10-11 14:55:06 +05:30
ConfigCloudTrailDataConnector.ps1 AWS S3 connector- Limit IAM role permissions (#4184) 2022-02-21 17:05:28 +02:00
ConfigCloudWatchDataConnector.ps1 add support for cloudwatch (#7325) 2023-02-13 09:14:18 +02:00
ConfigCustomLogDataConnector.ps1 fix gaps and create new zip 2022-04-03 15:53:42 +03:00
ConfigGuardDutyDataConnector.ps1 fix indentation 2022-04-06 15:58:16 +03:00
ConfigVpcFlowDataConnector.ps1 [Data connectors] Aws S3 Script- Add Sentinel tag when creating a new resources in AWS (#3391) 2021-11-08 09:54:40 +02:00
ConfigVpcFlowLogs.ps1 [Data connectors] Aws S3 Script- Add Sentinel tag when creating a new resources in AWS (#3391) 2021-11-08 09:54:40 +02:00
README.md Fix typo on README.md 2023-10-11 13:48:08 +07:00

README.md

AWS S3 Microsoft Sentinel Connector

Introduction

The AWS S3 Sentinel connector ingests many AWS service logs into Azure Sentinel. Currently supported logs include: AWS VPC Flow Logs, GuardDuty, CloudWatch, CloudTrail (management and data events).

This connector requires that each AWS service publish its logs to an S3 bucket in your account. In addition, you must configure SQS notifications and permissions so that the connector can retrieve the logs.

More information on the connector and configuration instructions can be found on the Azure Sentinel data connector page in the Azure portal.

Configuration process

This set of PowerShell scripts can be used to automatically configure the necessary resources.

At a high level, these scripts do the following:

  1. Create an AWS assumed role and grant access to the AWS Sentinel account.
  2. Configure the AWS service (VPC Flow Logs/GuardDuty) to export gzipped logs to an S3 bucket.
  3. Create a standard Simple Queue Service (SQS) queue in AWS.
  4. Enable SQS notification.
  5. Grant the Sentinel AWS account access to the S3 bucket & SQS.
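Steps 1 and 5 are where the permissions boundary is set, so after the scripts finish it is worth checking that the role's trust policy only lets the Sentinel account assume it, and only with the expected external id. The following audit function is an added example, not part of this repository's scripts; the account id and workspace id are constructed placeholders, and the policy documents are constructed samples of what a correct and an over-permissive trust policy look like.

```python
import json

# Constructed placeholders (not the real Sentinel account id or a real workspace id).
SENTINEL_ACCOUNT = "111111111111"
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of the trust policy the role-creation step should produce.
GOOD_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{SENTINEL_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": WORKSPACE_ID}}}]})

# Constructed weak variant: any principal may assume the role, no external id required.
WEAK_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_account, external_id):
    """Return a list of findings for every Allow statement that grants sts:AssumeRole.

    An empty list means the role can only be assumed by expected_account and only
    when the caller presents external_id (the condition that closes the
    confused-deputy hole in cross-account role assumption)."""
    findings = []
    for st in json.loads(doc)["Statement"]:
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("any AWS principal may assume the role")
        elif not aws or not all(expected_account in p for p in aws):
            findings.append(f"principal is not restricted to account {expected_account}")
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, audit_trust_policy(doc, SENTINEL_ACCOUNT, WORKSPACE_ID) or "OK")
```

To check a live role, feed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) into `audit_trust_policy` with your workspace id as the external id.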

Script prerequisites

You must have PowerShell and the AWS CLI installed before using these scripts.

Using the scripts

Download the scripts in this folder and subfolders or download and extract the ConfigAwsS3DataConnectorScripts.zip file to your computer. Make sure that you have PowerShell and the AWS CLI installed.

IMPORTANT Downloaded PowerShell scripts must be marked safe before being used. To mark the scripts safe, use the Unblock-File cmdlet or
right-click on the script file(s), then click Properties and then click Unblock.

Then run the following from PowerShell and follow the prompts to complete the configuration.
.\ConfigAwsConnector.ps1

When the script(s) complete, you must complete the Azure Sentinel data connector configuration in the Azure portal.

Troubleshooting

By default, a log is created in the directory where the script is executed.

Advanced usage

The ConfigAwsConnector.ps1 script has two parameters:

  • -LogPath specifies a custom path to create the script activity log file.
  • -AwsLogType specifies the AWS log type to configure. Valid options are: "VPC", "CloudTrail", "GuardDuty". If this parameter is specified, the user will not be prompted for this information.