Edit

Create a Lambda function to send CloudWatch events to an S3 bucket

  • Article

In some cases, your CloudWatch logs may not match the format accepted by Microsoft Sentinel - .csv file in a GZIP format without a header. In this article, you use a lambda function within the Amazon Web Services (AWS) environment to send CloudWatch events to an S3 bucket, and convert the format to the accepted format.

Create the lambda function

The lambda function uses Python 3.9 runtime and x86_64 architecture.

  1. In the AWS Management Console, select the lambda service.

  2. Select Create function.

    Screenshot of the AWS Management Console Basic information screen.

  3. Type a name for the function and select Python 3.9 as the runtime and x86_64 as the architecture.

  4. Select Create function.

  5. Under Choose a layer, select a layer and select Add.

    Screenshot of the AWS Management Console Add layer screen.

  6. Select Permissions, and under Execution role, select Role name.

  7. Under Permissions policies, select Add permissions > Attach policies.

    Screenshot of the AWS Management Console Permissions tab.

  8. Search for the AmazonS3FullAccess and CloudWatchLogsReadOnlyAccess policies and attach them.

    Screenshot of the AWS Management Console Add permissions policies screen.

  9. Return to the function, select Code, and paste the code link under Code source.

    Screenshot of the AWS Management Console Code source screen.

  10. Fill the parameters as required.

  11. Select Deploy, and then select Test.

  12. Create an event by filling in the required fields.

    Screenshot of the AWS Management Configure test event screen.

  13. Select Test to see how the event appears in the S3 bucket.

Next steps

In this document, you learned how to create a Lambda function to send CloudWatch events to an S3 bucket. To learn more about Microsoft Sentinel, see the following articles: