Connecting Amazon S3 to Azure Sentinel

Question

We have stored Cloud watch Logs to Amazon S3 buckets using Kinesis Firehose. Now the requirement is to analyze those logs in S3 through Azure sentinel.

Followed this document "Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data"

But here I can see new version that can ingest logs from the following AWS services by pulling them from an S3 bucket:

Amazon Virtual Private Cloud (VPC) - VPC Flow Logs
Amazon GuardDuty - Findings
AWS CloudTrail - Management and data events

Could someone help me out here on how to achieve this, if any docs are available it would be helpful

Answer 1

It sounds like you may be trying to use an unsupported operation for that connector.

Apparently there is a new generic S3 connector in private preview to collect cloud watch logs or any other custom logs stored in S3. The current connector only supports VPC, GuardDuty, and CloudTrail.

Here is a link to join the private preview program: https://aka.ms/SecurityPRP

Answer 2

As you mentioned there are two AWS connectors. The legacy connector "Amazon Web Services" for CloudTrail and a new "Amazon Web Services S3" connector for CloudTrail, GuardDuty, and VPC. I assume the new connector should replace the older version.

The article you provided describes the new connector. I have not set this up myself but the document you linked has the setup instructions and the connector page in Sentinel also has instructions. Is there a particular step or error that is causing a roadblock?

You may also find this blog post helpful: https://samilamppu.com/2022/01/17/microsoft-sentinel-how-to-leverage-built-in-amazon-web-services-s3-data-connector/