MicrosoftDocs
diff --git a/‎articles/sentinel/TOC.yml
Lines changed: 3 additions & 0 deletions b/‎articles/sentinel/TOC.yml
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/sentinel/cloudwatch-lambda-function.md
Lines changed: 58 additions & 0 deletions b/‎articles/sentinel/cloudwatch-lambda-function.md
Lines changed: 58 additions & 0 deletions
diff --git a/‎articles/sentinel/connect-aws.md
Lines changed: 12 additions & 3 deletions b/‎articles/sentinel/connect-aws.md
Lines changed: 12 additions & 3 deletions
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-add-layer.png
97 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-add-layer.png
97 KB
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-basic-information.png
54.7 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-basic-information.png
54.7 KB
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-code-source.png
98.4 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-code-source.png
98.4 KB
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-configure-test-event.png
120 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-configure-test-event.png
120 KB
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-other-permissions-policies.png
131 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-other-permissions-policies.png
131 KB
diff --git a/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-permissions.png
65.8 KB b/‎articles/sentinel/media/cloudwatch-lambda-function/lambda-permissions.png
65.8 KB
@@ -250,6 +250,9 @@
       items:
       - name: Amazon Web Services logs
         href: connect-aws.md
+        items:
+        - name: Send CloudWatch events via Lambda function
+          href: cloudwatch-lambda-function.md
       - name: Azure Active Directory
         href: connect-azure-active-directory.md
       - name: Microsoft Defender for Cloud
 
@@ -0,0 +1,58 @@
+---
+title: Ingest CloudWatch logs to Microsoft Sentinel - create a Lambda function to send CloudWatch events to S3 bucket
+description: In this article, you create a Lambda function to send CloudWatch events to an S3 bucket.
+author: limwainstein
+ms.author: lwainstein
+ms.service: microsoft-sentinel
+ms.topic: how-to
+ms.date: 02/09/2023
+#Customer intent: As a security operator, I want to create a Lambda function to send CloudWatch events to S3 bucket so I can convert the format to the format accepted by Microsoft Sentinel.  
+---
+
+# Create a Lambda function to send CloudWatch events to an S3 bucket
+
+In some cases, your CloudWatch logs may not match the format accepted by Microsoft Sentinel - .csv file in a GZIP format without a header. In this article, you use a [lambda function](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLanbdaFunction.py) within the Amazon Web Services (AWS) environment to send [CloudWatch events to an S3 bucket](connect-aws.md), and convert the format to the accepted format. 
+
+## Create the lambda function 
+
+The lambda function uses Python 3.9 runtime and x86_64 architecture. 
+
+1. In the AWS Management Console, select the lambda service.
+1. Select **Create function**. 
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-basic-information.png" alt-text="Screenshot of the AWS Management Console Basic information screen." lightbox="media/cloudwatch-lambda-function/lambda-basic-information.png":::
+
+1. Type a name for the function and select **Python 3.9** as the runtime and **x86_64** as the architecture. 
+1. Select **Create function**. 
+1. Under **Choose a layer**, select a layer and select **Add**.
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-add-layer.png" alt-text="Screenshot of the AWS Management Console Add layer screen." lightbox="media/cloudwatch-lambda-function/lambda-add-layer.png":::
+
+1. Select **Permissions**, and under **Execution role**, select **Role name**.
+1. Under **Permissions policies**, select **Add permissions** > **Attach policies**. 
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-permissions.png" alt-text="Screenshot of the AWS Management Console Permissions tab." lightbox="media/cloudwatch-lambda-function/lambda-permissions.png":::
+
+1. Search for the *AmazonS3FullAccess* and *CloudWatchLogsReadOnlyAccess* policies and attach them.
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-other-permissions-policies.png" alt-text="Screenshot of the AWS Management Console Add permissions policies screen." lightbox="media/cloudwatch-lambda-function/lambda-other-permissions-policies.png":::
+
+1. Copy the code link from the [source file](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLanbdaFunction.py). 
+1. Return to the function, select **Code**, and paste the code link under **Code source**.
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-code-source.png" alt-text="Screenshot of the AWS Management Console Code source screen." lightbox="media/cloudwatch-lambda-function/lambda-code-source.png":::
+ 
+1. Fill the parameters as required. 
+1. Select **Deploy**, and then select **Test**.
+1. Create an event by filling in the required fields.
+
+    :::image type="content" source="media/cloudwatch-lambda-function/lambda-configure-test-event.png" alt-text="Screenshot of the AWS Management Configure test event screen." lightbox="media/cloudwatch-lambda-function/lambda-configure-test-event.png":::
+
+1. Select **Test** to see how the event appears in the S3 bucket. 
+
+## Next steps
+
+In this document, you learned how to create a Lambda function to send CloudWatch events to an S3 bucket. To learn more about Microsoft Sentinel, see the following articles:
+- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
+- [Use workbooks](monitor-your-data.md) to monitor your data.
@@ -7,8 +7,6 @@ ms.date: 12/12/2022
 ms.author: yelevin
 ---
 
----
-
 # Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
 
 Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel. These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.
@@ -26,7 +24,18 @@ This connector is available in two versions: the legacy connector for CloudTrail
 
 # [S3 connector (new)](#tab/s3)
 
-This document explains how to configure the new AWS S3 connector. The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side.
+This article explains how to configure the new AWS S3 connector. The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side.
+
+## Prerequisites
+
+Make sure that the logs from your selected AWS service use the format accepted by Microsoft Sentinel:
+
+- **Amazon VPC**: .csv file in GZIP format with headers; delimiter: space.
+- **Amazon GuardDuty**: json-line and GZIP formats.
+- **AWS CloudTrail**: .json file in a GZIP format.
+- **CloudWatch**: .csv file in a GZIP format without a header. If you need to convert your logs to this format, you can use this [CloudWatch lambda function](cloudwatch-lambda-function.md).
+
+## Connect the S3 connector
 
 - In your AWS environment: