File: articles/sentinel/connect-aws.md (16 additions & 16 deletions)
@@ -35,6 +35,22 @@ Make sure that the logs from your selected AWS service use the format accepted b
35
35
-**AWS CloudTrail**: .json file in a GZIP format.
36
36
-**CloudWatch**: .csv file in a GZIP format without a header. If you need to convert your logs to this format, you can use this [CloudWatch lambda function](cloudwatch-lambda-function.md).
37
37
38
+
## Architecture overview
39
+
40
+
This graphic and the following text show how the parts of this connector solution interact.
41
+
42
+
:::image type="content" source="media/connect-aws/s3-connector-architecture.png" alt-text="Screenshot of A W S S 3 connector architecture.":::
43
+
44
+
- AWS services are configured to send their logs to S3 (Simple Storage Service) storage buckets.
45
+
46
+
- The S3 bucket sends notification messages to the SQS (Simple Queue Service) message queue whenever it receives new logs.
47
+
48
+
- The Microsoft Sentinel AWS S3 connector polls the SQS queue at regular, frequent intervals. If there is a message in the queue, it will contain the path to the log files.
49
+
50
+
- The connector reads the message with the path, then fetches the files from the S3 bucket.
51
+
52
+
- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication.
53
+
38
54
## Connect the S3 connector
39
55
40
56
- In your AWS environment:
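Review bot: the moved paragraph's closing claim, "so there is in effect two-way authentication", overstates what a workspace ID provides, and since this hunk already relocates the text it is a good moment to tighten it. A workspace ID is an identifier, not a secret, so embedding it on the AWS side does not authenticate Sentinel to AWS; it scopes which workspace the role and policy are intended for. Suggest: "The Microsoft Sentinel workspace ID is also embedded in the AWS configuration, so that the AWS role is tied to a specific workspace." Minor: the image alt-text reads "Screenshot of A W S S 3 connector architecture", but the image is an architecture diagram rather than a screenshot, so "Diagram of the AWS S3 connector architecture" describes it more accurately.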
@@ -55,22 +71,6 @@ Each side's process produces information used by the other side. This sharing cr
55
71
56
72
We have made available, in our GitHub repository, a script that **automates the AWS side of this process**. See the instructions for [automatic setup](#automatic-setup) later in this document.
57
73
58
-
## Architecture overview
59
-
60
-
This graphic and the following text show how the parts of this connector solution interact.
61
-
62
-
:::image type="content" source="media/connect-aws/s3-connector-architecture.png" alt-text="Screenshot of A W S S 3 connector architecture.":::
63
-
64
-
- AWS services are configured to send their logs to S3 (Simple Storage Service) storage buckets.
65
-
66
-
- The S3 bucket sends notification messages to the SQS (Simple Queue Service) message queue whenever it receives new logs.
67
-
68
-
- The Microsoft Sentinel AWS S3 connector polls the SQS queue at regular, frequent intervals. If there is a message in the queue, it will contain the path to the log files.
69
-
70
-
- The connector reads the message with the path, then fetches the files from the S3 bucket.
71
-
72
-
- To connect to the SQS queue and the S3 bucket, Microsoft Sentinel uses AWS credentials and connection information embedded in the AWS S3 connector's configuration. The AWS credentials are configured with a role and a permissions policy giving them access to those resources. Similarly, the Microsoft Sentinel workspace ID is embedded in the AWS configuration, so there is in effect two-way authentication.
73
-
74
74
## Global prerequisites
75
75
76
76
- You must have write permission on your Microsoft Sentinel workspace.
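Review bot: cross-references should be confirmed after this removal. The 16 deleted lines are word for word the 16 added in the first hunk, and the heading text "## Architecture overview" is unchanged, so its generated anchor is stable and any existing links to it keep resolving. The surviving sentence "See the instructions for [automatic setup](#automatic-setup) later in this document" still points forward correctly, and the hunk leaves a single blank line between that paragraph and "## Global prerequisites", so no spacing fix is needed. Worth checking that nothing elsewhere in the file refers to the overview as appearing "below" or after the connection steps, since it now precedes them.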