
Commit 4113da2

Author: yelevin
Commit message: Final draft?
1 parent 0b819e2 commit 4113da2

articles/sentinel/connect-aws.md

Lines changed: 8 additions & 4 deletions
@@ -11,7 +11,7 @@ ms.author: yelevin
1111

1212
Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel. These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.
1313

14-
This connector is available in two versions: the legacy connector for CloudTrail management and data logs, and the new version that can ingest logs from the following AWS services by pulling them from an S3 bucket:
14+
This connector is available in two versions: the legacy connector for CloudTrail management and data logs, and the new version that can ingest logs from the following AWS services by pulling them from an S3 bucket (links are to AWS documentation):
1515

1616
- [Amazon Virtual Private Cloud (VPC)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) - [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html)
1717
- [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) - [Findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html)
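Review bot: the new parenthetical "(links are to AWS documentation)" in line 14 uses different wording from the "(from AWS documentation)" label that this same change attaches to individual links in later hunks; pick one attribution form and use it throughout. Since each bullet in this list carries two links (the service overview and its log type), wording such as "(all links below go to AWS documentation)" would also make clear that the label covers both links in every item.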
@@ -94,7 +94,7 @@ The script takes the following actions:
9494

9595
- You must have PowerShell and the AWS CLI on your machine.
9696
- [Installation instructions for PowerShell](/powershell/scripting/install/installing-powershell)
97-
- [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
97+
- [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) (from AWS documentation)
9898

9999
### Instructions
100100

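Review bot: the link in line 97 now carries "(from AWS documentation)", but its URL is the version-specific install-cliv2.html page while the prerequisite bullet above it only says "the AWS CLI". If the setup script depends on AWS CLI version 2, say so in the bullet itself (for example "You must have PowerShell and the AWS CLI version 2 on your machine") rather than leaving readers to infer the version from the URL.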
@@ -111,7 +111,7 @@ To run the script to set up the connector, use the following steps:
111111

112112
1. Follow the on-screen instructions to download and extract the [AWS S3 Setup Script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip?raw=true) (link downloads a zip file containing the main setup script and helper scripts) from the connector page.
113113

114-
1. Before running the script, run the `aws configure` command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) for details.
114+
1. Before running the script, run the `aws configure` command from your PowerShell command line, and enter the relevant information as prompted. See [AWS Command Line Interface | Configuration basics](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) (from AWS documentation) for details.
115115

116116
1. Now run the script. Copy the command from the connector page (under "Run script to set up the environment") and paste it in your command line.
117117

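Review bot: the `aws configure` step in line 114 still does not say which AWS identity the prompted credentials should belong to or what permissions that identity needs, even though the hunk header ("The script takes the following actions") indicates the script makes changes in the reader's AWS account. Add a sentence naming the minimum permissions the script requires, and note that `aws configure` writes the entered access key and secret to the local AWS credentials file, so the key used for setup should be scoped to that task and removed or rotated once the connector is configured.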
@@ -212,7 +212,10 @@ See Amazon Web Services documentation (linked below) for the instructions for se
212212
- [Export your GuardDuty findings to an S3 bucket](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html).
213213

214214
> [!NOTE]
215-
> The *TimeGenerated* field is populated with the finding's *Update at* value.
215+
>
216+
> - In AWS, findings are exported by default every 6 hours. Adjust the export frequency for updated Active findings based on your environment requirements. To expedite the process, you can modify the default setting to export findings every 15 minutes. See [Setting the frequency for exporting updated active findings](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html#guardduty_exportfindings-frequency).
217+
>
218+
> - The *TimeGenerated* field is populated with the finding's *Update at* value.
216219
217220
- AWS CloudTrail trails are stored in S3 buckets by default.
218221
- [Create a trail for a single account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html).
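Review bot: the first new bullet in line 216 says "findings are exported by default every 6 hours", while its second sentence and the linked page title refer specifically to "updated active findings"; reword the first sentence so the 6-hour default is clearly the interval for updates to active findings, otherwise readers may conclude that new findings also wait up to 6 hours. "To expedite the process" is vague: say what is sped up (ingestion of finding updates into Microsoft Sentinel). Two smaller points: "Active" is capitalized mid-sentence, and the second bullet's "*Update at*" field name should be checked against GuardDuty's finding schema, whose field is UpdatedAt.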
@@ -238,6 +241,7 @@ Learn how to [troubleshoot Amazon Web Services S3 connector issues](aws-s3-troub
238241

239242
> [!NOTE]
240243
> AWS CloudTrail has [built-in limitations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/WhatIsCloudTrail-Limits.html) in its LookupEvents API. It allows no more than two transactions per second (TPS) per account, and each query can return a maximum of 50 records. Consequently, if a single tenant constantly generates more than 100 records per second in one region, backlogs and delays in data ingestion will result.
244+
>
241245
> Currently, you can only connect your AWS Commercial CloudTrail to Microsoft Sentinel and not AWS GovCloud CloudTrail.
242246
243247
## Prerequisites
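Review bot: the added ">" line correctly separates the two paragraphs of the note, but the first paragraph describes limits of the CloudTrail LookupEvents API, which this document's introduction ties to the legacy CloudTrail connector rather than to the S3-based version, while this note sits under the S3 connector troubleshooting link. State which connector version the two-TPS and 50-record limits apply to, so readers of the S3 path do not apply the 100-records-per-second figure to S3 bucket ingestion.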
