articles/sentinel/cloudwatch-lambda-function.md
6 additions & 6 deletions
@@ -6,25 +6,25 @@ ms.author: lwainstein
6
6
ms.service: microsoft-sentinel
7
7
ms.topic: how-to
8
8
ms.date: 02/09/2023
9
-
#Customer intent: As a security operator, I want to create a Lambda function to send CloudWatch events to S3 bucket so I can convert the format to the gzipped CSV without a header.
9
+
#Customer intent: As a security operator, I want to create a Lambda function to send CloudWatch events to S3 bucket so I can convert the format to the format accepted by Microsoft Sentinel.
10
10
---
11
11
12
12
# Create a Lambda function to send CloudWatch events to an S3 bucket
13
13
14
-
In this article, you use a [Lambda function](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLanbdaFunction.py) within the Amazon Web Services (AWS) environment to send [CloudWatch events to an S3 bucket](connect-aws.md), and convert the format to the gzipped CSV format without a header.
14
+
In some cases, your CloudWatch logs may not match the format accepted by Microsoft Sentinel - gzipped CSV format without a header. In this article, you use a [lambda function](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLanbdaFunction.py) within the Amazon Web Services (AWS) environment to send [CloudWatch events to an S3 bucket](connect-aws.md), and convert the format to the accepted format.
15
15
16
-
## Create the Lambda function
16
+
## Create the lambda function
17
17
18
-
The Lambda function uses Python 3.9 runtime and x86_64 architecture.
18
+
The lambda function uses Python 3.9 runtime and x86_64 architecture.
19
19
20
-
1. In the AWS Management Console, select the Lambda service.
20
+
1. In the AWS Management Console, select the lambda service.
21
21
1. Select **Create function**.
22
22
23
23
:::image type="content" source="media/cloudwatch-lambda-function/lambda-basic-information.png" alt-text="Screenshot of the AWS Management Console Basic information screen." lightbox="media/cloudwatch-lambda-function/lambda-basic-information.png":::
24
24
25
25
1. Type a name for the function and select **Python 3.9** as the runtime and **x86_64** as the architecture.
26
26
1. Select **Create function**.
27
-
1. Under **Layers**, select **Add layer** and select **Add**.
27
+
1. Under **Choose a layer**, select a layer and select **Add**.
28
28
29
29
:::image type="content" source="media/cloudwatch-lambda-function/lambda-add-layer.png" alt-text="Screenshot of the AWS Management Console Add layer screen." lightbox="media/cloudwatch-lambda-function/lambda-add-layer.png":::
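Review bot: the rewrite lowercases the product name in three places (the heading at new line 16 "Create the lambda function", the runtime sentence at new line 18, and the console step at new line 20 "select the lambda service") while the article title on line 12 and the AWS service name both keep "Lambda", so the file is now inconsistent with itself; keep "Lambda" in all three. The new layer step at line 27, "Under **Choose a layer**, select a layer and select **Add**", also drops the information a reader needs: the old text told them to click **Add layer**, and the new text says neither how to reach the dialog nor which layer this function requires, so name the layer that the Python 3.9 function depends on (or restore the **Add layer** click that opens the dialog). Since new line 14 is being rewritten anyway, confirm that the link target `CloudWatchLanbdaFunction.py` (spelled "Lanbda") matches the actual path in the Azure-Sentinel repository; a typo there would leave readers without the function the whole article depends on.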
articles/sentinel/connect-aws.md
12 additions & 3 deletions
@@ -7,8 +7,6 @@ ms.date: 12/12/2022
7
7
ms.author: yelevin
8
8
---
9
9
10
-
---
11
-
12
10
# Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
13
11
14
12
Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel. These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.
@@ -25,7 +23,18 @@ This connector is available in two versions: the legacy connector for CloudTrail
25
23
26
24
# [S3 connector (new)](#tab/s3)
27
25
28
-
This document explains how to configure the new AWS S3 connector. The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side.
26
+
This article explains how to configure the new AWS S3 connector. The process of setting it up has two parts: the AWS side and the Microsoft Sentinel side.
27
+
28
+
## Prerequisites
29
+
30
+
Make sure that the logs from your selected AWS service use the format accepted by Microsoft Sentinel:
31
+
32
+
-**Amazon VPC**: gzip csv with headers, delimiter: space
33
+
-**Amazon GuardDuty**: json-line and gzip
34
+
-**AWS CloudTrail**: gzip json
35
+
-**CloudWatch**: zipped CSV format without a header. If you need to convert your logs to this format, you can use this [CloudWatch lambda function](cloudwatch-lambda-function.md).
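Review bot: the four bullets at new lines 32 to 35 are written as `-**Amazon VPC**: ...` with no space between the hyphen and the bold text, so Markdown will not render them as a list and the Prerequisites section will read as one run-on line of literal hyphens; change them to `- **Amazon VPC**: ...`. The format descriptions are also inconsistent across the items ("gzip csv with headers", "json-line and gzip", "gzip json", "zipped CSV format without a header"), and the CloudWatch item says "zipped" while the companion change in cloudwatch-lambda-function.md in this same commit says "gzipped CSV format without a header"; gzip and zip are different containers, so the two articles should state the same one, and spelling the formats uniformly (for example "gzipped CSV, with header, space-delimited" / "gzipped JSON" / "gzipped JSON Lines" / "gzipped CSV, no header") would make the prerequisite checkable rather than ambiguous.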