Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

question on installation for AWS S3 connector #7562

Closed frankscalzo closed 1 year ago

frankscalzo commented 1 year ago

I am using AWS Control Tower but want to also integrate into Sentinel, since this is our SIEM.

Is there anything special I should do, since all logs already go to a central bucket for the multi-account setup?

It's asking for bucket names (S3 bucket name, KMS key name, etc.).

I was trying to use the script; I am thinking manual would be better since it's set up with Control Tower, basically.

github-actions[bot] commented 1 year ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

frankscalzo commented 1 year ago

Two other things:

1) If I want to look at GuardDuty, VPC, etc., do I need to add them to the connector?
2) It looks like it's only looking at the S3 bucket, but only one of the folders for a specific account, not all the individual accounts.

v-vdixit commented 1 year ago

Hi @frankscalzo, I have a list of steps that can be used in relation to your issue, please go through the following:

1) Create an S3 bucket to store your CloudTrail logs if you haven't already done so. You can create this bucket manually or use an existing bucket that you have access to.
2) Create a KMS key to encrypt the CloudTrail logs if you haven't already done so. You can create this key manually or use an existing key that you have access to.
3) Configure CloudTrail to send logs to the S3 bucket you created in step 1. You can do this through the AWS Management Console or with the AWS CLI. You will need to specify the bucket name and KMS key name in the CloudTrail configuration.
4) Configure Sentinel to read CloudTrail logs from the S3 bucket. You will need to specify the bucket name and optionally the KMS key name if you encrypted the logs.

Once you have completed these steps, Sentinel should be able to read the CloudTrail logs from the S3 bucket and you should be able to monitor your AWS Control Tower environment.

Also, to answer your other question: yes, to monitor AWS GuardDuty or VPC flow logs with Sentinel, you will need to add those services to the connector configuration. You can do this by editing the connector configuration file to include the necessary AWS service types, regions, and resources that you want to monitor.

By default, Sentinel will read CloudTrail logs from all the accounts that are associated with the Control Tower landing zone. However, it will only look for logs in the specific S3 bucket and folder that you specify in the connector configuration. If you want to monitor all the individual accounts in your organization, you will need to configure the connector to read CloudTrail logs from each account's S3 bucket and folder. You can do this by adding each account's S3 bucket and folder to the connector configuration using the sources field.

I hope this helps in resolving your query, if there is something else please let me know, thanks!
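As an added illustration (not code from this thread or from the Sentinel repo): the S3 connector is fed by S3 event notifications arriving on an SQS queue, so one way to check the "only one account's folder" symptom raised above is to parse those notifications and count which accounts' CloudTrail folders actually produced objects. The script below does that over notifications constructed inline; the bucket name, organization id and account ids are placeholders, and it assumes the standard organization-trail key layout `AWSLogs/<org-id>/<account-id>/CloudTrail/<region>/...`.

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed layout of keys written by an organization trail (the org-id segment is
# absent for a single-account trail); digest files live under CloudTrail-Digest/
# and are deliberately not matched, since they carry no events.
CLOUDTRAIL_KEY = re.compile(
    r"AWSLogs/(?:(?P<org>o-[a-z0-9]+)/)?(?P<account>\d{12})/CloudTrail/(?P<region>[a-z0-9-]+)/"
)


def parse_s3_event(body):
    """Yield (bucket, key) for every record in one S3 event notification body."""
    event = json.loads(body)
    for record in event.get("Records", []):
        s3 = record.get("s3", {})
        bucket = s3.get("bucket", {}).get("name")
        key = s3.get("object", {}).get("key")
        if bucket and key:
            yield bucket, unquote_plus(key)  # S3 URL-encodes keys in notifications


def accounts_seen(bodies, expected_prefix=""):
    """Return ({account_id: object_count}, [(bucket, key) not under expected_prefix or not CloudTrail])."""
    counts, outside = defaultdict(int), []
    for body in bodies:
        for bucket, key in parse_s3_event(body):
            m = CLOUDTRAIL_KEY.search(key) if key.startswith(expected_prefix) else None
            if m:
                counts[m.group("account")] += 1
            else:
                outside.append((bucket, key))
    return dict(counts), outside


def missing_accounts(expected_accounts, bodies, expected_prefix=""):
    """Accounts from the landing zone that produced no CloudTrail objects in the sampled notifications."""
    counts, _ = accounts_seen(bodies, expected_prefix)
    return sorted(set(expected_accounts) - set(counts))


def _notification(bucket, key):
    # Constructed S3 event notification with the shape the connector's SQS queue receives.
    return json.dumps({"Records": [{"eventName": "ObjectCreated:Put",
                                    "s3": {"bucket": {"name": bucket}, "object": {"key": key}}}]})


BUCKET = "aws-controltower-logs-example"  # placeholder bucket name
SAMPLE_BODIES = [  # constructed sample: two accounts logging, one digest file
    _notification(BUCKET, "AWSLogs/o-exampleorg1/111111111111/CloudTrail/us-east-1/2023/05/01/a.json.gz"),
    _notification(BUCKET, "AWSLogs/o-exampleorg1/222222222222/CloudTrail/us-east-1/2023/05/01/b.json.gz"),
    _notification(BUCKET, "AWSLogs/o-exampleorg1/111111111111/CloudTrail/eu-west-1/2023/05/01/c.json.gz"),
    _notification(BUCKET, "AWSLogs/o-exampleorg1/111111111111/CloudTrail-Digest/us-east-1/2023/05/01/d.json.gz"),
]
```

Run against bodies pulled from the real queue (for example with `ReceiveMessage` without deleting), an account that never appears points at a bucket prefix or event-notification filter that excludes its folder rather than at Sentinel itself.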

v-vdixit commented 1 year ago

Hi @frankscalzo are you still facing this issue?

v-vdixit commented 1 year ago

Hi @frankscalzo please provide update on this, thanks!

v-vdixit commented 1 year ago

Hi @frankscalzo please provide update on this, thanks!

v-vdixit commented 1 year ago

Hi @frankscalzo, Since we have not received a response in the last 5 days, we are closing your issue #7562 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.

darrenhorwitz1 commented 1 year ago

@v-vdixit Hello, can we reopen this issue please? I am experiencing a similar issue with ingesting GuardDuty findings from a GuardDuty bucket (aggregated findings due to AWS Orgs, etc.). We have noticed that our SQS queue messages are being received and deleted, but the log data has not been received in Sentinel.

Also, how do you find the "connector configuration file"? We could not find it in the portal.