What is Azure Sentinel?
Azure Sentinel is a cloud based security solution introduce by security team of Azure. With sentinel it provides a capabilities of a SIEM (Security Information Event Management) run on cloud native way. It provides customers, intelligent security analytics and threat intelligence across the enterprise, using a single solution to provide alerting, take proactive action against detections, threat visibility and threat response.
What is AWS CloudTrail?
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
AWS CloudTrail Documentation
As a cloud service user, with a new trend most of the organizations are in the process of using Multi Cloud Environment. To manage security and auditing in all those cloud environment will be challenging tasks for administrators and security engineers. So we can use Azure Sentinel to use as the single place to measure all the security related analytics and detection. Azure Sentinel support numerous data connectors that we can leverage.
Connect your AWS CLoudTrail with Azure Sentinel
Before we start following prerequisites needed
Create AWS Role to allow access to AWS CloudTrail
In Azure Sentinel Select Data Connectors
Under Data Connectors Select Amazon Web Service
Click Open Connector page
At the instruction page, note down the Microsoft Account ID and External ID. We need it for AWS Role configuration in next step.
Login to AWS console under the Security, Identity & Compliance, click on IAM
Click Roles, Next Create Role
Under Select type of trust entity, Select Another AWS Account
Provide the Account ID and Extenal ID noted in the previous step.
Click Next and provide the permission needed for the role. Give AWSCloudTrailReadOnlyAccess
Next Provide a Role Name
At final step create the role. Note the Role ARN in the Role summery page.
Go back to to Azure Sentinel AWS Data Connector page and add the AWS Role ARN as below. After the ARN verified AWS connector will communicate with CloudTrail for log read.
After few hours we can notice the logs are pushed to Azure Sentinel
We can use log analytics queries to filter the data that relevant to our use case.
Additional Links