Ingest and analyze AWS security logs in Microsoft Sentinel - AWS Prescriptive Guidance

Ingest and analyze AWS security logs in Microsoft Sentinel

Created by Ivan Girardi (AWS) and Sebastian Wenzel (AWS)

Summary

This pattern describes how to automate the ingestion of AWS security logs, such as AWS CloudTrail logs, Amazon CloudWatch Logs data, Amazon VPC Flow Logs data, and Amazon GuardDuty findings, into Microsoft Sentinel. If your organization uses Microsoft Sentinel as a security information and event management (SIEM) system, this helps you centrally monitor and analyze logs in order to detect security-related events. As soon as the logs are available, they are automatically delivered to an Amazon Simple Storage Service (Amazon S3) bucket in less than 5 minutes. This can help you quickly detect security events in your AWS environment.

Microsoft Sentinel ingests CloudTrail logs in a tabular format that includes the original timestamp for when the event was recorded. The structure of the ingested logs enables query capabilities by using Kusto Query Language in Microsoft Sentinel.

The pattern deploys a monitoring and alerting solution that detects ingestion failures in less than 1 minute. It also includes a notification system that the external SIEM can monitor. You use AWS CloudFormation to deploy the required resources in the logging account.

Target audience

This pattern is recommended for users who have experience with AWS Control Tower, AWS Organizations, CloudFormation, AWS Identity and Access Management (IAM), and AWS Key Management Service (AWS KMS).

Prerequisites and limitations

Prerequisites

The following are the prerequisites for deploying this solution:

  • Active AWS accounts that are managed as an organization in AWS Organizations and are part of an AWS Control Tower landing zone. The organization should include a dedicated account for logging. For instructions, see Creating and configuring an organization in the AWS Organizations documentation.

  • A CloudTrail trail that logs events for the entire organization and stores logs in an Amazon S3 bucket in the logging account. For instructions, see Creating a trail for an organization.

  • In the logging account, permissions to assume an existing IAM role that has the following permissions:

    • Deploy the resources defined in the provided CloudFormation template.

    • Deploy the provided CloudFormation template.

    • Modify the AWS KMS key policy if the logs are encrypted with a customer managed key.

  • AWS Command Line Interface (AWS CLI), installed and configured.

  • A Microsoft Azure account with a subscription to use Microsoft Sentinel.

  • Enable and set up Microsoft Sentinel. For instructions, see Enable Microsoft Sentinel and initial features and content in the Microsoft Sentinel documentation.

  • Meet the prerequisites for setting up the Microsoft Sentinel S3 connector.

Limitations

  • This solution forwards the security logs from an Amazon S3 bucket in the logging account to Microsoft Sentinel. Instructions for how to send the logs to Amazon S3 are not explicitly provided.

  • This pattern provides instructions for deployment in an AWS Control Tower landing zone. However, use of AWS Control Tower is not required.

  • This solution is compatible with an environment where the Amazon S3 logging bucket is restricted with service control policies (SCPs), such as Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive.

  • This pattern provides instructions for forwarding CloudTrail logs, but you can adapt this solution to send other logs that Microsoft Sentinel supports, such as logs from CloudWatch Logs, Amazon VPC Flow Logs, and GuardDuty.

  • The instructions use the AWS CLI to deploy the CloudFormation template, but you could also use the AWS Management Console. For instructions, see Using the AWS CloudFormation console. If you use the console to deploy the stack, deploy the stack in the same AWS Region as the logging bucket.

  • This solution deploys an Amazon Simple Queue Service (Amazon SQS) queue to deliver Amazon S3 notifications. The queue contains messages with the paths of objects uploaded in the Amazon S3 bucket, not actual data. The queue uses SSE-SQS encryption to help protect the content of the messages. If you want to encrypt the SQS queue with SSE-KMS, you can use a customer managed KMS key. For more information, see Encryption at rest in Amazon SQS.

Architecture

This section provides a high-level overview of the architecture that the sample code establishes. The following diagram shows the resources deployed in the logging account in order to ingest logs from an existing Amazon S3 bucket into Microsoft Sentinel.

Diagram: Microsoft Sentinel using an Amazon SQS queue to ingest logs from an Amazon S3 bucket

The architecture diagram shows the following resource interactions:

  1. In the logging account, Microsoft Sentinel assumes an IAM role through OpenID Connect (OIDC) to access logs in a specific Amazon S3 bucket and Amazon SQS queue.

  2. Amazon Simple Notification Service (Amazon SNS) and Amazon S3 use AWS KMS for encryption.

  3. Amazon S3 sends notification messages to the Amazon SQS queue whenever it receives new logs.

  4. Microsoft Sentinel checks Amazon SQS for new messages. The Amazon SQS queue uses SSE-SQS encryption. The message retention period is set to 14 days.

  5. Microsoft Sentinel pulls messages from the Amazon SQS queue. The messages contain the path of the uploaded Amazon S3 objects. Microsoft Sentinel ingests those objects from the Amazon S3 bucket into the Microsoft Azure account.

  6. A CloudWatch alarm monitors the Amazon SQS queue. If messages are not received and deleted from the Amazon SQS queue within 5 minutes, then it initiates an Amazon SNS notification that sends an email.
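The messages that Microsoft Sentinel pulls from the queue in steps 3 to 5 follow the Amazon S3 event notification format. The following is an added example (not code from the pattern's repository) that parses one message body and keeps only the organization CloudTrail log objects, skipping the s3:TestEvent message that S3 sends when notifications are first configured; the organization ID, account ID, bucket and file names are constructed placeholders.

```python
# Added example (not from the pattern's repository): parse the S3 event notification
# messages that land in the SQS queue and keep only organization CloudTrail log objects.
import json
from urllib.parse import unquote_plus


def cloudtrail_keys_from_message(body: str, org_id: str) -> list:
    """Return the CloudTrail log object keys announced by one SQS message body.

    S3 sends an s3:TestEvent message when notifications are configured; it has no
    Records and must be skipped rather than treated as a malformed record.
    """
    msg = json.loads(body)
    if msg.get("Event") == "s3:TestEvent":
        return []
    prefix = f"{org_id}/AWSLogs/{org_id}/"
    keys = []
    for rec in msg.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        # Object keys in notifications are URL-encoded (for example, spaces become '+').
        key = unquote_plus(rec["s3"]["object"]["key"])
        # Keep log files only: skip the CloudTrail-Digest objects under the same prefix.
        if key.startswith(prefix) and "/CloudTrail/" in key and key.endswith(".json.gz"):
            keys.append(key)
    return keys


# Constructed sample messages; the org ID, account ID, bucket and file names are placeholders.
ORG_ID = "o-exampleorgid"
TEST_EVENT = json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent",
                         "Bucket": "aws-controltower-logs-111122223333-us-east-1"})
PUT_EVENT = json.dumps({"Records": [
    {"eventName": "ObjectCreated:Put", "s3": {"object": {"key":
        f"{ORG_ID}/AWSLogs/{ORG_ID}/111122223333/CloudTrail/us-east-1/2024/01/31/"
        "111122223333_CloudTrail_us-east-1_20240131T0000Z_EXAMPLE.json.gz"}}},
    {"eventName": "ObjectCreated:Put", "s3": {"object": {"key":
        f"{ORG_ID}/AWSLogs/{ORG_ID}/111122223333/CloudTrail-Digest/us-east-1/2024/01/31/"
        "111122223333_CloudTrail-Digest_us-east-1_20240131T000000Z_EXAMPLE.json.gz"}}},
    {"eventName": "ObjectRemoved:Delete", "s3": {"object": {"key": "unrelated/file.txt"}}},
]})

if __name__ == "__main__":
    for body in (TEST_EVENT, PUT_EVENT):
        print(cloudtrail_keys_from_message(body, ORG_ID))
```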

AWS Control Tower helps you set up the foundational organization unit (OU) structure and centralizes CloudTrail logs in the logging account. It also implements mandatory SCPs to protect the logging bucket.

We have provided the target architecture in an AWS Control Tower landing zone, but this is not strictly required. In this diagram, the resources in the management account reflect an AWS Control Tower deployment and a CloudTrail trail that logs events for the entire organization.

This pattern focuses on the deployment of resources in the logging account. If the logs stored in Amazon S3 in your AWS Control Tower landing zone are encrypted with a customer managed KMS key, then you must update the key policy to allow Microsoft Sentinel to decrypt the logs. In an AWS Control Tower landing zone, you manage the key policy from the management account, which is where the key was created.

Tools

AWS services

  • AWS CloudFormation helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions.

  • Amazon CloudWatch helps you monitor the metrics of your AWS resources and the applications you run on AWS in real time.

  • AWS Control Tower helps you set up and govern an AWS multi-account environment, following best practices.

  • AWS Key Management Service (AWS KMS) helps you create and control cryptographic keys to help protect your data.

  • AWS Organizations is an account management service that helps you consolidate multiple AWS accounts into an organization that you create and centrally manage.

  • Amazon Simple Queue Service (Amazon SQS) provides a secure, durable, and available hosted queue that helps you integrate and decouple distributed software systems and components.

  • Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

Other tools

  • Microsoft Sentinel is a cloud-native SIEM system that provides security orchestration, automation, and response (SOAR).

Code repository

The code for this pattern is available in the GitHub Ingest and analyze AWS security logs in Microsoft Sentinel repository.

Best practices

Epics

Task | Description | Skills required

Prepare the Microsoft Sentinel S3 connector.

  1. In Microsoft Sentinel, choose Data connectors.

  2. From the data connectors gallery, choose Amazon Web Services S3.

    Note

    If you don't see the connector, install the Amazon Web Services solution from the Content Hub in Microsoft Sentinel.

  3. In the details pane for the connector, choose Open connector page.

  4. In the Configuration section, copy the External ID. You need this ID later.

DevOps engineer, General AWS
Task | Description | Skills required

Clone the repository.

In a bash shell, enter the following command. This clones the Ingest and analyze AWS Security Logs in Microsoft Sentinel repository.

git clone https://github.com/aws-samples/ingest-and-analyze-aws-security-logs-in-microsoft-sentinel.git

DevOps engineer, General AWS

Assume the IAM role in the logging account.

In the logging account, assume the IAM role that has permissions to deploy the CloudFormation stack. For more information about assuming an IAM role in the AWS CLI, see Use an IAM role in the AWS CLI.

DevOps engineer, General AWS

Deploy the stack.

To deploy the CloudFormation stack, enter the following command, where:

  • <Bucket name> is the name of the logging Amazon S3 bucket.

  • <Sentinel external ID> is the external ID of the Amazon S3 connector in Microsoft Sentinel.

  • <Email address> is a valid email address where you want to receive notifications.

  • <Customer managed key ARN> is the Amazon Resource Name (ARN) of the customer managed KMS key. Provide this parameter only if the logs are encrypted with a customer managed KMS key.

  • <Suffix> is an optional parameter to avoid resource name conflicts.

  • <ARN for the OIDC provider> is the ARN of the OIDC provider if it already exists. If you do not provide this parameter, CloudFormation creates the OIDC provider.

    Important

    If the AWS organization is monitored with Microsoft Code Defender, the OIDC provider for Microsoft has already been deployed. You must provide this parameter with the ARN of the existing provider.

aws cloudformation deploy --stack-name cloudtrail-sentinel-integration \
    --no-fail-on-empty-changeset \
    --template-file template.yml \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
    --parameter-overrides \
        ControlTowerS3BucketName="<Bucket name>" \
        AzureWorkspaceID="<Sentinel external ID>" \
        EmailAddress="<Email address>" \
        KMSKeyArn="<Customer managed key ARN>" \
        Suffix="<Suffix to avoid name conflicts>" \
        OIDCProviderArn="<ARN for the OIDC provider>"
DevOps engineer, General AWS

Copy outputs.

From the output of the CloudFormation stack, copy the values for SentinelRoleArn and SentinelSQS. You use these values later to complete the configuration in Microsoft Sentinel.

DevOps engineer, General AWS

Modify the key policy.

If you aren't using a customer managed KMS key to encrypt the logs in the Amazon S3 bucket, you can skip this step.

If the logs are encrypted with a customer managed KMS key, modify the key policy to grant Microsoft Sentinel permission to decrypt the logs. The following is an example key policy. This example policy allows cross-account access if the KMS key is in another AWS account.

{
    "Version": "2012-10-17",
    "Id": "key-policy",
    "Statement": [
        ...
        {
            "Sid": "Grant access to decrypt",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<SentinelRoleArn>"
            },
            "Action": "kms:Decrypt",
            "Resource": "<KeyArn>"
        }
    ]
}
DevOps engineer, General AWS
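The following Python function is an added example (not part of the pattern's repository) that merges the decrypt statement above into an existing key policy without discarding its other statements and without adding the same Sid twice, which AWS KMS rejects. The role ARN, key ARN and account IDs are constructed placeholders.

```python
# Added example (not from the pattern's repository): merge the decrypt grant into an
# existing key policy without clobbering other statements. ARNs are constructed placeholders.
import copy

DECRYPT_SID = "Grant access to decrypt"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_decrypt_grant(policy: dict, role_arn: str, key_arn: str) -> bool:
    """True if an Allow statement already lets role_arn call kms:Decrypt on key_arn."""
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if (st.get("Effect") == "Allow" and role_arn in principals
                and any(a in ("kms:Decrypt", "kms:*", "*") for a in _as_list(st.get("Action", [])))
                and any(r in (key_arn, "*") for r in _as_list(st.get("Resource", [])))):
            return True
    return False


def grant_sentinel_decrypt(policy: dict, role_arn: str, key_arn: str) -> dict:
    """Return a copy of the policy with the guide's decrypt statement appended (no-op if granted)."""
    policy = copy.deepcopy(policy)
    statements = policy.setdefault("Statement", [])
    if has_decrypt_grant(policy, role_arn, key_arn):
        return policy
    # Sids must be unique within a key policy, so never append a second copy of this Sid.
    if any(st.get("Sid") == DECRYPT_SID for st in statements):
        raise ValueError(f"{DECRYPT_SID!r} exists but does not grant {role_arn}")
    statements.append({"Sid": DECRYPT_SID, "Effect": "Allow",
                       "Principal": {"AWS": role_arn},
                       "Action": "kms:Decrypt", "Resource": key_arn})
    return policy


# Constructed sample: the default root statement that every key policy keeps.
SAMPLE_POLICY = {"Version": "2012-10-17", "Id": "key-policy", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
SENTINEL_ROLE = "arn:aws:iam::444455556666:role/sentinel-role-EXAMPLE"  # placeholder
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

if __name__ == "__main__":
    import json
    merged = grant_sentinel_decrypt(SAMPLE_POLICY, SENTINEL_ROLE, KEY_ARN)
    print(json.dumps(merged, indent=2))  # ready to pass to `aws kms put-key-policy`
```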
Task | Description | Skills required

Complete the configuration in Microsoft Sentinel.

  1. In Microsoft Sentinel, choose Data connectors.

  2. From the data connectors gallery, choose Amazon Web Services S3.

  3. In the details pane for the connector, choose Open connector page.

  4. In the Configuration section, do the following:

    1. In Role to add, enter the SentinelRoleArn value that you copied.

    2. In SQS URL, enter the SentinelSQS value that you copied.

    3. In the Destination table list, choose AWSCloudTrail.

  5. Choose Add connection.

DevOps engineer

Send Amazon S3 event notifications to Amazon SQS.

Follow the instructions in Enabling and configuring event notifications using the Amazon S3 console to configure the Amazon S3 logging bucket to send event notifications to the Amazon SQS queue. If CloudTrail has been configured for the whole organization, logs in this bucket have the prefix <OrgID>/AWSLogs/<OrgID>/, where <OrgID> is the organization ID. For more information, see Viewing details about your organization.

DevOps engineer, General AWS

Confirm that the logs are ingested.

  1. Wait until the logs are ingested in Microsoft Sentinel. This can take several minutes.

  2. In Microsoft Sentinel, open the Amazon S3 Data Connector page, and then do the following:

    • Confirm that the Amazon S3 Data Connector status is Connected.

    • Check the data volume in the Data received graph.

    For more information about inspecting the data connector activity, see Data connector in the Microsoft documentation.

DevOps engineer
Task | Description | Skills required

Compare CloudWatch and Sentinel logs.

In the default configuration of AWS Control Tower, CloudTrail logs are sent to Amazon CloudWatch and stored in the AWS Control Tower management account. For more information, see Logging and monitoring in AWS Control Tower. Use the following steps to confirm that the logs are automatically ingested into Microsoft Sentinel:

  1. Open the CloudWatch console.

  2. In the navigation pane, choose Logs, and then choose Logs Insights.

  3. For Select log group(s), select the log group where the CloudTrail logs are stored, such as aws-controltower/CloudTrailLogs.

  4. In the query editor box, enter fields eventID.

  5. Choose Run query.

  6. Choose Export results, and then choose Copy table to clipboard (CSV).

  7. Paste the results to a text editor.

  8. Change the format of the output so that it can be used in a Microsoft Sentinel query. The following is an example that uses the Kusto Query Language:

    AWSCloudTrail
    | where AwsEventId in (
        'aa08b5fe-3bfb-391a-a14e-5fcebe14dab2',
        '9decd805-269c-451c-b75b-762f5dce59f9'
    )
  9. In Microsoft Sentinel, open the Amazon S3 Data Connector page. Next to the Data received graph, choose Go to log analytics.

  10. In the query editor box, enter the query, and then choose Run.

  11. In Microsoft Sentinel and CloudWatch, verify that the number of entries is the same. Adapt the time range if needed.

DevOps engineer, General AWS
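To automate step 8, the following added script (not code from the pattern's repository) converts the Logs Insights CSV export into the Kusto query and rejects any value that does not look like a CloudTrail event ID, so a malformed export cannot produce a broken or unexpected Sentinel query. The sample export is constructed from the two IDs in the example query above.

```python
# Added example (not from the pattern's repository): turn a CloudWatch Logs Insights CSV
# export of CloudTrail eventID values into the Sentinel query used to compare entry counts.
import csv
import io
import re

# CloudTrail eventID values are UUIDs; anything else in the export is an error, not query text.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def event_ids_from_csv(csv_text: str, column: str = "eventID") -> list:
    """Return the eventID column of a 'Copy table to clipboard (CSV)' export, in order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export")
    ids = []
    for row in reader:
        value = (row[column] or "").strip()
        if not UUID_RE.match(value):
            raise ValueError(f"unexpected eventID value: {value!r}")
        ids.append(value)
    return ids


def kql_in_query(ids, table: str = "AWSCloudTrail", column: str = "AwsEventId") -> str:
    """Build the 'where <column> in (...)' query from the guide for the exported IDs."""
    if not ids:
        raise ValueError("no event IDs to query")
    quoted = ",\n    ".join(f"'{i}'" for i in ids)
    return f"{table}\n| where {column} in (\n    {quoted}\n)"


# Constructed sample export; the two IDs are the ones in the guide's example query.
SAMPLE_EXPORT = """eventID
aa08b5fe-3bfb-391a-a14e-5fcebe14dab2
9decd805-269c-451c-b75b-762f5dce59f9
"""

if __name__ == "__main__":
    ids = event_ids_from_csv(SAMPLE_EXPORT)
    print(f"{len(ids)} events exported from CloudWatch; expect the same count in Sentinel")
    print(kql_in_query(ids))
```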

Related resources

AWS documentation and resources

Microsoft documentation