Forum Discussion

SocInABox
Iron Contributor
Sep 25, 2023

How to get AWS CloudWatch alerts using the new Sentinel AWS connector

Hi there,

I'd like to collect AWS CloudWatch logs into Sentinel.

(I'm not much of an AWS user but I can get around.)

Here's what I'd like to do:

#1 - enable AWS CloudTrail and dump Management logs to an S3 bucket - done

#2 - configure an SQS queue so Sentinel can pull events from AWS - done

#3 - configure CloudWatch alerts to monitor specific events as recommended here:

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html

#4 - configure CloudWatch to send alerts to the SQS queue so Sentinel can get them.

I think I've done #1 to #3 but I don't know how to do #4.

(The Sentinel connector side is done - that was the easy part.)

Has anyone configured AWS CloudWatch to send alerts to Sentinel?

Your help is greatly appreciated.

Thanks.
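Steps #1 to #3 above produce CloudTrail JSON in S3 and CloudWatch alarms built on the Security Hub CloudWatch controls. The example below is added here and is not from the thread or from Microsoft/AWS; it applies the detection conditions behind several of those controls (root user activity, unauthorized API calls, console sign-in without MFA, CloudTrail configuration changes, console authentication failures) directly to CloudTrail records, so the same conditions can be validated against the log files step #1 already delivers, independent of how the alarm-to-SQS plumbing in step #4 ends up being wired. The metric-filter patterns quoted in the comments are transcribed from memory of the AWS documentation and should be checked against the linked page; the records are constructed, not real CloudTrail output.

```python
"""Evaluate Security Hub-style CloudWatch control conditions over CloudTrail records.

Added example (not from the forum thread). Patterns in comments are the AWS
metric-filter definitions as remembered; verify against the linked AWS docs.
"""
import fnmatch
from typing import Any, Callable, Dict, List, Optional, Tuple

CloudTrailRecord = Dict[str, Any]


def _get(record: CloudTrailRecord, path: str) -> Any:
    """Resolve a dotted path such as 'userIdentity.type'; None when absent."""
    node: Any = record
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def root_user_activity(r: CloudTrailRecord) -> bool:
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    return (
        _get(r, "userIdentity.type") == "Root"
        and _get(r, "userIdentity.invokedBy") is None
        and _get(r, "eventType") != "AwsServiceEvent"
    )


def unauthorized_api_call(r: CloudTrailRecord) -> bool:
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = _get(r, "errorCode") or ""
    return fnmatch.fnmatchcase(code, "*UnauthorizedOperation") or fnmatch.fnmatchcase(
        code, "AccessDenied*"
    )


def console_signin_without_mfa(r: CloudTrailRecord) -> bool:
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes")
    #   && ($.userIdentity.type = "IAMUser") && ($.responseElements.ConsoleLogin = "Success") }
    # The Success clause keeps failed logins from double-firing this and the failure control.
    return (
        _get(r, "eventName") == "ConsoleLogin"
        and _get(r, "additionalEventData.MFAUsed") != "Yes"
        and _get(r, "userIdentity.type") == "IAMUser"
        and _get(r, "responseElements.ConsoleLogin") == "Success"
    )


def cloudtrail_config_change(r: CloudTrailRecord) -> bool:
    # { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    #   || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
    return _get(r, "eventName") in {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
    }


def console_auth_failure(r: CloudTrailRecord) -> bool:
    # { ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }
    return _get(r, "eventName") == "ConsoleLogin" and _get(r, "errorMessage") == "Failed authentication"


CONTROLS: List[Tuple[str, Callable[[CloudTrailRecord], bool]]] = [
    ("root user activity", root_user_activity),
    ("unauthorized API call", unauthorized_api_call),
    ("console sign-in without MFA", console_signin_without_mfa),
    ("CloudTrail configuration change", cloudtrail_config_change),
    ("console authentication failure", console_auth_failure),
]


def evaluate(records: List[CloudTrailRecord]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (control, eventTime, eventName) for every record that trips a control."""
    hits = []
    for r in records:
        for name, predicate in CONTROLS:
            if predicate(r):
                hits.append((name, r.get("eventTime"), r.get("eventName")))
    return hits


# Constructed records in the shape of entries from a CloudTrail log file's "Records" array.
SAMPLE_RECORDS: List[CloudTrailRecord] = [
    {"eventTime": "2023-09-25T10:00:00Z", "eventType": "AwsApiCall", "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2023-09-25T10:01:00Z", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}, "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2023-09-25T10:02:00Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2023-09-25T10:03:00Z", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventTime": "2023-09-25T10:04:00Z", "eventType": "AwsApiCall", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},  # benign, no control fires
    {"eventTime": "2023-09-25T10:05:00Z", "eventType": "AwsServiceEvent", "eventName": "DeleteStack",
     "userIdentity": {"type": "Root", "invokedBy": "cloudformation.amazonaws.com"}},  # service event, excluded
    {"eventTime": "2023-09-25T10:06:00Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}, "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RECORDS):
        print(hit)
```

Running it on a real file means loading the gzipped CloudTrail object from the S3 bucket in step #1 and passing its `Records` list to `evaluate`; the same five conditions translate one-for-one into scheduled analytics rules over the CloudTrail table once the connector is ingesting, which also gives a way to confirm that only the events the controls care about are being paid for rather than the whole trail.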

    • SocInABox
      Iron Contributor

      Thanks Clive_Watson.
      Yes, I've read that procedure several times, but there's nothing in there about setting up the AWS site for CloudWatch.
      In fact, if you follow that procedure it's very easy to accidentally log EVERYTHING from AWS CloudTrail and cost yourself thousands of dollars per month.

  • Javaripa
    Brass Contributor
    I doubt anyone has done this already. Furthermore, the "Automatic setup" procedure is not working. It's really weird, though, that this connector is still in PREVIEW!
    • SocInABox
      Iron Contributor

      Yes Javaripa, I also mentioned that to Microsoft but with no reply.
      I don't mind the manual method; however, it should be written to work with the CloudWatch best-practices alerts, and there's nothing in the Microsoft docs for that.
