Forum Discussion

rslakkappa
Copper Contributor
Aug 05, 2021

Segregate AWS accounts in Azure Sentinel

Hi Team,

I am new to Azure Sentinel and trying to explore Sentinel features. I have already registered a couple of AWS accounts in Sentinel, and data has been ingesting since the time of connection.

I wanted to understand whether it is possible to view the data/logs with respect to an individual AWS account in a Sentinel workbook. For example: if I go to the "AWS Network Activities" workbook in Sentinel, is it possible to view the statistics with respect to an individual account rather than for all the registered accounts? And also, is there a way to group/segregate AWS accounts in Sentinel so that we can have multiple groups with respect to the different environments and view only particular accounts' data?

Please help me out in understanding this.

Thanks in advance...!

  • m_zorich
    Iron Contributor
    Yep, you can do that. You will need to save a copy of the workbook and edit it to make some changes. The best way is to make a dynamic drop-down parameter which includes all your AWS account numbers - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#creating-a-dynamic-drop-down-parameter. If you write a Kusto query that returns all your AWS account numbers, it will then make that a drop-down list for you.

    Then you need to edit the queries in the workbook to reference that parameter, so that when you select one particular account from your list, your queries will automatically update for you - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#in-kql
    • rslakkappa
      Copper Contributor
      Thank you for the inputs, m_zorich. With the help of the above article I am able to create a new parameter and display individual AWS account IDs in the drop-down button. Could you please help me with referencing the parameter value in the KQL? How should I pass the selected AWS account ID from the dropdown to the KQL query so that it will give me the statistics with respect to only the selected account ID? Could you please help me with the sample query and the procedure?

      I have used the query below to display AWS account IDs in the dropdown parameter.

      AWSCloudTrail
      | distinct UserIdentityAccountId

      Could you please help me with the next step. Thanks for your patience; please do not mind, as I am very new to this.
      • m_zorich
        Iron Contributor
        Aug 06, 2021
        No problems at all. So if you have called your parameter AWSAccountID, for example, then in your other queries you add

        AWSCloudTrail
        | where UserIdentityAccountId == '{AWSAccountID}'

        Then the rest of your query. Maybe try it out with a simple query, like returning the count of the records, to test that it is changing as you would expect.

        AWSCloudTrail
        | where UserIdentityAccountId == '{AWSAccountID}'
        | count
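An added example (not m_zorich's or the thread's own query) that extends the answer above to the original question about grouping accounts by environment. It assumes the workbook drop-down parameter is named AWSAccountID and is configured for multiple selection with "Include in query", so that `{AWSAccountID}` expands to a quoted, comma-separated list; the account-to-environment lookup table and its account IDs are constructed placeholders.

```kql
// Constructed lookup table: map each AWS account ID to an environment.
// The IDs below are placeholders; replace them with your own accounts.
let AccountEnvironment = datatable(UserIdentityAccountId:string, Environment:string) [
    "111111111111", "prod",
    "222222222222", "dev",
    "333333333333", "test"
];
AWSCloudTrail
| where TimeGenerated > ago(7d)
// {AWSAccountID} is the workbook parameter; with multi-select enabled it
// expands to 'id1','id2',... so `in` works for one or many selected accounts.
| where UserIdentityAccountId in ({AWSAccountID})
// Attach the environment label; accounts missing from the table are kept
// and flagged as "unmapped" rather than silently dropped.
| lookup kind=leftouter AccountEnvironment on UserIdentityAccountId
| extend Environment = coalesce(Environment, "unmapped")
// Per-account, per-region activity summary for the workbook visual.
| summarize Events = count(),
            Failures = countif(isnotempty(ErrorCode)),
            ConsoleLogins = countif(EventName == "ConsoleLogin")
    by Environment, UserIdentityAccountId, AWSRegion
| order by Environment asc, Events desc
```

Grouping by Environment in the visual lets one workbook show a single account, a whole environment, or everything, depending on what is selected in the drop-down.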
