Forum Discussion
rslakkappa
Aug 05, 2021 Copper Contributor
Segregate AWS accounts in Azure Sentinel
Hi Team, I am new to Azure Sentinel, trying to explore Sentinel features. I have already registered a couple of AWS accounts in Sentinel and data has been ingesting from the time of connection. ...
m_zorich
Aug 05, 2021 Iron Contributor
Yep you can do that, you will need to save a copy of the workbook and edit it to make some changes. The best way is to make a dynamic drop down parameter which includes all your AWS Account numbers - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#creating-a-dynamic-drop-down-parameter. If you write a Kusto query that returns all your AWS account numbers, it will then make that a drop down list for you.
Then you need to edit the queries in the workbook to reference that parameter so that when you select one particular account from your list, your queries will automatically update for you - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#in-kql
rslakkappa
Aug 06, 2021 Copper Contributor
Thank you for the inputs m_zorich. With the help of the above article I am able to create a new parameter and display individual AWS account IDs in the drop down button. Could you please help me with referencing the parameter value in the KQL? How should I pass the selected AWS account ID from the dropdown to the KQL query so that it will give me the statistics with respect to only the selected account ID? Could you please help me with the sample query and the procedure?
I have used the below query to display AWS account IDs in the dropdown parameter.
AWSCloudTrail
| distinct UserIdentityAccountId
Could you please help me with the next step? Thanks for your patience, please do not mind as I am very new to this.
m_zorich
Aug 06, 2021 Iron Contributor
No problems at all, so if you have called your parameter AWSAccountID for example, then in your other queries you add
AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'
Then the rest of your query, maybe try it out with a simple query like returning the count of the records to test it is changing as you would expect
AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'
| count
rslakkappa
Aug 11, 2021 Copper Contributor
Thank you so much m_zorich. It did solve my problem. Thank you for the quick response and guidance, appreciate it. 🙂
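Added example, not part of the original thread and not posted by either participant: the two workbook queries from the discussion carried one step further, so the drop-down shows event volume per account and a panel lists failed API calls for the selected account. It assumes a single-select parameter named AWSAccountID as in the thread; the 30-day and 7-day lookback windows and the output column names are choices made for this example.

```kusto
// Query 1: source for the AWSAccountID drop-down parameter.
// Workbooks read the first column as the parameter value and the
// second as the label shown in the list.
AWSCloudTrail
| where TimeGenerated > ago(30d)          // lookback is an assumption
| where isnotempty(UserIdentityAccountId)
| summarize Events = count() by UserIdentityAccountId
| project value = UserIdentityAccountId,
          label = strcat(UserIdentityAccountId, " (", tostring(Events), " events)")
| order by label asc

// Query 2: a separate workbook panel that consumes the parameter.
// '{AWSAccountID}' is replaced by the selected value before the query
// runs; the single quotes make it a KQL string literal.
// UserIdentityAccountId is the account of the calling identity, so
// cross-account calls appear under the caller's account, not the
// account that received the call (RecipientAccountId).
AWSCloudTrail
| where TimeGenerated > ago(7d)           // lookback is an assumption
| where UserIdentityAccountId == '{AWSAccountID}'
| where isnotempty(ErrorCode)             // keep only failed API calls
| summarize FailedCalls = count(),
            LastSeen = max(TimeGenerated)
          by EventSource, EventName, ErrorCode, UserIdentityArn
| order by FailedCalls desc
```

Each query goes in its own workbook step; they are shown in one block only for reading.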