Forum Discussion
rslakkappa
Aug 05, 2021 - Copper Contributor
Segregate AWS accounts in Azure Sentinel
Hi Team, I am new to Azure Sentinel and trying to explore Sentinel features. I have already registered a couple of AWS accounts in Sentinel and data has been ingesting from the time of connection. ...
rslakkappa
Aug 06, 2021 - Copper Contributor
Thank you for the inputs, m_zorich. With the help of the above article I am able to create a new parameter and display individual AWS account IDs in the drop-down button. Could you please help me with referencing the parameter value in the KQL? How should I pass the selected AWS account ID from the dropdown to the KQL query so that it will give me the statistics with respect to only the selected account ID? Could you please help me with the sample query and the procedure?
I have used the below query to display AWS account IDs in the dropdown parameter.
AWSCloudTrail
| distinct UserIdentityAccountId
Could you please help me with the next step? Thanks for your patience, please do not mind as I am very new to this.
m_zorich
Aug 06, 2021 - Iron Contributor
No problems at all, so if you have called your parameter AWSAccountID for example, then in your other queries you add
AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'
Then the rest of your query. Maybe try it out with a simple query like returning the count of the records to test it is changing as you would expect:
AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'
| count
rslakkappa
Aug 11, 2021 - Copper Contributor
Thank you so much m_zorich. It did solve my problem. Thank you for the quick response and guidance, appreciate it. 🙂
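Building on the parameter filter given in the answer above, the following query is an added example (not posted by anyone in this thread) of the per-account statistics the question asks for, suitable for a workbook grid tile. It assumes the dropdown parameter is named AWSAccountID as in the thread; the output column names (Events, Failed, Callers, SourceIps, LastSeen, FailedPct) are illustrative.

```kql
// Added example: activity summary for the AWS account chosen in the workbook dropdown.
// Assumption: a single-select dropdown parameter named AWSAccountID, populated by
//   AWSCloudTrail | distinct UserIdentityAccountId
AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'   // workbook substitutes the selected value
| summarize
    Events    = count(),                            // total API calls
    Failed    = countif(isnotempty(ErrorCode)),     // calls that returned an error
    Callers   = dcount(UserIdentityArn),            // distinct calling identities
    SourceIps = dcount(SourceIpAddress),            // distinct source addresses
    LastSeen  = max(TimeGenerated)
    by EventSource, EventName
| extend FailedPct = round(100.0 * Failed / Events, 1)
| order by Failed desc, Events desc

// Multi-select variant (assumption: "Allow multiple selections" is enabled on the
// parameter, with "Quote with" set to ' and "Delimiter" set to ,):
// AWSCloudTrail
// | where UserIdentityAccountId in ({AWSAccountID})
// | summarize Events = count(), Failed = countif(isnotempty(ErrorCode)) by UserIdentityAccountId
```

Rows with a high Failed count or FailedPct for one account are a quick place to start when looking for denied or misconfigured access in that account.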