Unifying AWS and Azure Security Operations with Microsoft Sentinel
The Multi-Cloud Reality
Most modern enterprises operate in multi-cloud environments using Azure for core workloads and AWS for development, storage, or DevOps automation.
While this approach increases agility, it also expands the attack surface.
Each platform generates its own telemetry:
- Azure: Activity Logs, Defender for Cloud, Entra ID sign-ins, Sentinel analytics
- AWS: CloudTrail, GuardDuty, Config, and CloudWatch
Without a unified view, security teams struggle to detect cross-cloud threats promptly.
That’s where Microsoft Sentinel comes in, bridging Azure and AWS into a single, intelligent Security Operations Center (SOC).
Architecture Overview
Connect AWS Logs to Sentinel
AWS CloudTrail via S3 Connector
- Enable the AWS CloudTrail connector in Sentinel.
- Provide your S3 bucket and IAM role ARN with read access.
- Sentinel will automatically normalize logs into the AWSCloudTrail table.
AWS GuardDuty Connector
- Use the AWS GuardDuty API integration for threat detection telemetry.
- Detected threats, such as privilege escalation or reconnaissance, appear in Sentinel as the AWSGuardDuty table.
Normalize and Enrich Data
Once logs are flowing, enrich them to align with Azure activity data.
Example KQL for mapping CloudTrail to Sentinel entities (the AWSCloudTrail table already exposes the caller name as UserIdentityUserName, and Resources is a JSON array string):
AWSCloudTrail
| extend AccountId = tostring(parse_json(Resources)[0].accountId)   // account that owns the first resource the call touched
| extend User = UserIdentityUserName                                  // IAM user name or role session name
| extend IPAddress = tostring(SourceIpAddress)                         // caller IP, used for IP entity mapping
| project TimeGenerated, EventName, User, AccountId, IPAddress, AWSRegion
Then correlate AWS and Azure activities, joining on both the user and the hourly time bin so that only activity in the same hour is matched:
let AWS = AWSCloudTrail
    | summarize AWSActivity = count() by User = UserIdentityUserName, bin(TimeGenerated, 1h);
let Azure = AzureActivity
    | summarize AzureActivity = count() by Caller, bin(TimeGenerated, 1h);   // Caller is a UPN; IAM user names must follow the UPN (or be mapped via a watchlist) for the join to hit
AWS
| join kind=inner (Azure) on $left.User == $right.Caller, $left.TimeGenerated == $right.TimeGenerated
| where AWSActivity > 0 and AzureActivity > 0
| project TimeGenerated, User, AWSActivity, AzureActivity
Automate Cross-Cloud Response
Once incidents are correlated, Microsoft Sentinel Playbooks (Logic Apps) can automate your response:
Example Playbook: “CrossCloud-Containment.json”
- Disable user in Entra ID
- Send a command to the AWS API via Lambda to deactivate IAM key
- Notify SOC in Teams
- Create ServiceNow ticket
The two containment calls the playbook issues. The AWS step is the IAM UpdateAccessKey action; it needs a SigV4-signed request, which is why it is made from the Lambda (with the SDK) rather than directly from the Logic App:
POST https://iam.amazonaws.com/
Action=UpdateAccessKey&UserName={iam-user}&AccessKeyId={access-key-id}&Status=Inactive&Version=2010-05-08
The Entra ID step is a Graph call made with the Logic App's managed identity (it needs the User.EnableDisableAccount.All or User.ReadWrite.All application permission):
PATCH https://graph.microsoft.com/v1.0/users/{user-id}
Content-Type: application/json
{
  "accountEnabled": false
}
Build a Multi-Cloud SOC Dashboard
Use Sentinel Workbooks to visualize unified operations:
Query 1 – CloudTrail Events by Region
AWSCloudTrail
| summarize Count = count() by AWSRegion
| render barchart
Query 2 – Unified Security Alerts (AWSGuardDuty carries no ProviderName column and stores Severity as a number, so both are aligned before the union):
union
    (SecurityAlert | project ProviderName, Severity),
    (AWSGuardDuty | project ProviderName = "AWS GuardDuty", Severity = tostring(Severity))
| summarize TotalAlerts = count() by ProviderName, Severity
| render piechart
Scenario
Incident:
A compromised developer account accesses EC2 instances on AWS and then logs into Azure via the same IP.
Detection Flow:
- CloudTrail logs → Sentinel detects unusual API calls
- Entra ID sign-ins → Sentinel correlates IP and user
- Sentinel incident triggers playbook → disables user in Entra ID, suspends AWS IAM key, notifies SOC
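The detection step of this flow as one analytics rule query, added here as an example (not part of the original post). It assumes the AWSCloudTrail connector and the Entra ID SigninLogs table are both ingested; the EC2 action list and the 1h pivot window are assumptions to tune per environment.

```kql
// Constructed example: AWS EC2 activity followed (or preceded) within 1h by an
// Entra ID sign-in from the same source IP. Map IPAddress to the IP entity and
// UserPrincipalName / AwsUsers to Account entities in the rule's entity mapping.
let lookback = 1d;
let window = 1h;
// EC2 actions worth pivoting on; DescribeInstances is noisy and may be dropped (assumed list)
let ec2Actions = dynamic(["RunInstances", "StartInstances", "TerminateInstances",
                          "DescribeInstances", "GetPasswordData"]);
let awsEc2 = AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventSource == "ec2.amazonaws.com" and EventName in (ec2Actions)
    | where isnotempty(SourceIpAddress)
    // collapse to one row per source IP and AWS account with the time span seen
    | summarize AwsFirstSeen = min(TimeGenerated), AwsLastSeen = max(TimeGenerated),
                AwsActions = make_set(EventName), AwsUsers = make_set(UserIdentityUserName)
        by IPAddress = SourceIpAddress, AwsAccountId = RecipientAccountId;
let entraSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"   // successful sign-ins only; failures are a separate rule
    | project SigninTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName;
awsEc2
| join kind=inner entraSignins on IPAddress
// keep only sign-ins that fall inside the AWS activity span, padded by the window
| where SigninTime between ((AwsFirstSeen - window) .. (AwsLastSeen + window))
| project SigninTime, IPAddress, UserPrincipalName, AppDisplayName,
          AwsAccountId, AwsUsers, AwsActions, AwsFirstSeen, AwsLastSeen
| order by SigninTime desc
```

Schedule it hourly with a 1d lookback so the padded window never falls outside the queried range.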
Strengthen Governance with Defender for Cloud
Enable Microsoft Defender for Cloud to:
- Monitor both Azure and AWS accounts from a single portal
- Apply CIS benchmarks for AWS resources
- Surface findings in Sentinel’s SecurityRecommendations table