SOLVED

AWS CloudTrail events missing

Contributor

I've connected our AWS to Sentinel and events are being ingested but there seem to be missing events that I can see in CloudTrail and not in Sentinel.


Anybody experienced this before?

3 Replies

@endakelly


Do you have some examples? That would help the team answer or track why they are missing.

Best Response confirmed by endakelly (Contributor)
Solution

@Clive Watson Think I've realised the problem. I've connected our org account to Sentinel and I assumed the logs from the sub-accounts would also flow in but you need to add the connector for each sub-account separately.


My bad :D
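One way to catch this situation in the data rather than by noticing gaps by hand: a Sentinel KQL query that compares the AWS account IDs you expect to report against the accounts actually present in the AWSCloudTrail table. This is an added example, not code from the thread or from Microsoft; it assumes the AWS CloudTrail data connector populates the standard AWSCloudTrail table with its RecipientAccountId column, and the account IDs in ExpectedAccounts are constructed placeholders to replace with your own org and sub-account IDs.

```kusto
// Constructed placeholder list: the org root account plus every sub-account that should have its own connector.
let ExpectedAccounts = dynamic(["111111111111", "222222222222", "333333333333"]);
let Lookback = 24h;
// Accounts that actually delivered CloudTrail events to Sentinel in the lookback window.
let Seen = AWSCloudTrail
    | where TimeGenerated > ago(Lookback)
    | summarize EventCount = count(), LastSeen = max(TimeGenerated) by RecipientAccountId;
// Expand the expected list to one row per account and left-join the observed accounts,
// so accounts that sent nothing still appear (with null EventCount) instead of silently vanishing.
print AccountId = ExpectedAccounts
| mv-expand AccountId to typeof(string)
| join kind=leftouter (Seen | project AccountId = RecipientAccountId, EventCount, LastSeen) on AccountId
| extend Status = case(
    isnull(EventCount), "NO EVENTS - no connector configured for this account, or delivery is broken",
    LastSeen < ago(2h), "STALE - last event older than 2h",
    "OK")
| project AccountId, EventCount = coalesce(EventCount, 0), LastSeen, Status
| order by Status desc
```

Run it in the Logs blade of the Sentinel workspace; rows marked NO EVENTS are the sub-accounts that still need their own connector (the root cause found in this thread), while STALE rows point at an account whose connector exists but has stopped delivering. Scheduling it as an analytics rule turns a quiet ingestion gap into an alert rather than something discovered during an investigation.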

No problem, glad you sorted it ;)