Defender for Cloud and Integration of Amazon Web Service Connector in Sentinel


Since we have an option in Defender for Cloud to add an AWS environment: if we added those AWS accounts and, in Sentinel, enabled the Microsoft Defender for Cloud data connector, will that collect all the required logs from AWS?
Or do we need to enable the "Amazon Web Services S3 (Preview)" connector as well, which includes the data types AWS CloudTrail, VPC Flow Logs & AWS GuardDuty?

3 Replies
The easiest way is that this connector ingests data from AWS Security Hub, which is the AWS CSPM, while Sentinel's AWS S3 brings alerts from user audits, incidents and network-level traffic (VPC).

That means both can be used for 2 different purposes.

@santhoshmohd Yes... Now imagine that you want to activate the protection of these resources as well (AWS)... Then you will have the EDR module and it will start reporting ransomware incidents as well in Security Center (Defender for Cloud), so you could see this incident too in Sentinel.