How to get aws cloudwatch alerts using the new sentinel AWS connector.

Iron Contributor

Hi there,

I'd like to collect AWS cloudwatch logs to Sentinel.

(I'm not much of an AWS user but I can get around.)

Here's what I'd like to do:

#1 - enable AWS Cloudtrail and dump Management logs to an S3 bucket - done

#2 - configure an SQS queue so Sentinel can pull events from AWS - done

#3 - configure Cloudwatch alerts to monitor specific events as recommended here:

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html

#4 configure Cloudwatch to send alerts to the SQS queue so Sentinel can get them.

I think I've done #1 to #3 but I don't know how to do #4.

(the Sentinel connector side is done - that was the easy part..)

Has anyone configure AWS Cloudwatch to send alerts to Sentinel?


Your help is greatly appreciated.

Thanks.

4 Replies
I doubt anyone has done this already. Furthermore, the "Automatic setup" procedure is not working. It's really weird though that this connector is still in PREVIEW!

thanks @Clive_Watson 
Yes I've read that procedure several times but there's nothing in there about setting up the AWS site for Cloudwatch.
In fact if you follow that procedure it's very easy to accidentally log EVERYTHING from AWS Cloudtrail and cost you thousands of dollars per month.

yes @Javaripa , I also mentioned that to Microsoft but with no reply.
I don't mind the manual method, however it should be written to work with the CloudWatch best practices alerts and there's nothing in the Microsoft docs for that.