cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
LIVE
Find out more
SOLVED

Segregate AWS accounts in Azure Sentinel

rslakkappa
Copper Contributor

‎Aug 04 2021 10:17 PM

‎Aug 04 2021 10:17 PM

Segregate AWS accounts in Azure Sentinel

Hi Team,

 

I am new to Azure sentinel, trying to explore sentinel features. I have already registered couple of AWS accounts in the sentinel and data is been ingesting from the time of connection.

 

I wanted to understand that, is it possible to view the data/logs with respect to individual AWS account in sentinel workbook. For example: If I go to "AWS Network Activities" workbook in the sentinel, is it possible to view the statistics with respect to individual account rather for all the registered accounts? and also Is there a way to group /segregate aws accounts in the sentinel so that we can have multiple groups with respect to the different environments and can view only particular accounts data ?

 

Please help me out in understanding this?

 

Thanks in advance...!

 

 

753 Views
0 Likes
4 Replies
Reply
4 Replies
m_zorich

‎Aug 05 2021 03:54 AM

‎Aug 05 2021 03:54 AM

Re: Segregate AWS accounts in Azure Sentinel

Yep you can do that, you will need to save a copy of the workbook and edit it to make some changes. The best way is to make a dynamic drop down parameter which includes all your AWS Account numbers - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#creating-a-dynami.... If you write a kusto query that returns all your AWS account numbers, it will then make that a drop down list for you.

Then you need to edit the queries in the workbook to reference that parameter so that when you select one particular account from your list, your queries will automatically update for you - https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-dropdowns#in-kql
0 Likes
Reply
rslakkappa

‎Aug 05 2021 11:37 PM

‎Aug 05 2021 11:37 PM

Re: Segregate AWS accounts in Azure Sentinel

Thank you for the inputs @m_zorich. With the help of above article I am able to create a new parameter and display individual AWS account ID's in the drop down button. could you please help me with referencing parameter value in the KQL. How should I pass the selected aws account ID from the dropdown to the KQL query so that it will give me the statistics with respect to only the selected account ID. Could you please help me with the sample query and the procedure?

I have used below query to display aws account ID's in the dropdown parameter.

AWSCloudTrail
| distinct UserIdentityAccountId

could you please help me with the next step. Thanks for your patience, please do not mind as I am very new to this.
0 Likes
Reply
best response confirmed by rslakkappa (Copper Contributor)
m_zorich

‎Aug 06 2021 12:46 AM

‎Aug 06 2021 12:46 AM

Solution

Re: Segregate AWS accounts in Azure Sentinel

No problems at all, so if you have called your parameter AWSAccountID for example, then in your other queries you add

AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'

Then the rest of your query, maybe try it out with a simple query like returning the count of the records to test it is changing as you would expected

AWSCloudTrail
| where UserIdentityAccountId == '{AWSAccountID}'
| count
1 Like
Reply
rslakkappa

‎Aug 10 2021 08:59 PM

‎Aug 10 2021 08:59 PM

Re: Segregate AWS accounts in Azure Sentinel

Thank you so much @m_zorich. It did solve my problem. Thank you for the quick response and guidance, appreciate it.. :)
0 Likes
Reply