Microsoft Tech Community

Segregate AWS accounts in Azure Sentinel


Hi Team,

I am new to Azure Sentinel and am trying to explore its features. I have already registered a couple of AWS accounts in Sentinel, and data has been ingesting since the time of connection.

I wanted to understand whether it is possible to view the data/logs for an individual AWS account in a Sentinel workbook. For example, if I go to the "AWS Network Activities" workbook in Sentinel, is it possible to view the statistics for an individual account rather than for all the registered accounts? Also, is there a way to group/segregate AWS accounts in Sentinel so that we can have multiple groups for the different environments and view only particular accounts' data?

Please help me understand this.

Thanks in advance!



4 Replies
Yep, you can do that; you will need to save a copy of the workbook and edit it to make some changes. The best way is to make a dynamic drop-down parameter which includes all your AWS account numbers. If you write a Kusto query that returns all your AWS account numbers, it will then make that a drop-down list for you.

Then you need to edit the queries in the workbook to reference that parameter, so that when you select one particular account from your list, your queries will automatically update for you.
Thank you for the inputs @m_zorich. With the help of the above article I am able to create a new parameter and display the individual AWS account IDs in the drop-down button. Could you please help me with referencing the parameter value in the KQL? How should I pass the selected AWS account ID from the drop-down to the KQL query so that it gives me the statistics for only the selected account ID? Could you please help me with a sample query and the procedure?

I have used the below query to display the AWS account IDs in the drop-down parameter.

| distinct UserIdentityAccountId

Could you please help me with the next step? Thanks for your patience, and please do not mind as I am very new to this.
best response confirmed by rslakkappa (Copper Contributor)
No problems at all. So if you have called your parameter AWSAccountID, for example, then in your other queries you add

| where UserIdentityAccountId == '{AWSAccountID}'

Then the rest of your query. Maybe try it out with a simple query, like returning the count of the records, to test that it is changing as you would expect:

| where UserIdentityAccountId == '{AWSAccountID}'
| count
Thank you so much @m_zorich. It did solve my problem. Thank you for the quick response and guidance; appreciate it. :)
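
The parameter pattern from the accepted answer, carried one step further as an added example (this is not code from the thread): a drop-down query that labels each account with its event count, and a workbook query that accepts several accounts at once. It assumes the connector writes CloudTrail events to the AWSCloudTrail table, that the parameter is named AWSAccountID, and that the parameter is configured as multi-select with quote ' and delimiter , so that {AWSAccountID} expands to a quoted, comma-separated list.

```kql
// Drop-down parameter query (assumed table: AWSCloudTrail).
// Workbook drop-downs read the 'value' and 'label' columns: 'value' is what
// {AWSAccountID} expands to, 'label' is what the user sees in the list.
AWSCloudTrail
| where TimeGenerated > ago(30d)
| summarize Events = count() by UserIdentityAccountId
| project value = UserIdentityAccountId,
          label = strcat(UserIdentityAccountId, " (", Events, " events)")

// Workbook query. With multi-select enabled (quote ', delimiter ,),
// {AWSAccountID} expands to e.g. '111111111111','222222222222'
// (constructed sample IDs), so use in() instead of == to match any of them.
AWSCloudTrail
| where TimeGenerated > ago(7d)
| where UserIdentityAccountId in ({AWSAccountID})
| summarize Events = count() by UserIdentityAccountId, EventName
| order by Events desc
```

With single-select left on, the same in() filter still works, since {AWSAccountID} then expands to a one-element list.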