CloudTrail events do not appear on Microsoft Sentinel


My organization is ingesting its CloudTrail logs into a Sentinel workspace. I recently updated our current LogTrail by adding S3 in the data events, but when I performed some specific operations to test, like "CopyObject", they do not appear on Sentinel. We use the legacy connector and expected that we would be able to see such events.

asked 9 months ago, 311 views
1 Answer

Here are some ideas to dig for the root cause.

  • Make sure you update the AWS CloudTrail connector configuration in Azure Sentinel to account for these changes.
  • Ensure that S3 data events are enabled and configured in your CloudTrail settings.
  • Check if the specific "CopyObject" events are included in the CloudTrail logs you are sending to Azure Sentinel. These events might be categorized differently or may have specific attributes that need to be parsed and queried.
  • Check for any errors or issues related to log ingestion. You may need to troubleshoot and resolve any connectivity problems.
answered 9 months ago
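
For the second and third checks in the answer above, an added example (not part of the original answer): it evaluates saved `aws cloudtrail get-event-selectors` output to tell whether a write call such as CopyObject on a given object would be recorded by the trail at all. The sample trails, the bucket name and the function names are constructed, and selector matching is modelled as plain string comparison.

```python
# Constructed samples shaped like `aws cloudtrail get-event-selectors` output.
MGMT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
CLASSIC_READ_ONLY = {"EventSelectors": [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object",
                        "Values": ["arn:aws:s3:::example-bucket/"]}]}]}
ADVANCED_WRITES = {"AdvancedEventSelectors": [{"Name": "s3-writes", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
    {"Field": "readOnly", "Equals": ["false"]},
    {"Field": "resources.ARN", "StartsWith": ["arn:aws:s3:::example-bucket/"]}]}]}

OPS = {  # operators an advanced field selector can carry
    "Equals": lambda v, xs: v in xs,
    "NotEquals": lambda v, xs: v not in xs,
    "StartsWith": lambda v, xs: any(v.startswith(x) for x in xs),
    "NotStartsWith": lambda v, xs: not any(v.startswith(x) for x in xs),
    "EndsWith": lambda v, xs: any(v.endswith(x) for x in xs),
    "NotEndsWith": lambda v, xs: not any(v.endswith(x) for x in xs),
}

def field_ok(selector, event):
    """True if one FieldSelector accepts the event; unknown fields never match."""
    value = event.get(selector["Field"])
    if value is None:
        return False
    return all(fn(value, selector[op]) for op, fn in OPS.items() if selector.get(op))

def s3_event_logged(selectors, event_name, object_arn, read_only=False):
    """Would this trail record the given S3 object-level call?"""
    event = {"eventCategory": "Data", "resources.type": "AWS::S3::Object",
             "readOnly": str(read_only).lower(), "eventName": event_name,
             "resources.ARN": object_arn}
    # Advanced selectors: every field condition of one selector must hold.
    for adv in selectors.get("AdvancedEventSelectors") or []:
        if all(field_ok(f, event) for f in adv["FieldSelectors"]):
            return True
    # Classic selectors: read/write type must fit and an ARN prefix must match.
    wanted = "ReadOnly" if read_only else "WriteOnly"
    for sel in selectors.get("EventSelectors") or []:
        if sel.get("ReadWriteType", "All") not in ("All", wanted):
            continue
        for res in sel.get("DataResources") or []:
            if res["Type"] == "AWS::S3::Object" and any(
                    object_arn.startswith(v) for v in res["Values"]):
                return True
    return False
```

A `False` result points at the trail configuration; a `True` result moves the search to log delivery and the Sentinel connector.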