By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudTrail events do not appear on Microsoft Sentinel

0

My organization is ingesting its CloudTrail logs into a Sentinel workspace. I recently updated our current LogTrail by adding S3 in the data events but when I performed some specific operations to test, like "CopyObject", they do not appear on Sentinel. We use the legacy connector and expected that we would be able to see such events

Topics
Management & GovernanceAWS Well-Architected Framework
Tags
AWS CloudTrailSecurity
Language
English
Nov
asked 6 months ago245 views
1 Answer
0

Here some ideas to dig for the root cause.

  • Make sure you update the AWS CloudTrail connector configuration in Azure Sentinel to account for these changes.
  • Ensure that S3 data events are enabled and configured in your CloudTrail settings.
  • Check if the specific "CopyObject" events are included in the CloudTrail logs you are sending to Azure Sentinel. These events might be categorized differently or may have specific attributes that need to be parsed and queried.
  • Check for any errors or issues related to log ingestion. You may need to troubleshoot and resolve any connectivity problems.
nitin babariya
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content