-
Notifications
You must be signed in to change notification settings - Fork 21.4k
/
cloudwatch-lambda-function.yml
75 lines (65 loc) · 4.39 KB
/
cloudwatch-lambda-function.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
### YamlMime:HowTo
metadata:
title: Ingest CloudWatch logs to Microsoft Sentinel - create a Lambda function to send CloudWatch events to S3 bucket
description: In this article, you create a Lambda function to send CloudWatch events to an S3 bucket.
author: limwainstein
ms.author: lwainstein
ms.date: 02/09/2023
ms.service: microsoft-sentinel
ms.topic: how-to
ms.custom:
- ge-structured-content-pilot
#Customer intent: As a security operator, I want to create a Lambda function to send CloudWatch events to S3 bucket so I can convert the format to the format accepted by Microsoft Sentinel.
title: |
Create a Lambda function to send CloudWatch events to an S3 bucket
introduction: |
In some cases, your CloudWatch logs may not match the format accepted by Microsoft Sentinel - .csv file in a GZIP format without a header. In this article, you use a **lambda function** ([view the source code](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py)) within the Amazon Web Services (AWS) environment to send [CloudWatch events to an S3 bucket](connect-aws.md), and convert the format to the accepted format.
procedureSection:
- title: |
Create the lambda function
summary: |
The lambda function uses Python 3.9 runtime and x86_64 architecture.
steps:
- |
In the AWS Management Console, select the lambda service.
- |
Select **Create function**.
:::image type="content" source="media/cloudwatch-lambda-function/lambda-basic-information.png" alt-text="Screenshot of the AWS Management Console Basic information screen." lightbox="media/cloudwatch-lambda-function/lambda-basic-information.png":::
- |
Type a name for the function and select **Python 3.9** as the runtime and **x86_64** as the architecture.
- |
Select **Create function**.
- |
Under **Choose a layer**, select a layer and select **Add**.
:::image type="content" source="media/cloudwatch-lambda-function/lambda-add-layer.png" alt-text="Screenshot of the AWS Management Console Add layer screen." lightbox="media/cloudwatch-lambda-function/lambda-add-layer.png":::
- |
Select **Permissions**, and under **Execution role**, select **Role name**.
- |
Under **Permissions policies**, select **Add permissions** > **Attach policies**.
:::image type="content" source="media/cloudwatch-lambda-function/lambda-permissions.png" alt-text="Screenshot of the AWS Management Console Permissions tab." lightbox="media/cloudwatch-lambda-function/lambda-permissions.png":::
- |
Search for the *AmazonS3FullAccess* and *CloudWatchLogsReadOnlyAccess* policies and attach them.
:::image type="content" source="media/cloudwatch-lambda-function/lambda-other-permissions-policies.png" alt-text="Screenshot of the AWS Management Console Add permissions policies screen." lightbox="media/cloudwatch-lambda-function/lambda-other-permissions-policies.png":::
- |
Return to the function, select **Code**, and paste the code link under **Code source**.
- |
The default values for the parameters are set using environment variables. If necessary, you can manually adjust these values directly in the code.
- |
Select **Deploy**, and then select **Test**.
- |
Create an event by filling in the required fields.
:::image type="content" source="media/cloudwatch-lambda-function/lambda-configure-test-event.png" alt-text="Screenshot of the AWS Management Configure test event screen." lightbox="media/cloudwatch-lambda-function/lambda-configure-test-event.png":::
- |
Select **Test** to see how the event appears in the S3 bucket.
relatedContent:
- text: Get visibility into your data, and potential threats
url: get-visibility.md
- text: Detect threats with Microsoft Sentinel
url: detect-threats-built-in.md
- text: Use workbooks
url: monitor-your-data.md
# Next steps
# In this document, you learned how to create a Lambda function to send CloudWatch events to an S3 bucket. To learn more about Microsoft Sentinel, see the following articles:
#- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
#- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
#- [Use workbooks](monitor-your-data.md) to monitor your data.