Thank you for reaching out to us. After reviewing several cases internally regarding AWS GuardDuty integration with Sentinel, below are a few troubleshooting steps you can try.
Permissions or Log Flow Issues: Verify if there are any permissions issues or if the GuardDuty log flow is limited. Ensure all necessary permissions are correctly configured.
Content Hub Updates: Check the Content Hub in Microsoft Sentinel for any updates to the AWS connector. If an update is available, install it and revalidate the integration.
SentinelHealth Table: Query the SentinelHealth table in your Log Analytics workspace to identify any errors related to the AWS connector.
Log Types in Sentinel: Confirm whether other log types, such as GuardDuty, CloudWatch, CloudTrail, or VPC Flow logs, are successfully being ingested into Sentinel.
SQS Queue Configuration:
Ensure that an SQS queue is created for each data type (e.g., GuardDuty, CloudTrail, CloudWatch).
Verify that the SQS queue permissions and configurations align with the data ingestion requirements.
By following these steps, you can identify and address common integration issues effectively. Feel free to post back if you have any further questions.
Reference:
https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference
https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy?tabs=azure-portal
https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/AwsRequiredPolicies.md
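For the SQS queue permissions step above, an added example (not part of the original answer and not Microsoft's tooling) that audits one queue's access policy offline: it checks that S3 may send notifications scoped to the log bucket and that the connector role can consume them. The ARNs, the sample policy and the `ROLE_ACTIONS` list are assumptions; take the authoritative action list from the linked AwsRequiredPolicies.md.

```python
import json
from fnmatch import fnmatchcase
# Assumed role actions; confirm against the linked AwsRequiredPolicies.md.
ROLE_ACTIONS = {"sqs:receivemessage", "sqs:deletemessage", "sqs:changemessagevisibility", "sqs:getqueueurl"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(policy, ptype, principal, resource):
    """Yield (actions, condition) for Allow statements covering principal and resource."""
    for st in _as_list(policy.get("Statement", [])):
        princ = st.get("Principal", {})
        named = _as_list(princ.get(ptype, [])) if isinstance(princ, dict) else [princ]
        if (st.get("Effect") == "Allow"
                and any(p in ("*", principal) for p in named)
                and any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))):
            yield {a.lower() for a in _as_list(st.get("Action", []))}, st.get("Condition", {})

def _source_arn_matches(condition, bucket_arn):
    """True if an Arn/String match operator ties aws:SourceArn to the bucket."""
    for op, operands in condition.items():
        for key, patterns in operands.items():
            if (op.lower() in ("arnlike", "arnequals", "stringlike", "stringequals")
                    and key.lower() == "aws:sourcearn"
                    and any(fnmatchcase(bucket_arn, p) for p in _as_list(patterns))):
                return True
    return False

def check_queue_policy(policy_json, queue_arn, bucket_arn, role_arn):
    """Return findings for one queue; an empty list means both checks passed."""
    policy, findings = json.loads(policy_json), []
    senders = [c for acts, c in _grants(policy, "Service", "s3.amazonaws.com", queue_arn)
               if acts & {"sqs:sendmessage", "sqs:*"}]
    if not any(_source_arn_matches(c, bucket_arn) for c in senders):
        findings.append("no sqs:SendMessage grant to s3.amazonaws.com scoped to " + bucket_arn)
    granted = set().union(*(acts for acts, _ in _grants(policy, "AWS", role_arn, queue_arn)))
    missing = set() if "sqs:*" in granted else ROLE_ACTIONS - granted
    if missing:
        findings.append("role lacks: " + ", ".join(sorted(missing)))
    return findings

# Constructed sample: placeholder ARNs, and a role grant that omits DeleteMessage.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-guardduty-queue"
BUCKET_ARN, ROLE_ARN = "arn:aws:s3:::example-guardduty-logs", "arn:aws:iam::111122223333:role/ExampleSentinelRole"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "SQS:SendMessage",
     "Resource": QUEUE_ARN, "Condition": {"ArnLike": {"aws:SourceArn": BUCKET_ARN}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Resource": QUEUE_ARN,
     "Action": ["SQS:ReceiveMessage", "SQS:ChangeMessageVisibility", "SQS:GetQueueUrl"]}]})
```

Run it once per data-type queue, feeding in the policy text exported from each queue's access policy.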