Discussion about this post

SocInaBox

Thanks for the ASR hunting query, that's a keeper.

SocInaBox

Question: would you prioritize the Defender for Cloud Apps connector when monitoring AWS, or the Sentinel connector?

ref: https://learn.microsoft.com/en-us/defender-cloud-apps/protect-aws

I see the Defender for Cloud Apps connector monitors much of what I would need right out of the box, without worrying that the AWS admin isn't sending me too much junk from CloudTrail.

And the suggested policies for the Sentinel > AWS connector seem a bit broad; do you have suggestions for, say, just collecting CloudTrail (more resource-related, better security value) vs. CloudWatch (more API-related, noisy and less security value)?

I guess I'm looking for best practices for AWS security logging to Sentinel/Defender, e.g.:

- Enable Defender for Cloud > AWS
- Enable Defender for Cloud Apps > AWS
- Enable Sentinel > AWS for CloudTrail

Secondary considerations:

- Sentinel > AWS for traffic: good for TI if there's in/outbound traffic
- Sentinel > AWS CloudWatch for API activity, but can be very noisy/costly.

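One way to act on the "collect CloudTrail for security value" preference once the Sentinel AWS connector is on is a KQL hunting query over the AWSCloudTrail table that keeps only the write events affecting identities, network exposure, or the trail itself, and discards the read-only noise. This is an added example, not part of the comment thread or the original post; the table and column names are the Sentinel AWS connector's CloudTrail schema as I know it, and the event-name list is a constructed starting point to be extended, not a complete catalogue.

```kql
// Added example: high-value CloudTrail write events in Sentinel (constructed filter list)
let lookback = 1d;
// Event sources whose write calls change security posture
let watchedSources = dynamic([
    "iam.amazonaws.com",        // identities, keys, policies
    "ec2.amazonaws.com",        // security groups / network exposure
    "cloudtrail.amazonaws.com"  // tampering with the audit trail itself
]);
// Write events worth reviewing; read-only calls (Describe*, List*, Get*) are dropped
let watchedEvents = dynamic([
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "AuthorizeSecurityGroupIngress", "CreateSecurityGroup",
    "StopLogging", "DeleteTrail", "UpdateTrail"
]);
AWSCloudTrail
| where TimeGenerated > ago(lookback)
| where EventSource in (watchedSources)
| where EventName in (watchedEvents)
// ErrorCode is empty on success; keep failures too, since denied attempts are signal
| extend Outcome = iff(isempty(ErrorCode), "Success", strcat("Failed: ", ErrorCode))
| summarize
    Calls = count(),
    SourceIPs = make_set(SourceIpAddress, 20),
    Regions = make_set(AwsRegion, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserIdentityArn, EventSource, EventName, Outcome
| order by LastSeen desc
```

Run it first with a long lookback to see which identities legitimately generate these events (CI/CD roles, infrastructure-as-code pipelines) and whitelist those ARNs before turning the query into an analytics rule; the volume stays small because everything read-only, which is the bulk of CloudTrail, is excluded at the EventName filter.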