4 Comments
Aug 18, 2023 · Liked by Rod Trent

thanks for the ASR hunting query, that's a keeper.

Aug 21, 2023 · edited Aug 21, 2023

Question: would you prioritize the Defender for Cloud Apps connector when monitoring AWS, or the Sentinel connector?

ref: https://learn.microsoft.com/en-us/defender-cloud-apps/protect-aws

I see the Defender for Cloud Apps connector monitors much of what I would need right out of the box without worrying that the AWS admin isn't sending me too much junk from CloudTrail.

And the suggested policies for Sentinel > AWS connector seem a bit broad, do you have suggestions for say just collecting CloudTrail (more resource related - better security value) vs CloudWatch (more API related - noisy and less security value)?

I guess I'm looking for best practices for AWS security logging to Sentinel/Defender. eg:

- Enable Defender for Cloud > AWS

- Enable Defender for Cloud Apps > AWS

- Enable Sentinel > AWS - for CloudTrail

Secondary Considerations:

- Sentinel > AWS - for traffic - good for TI if there's in/outbound traffic

- Sentinel > AWS - CloudWatch - for API activity - but can be very noisy/costly.

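The comment above asks how to get security value out of the Sentinel > AWS connector for CloudTrail without drowning in noise. One defender-side approach, once CloudTrail is flowing into the AWSCloudTrail table, is a hunting query that allowlists a small set of high-signal API calls and summarizes who made them and from where. This is an added KQL example and is not a query from the post, its author, or Microsoft; the event names are standard AWS CloudTrail API names, but which ones belong on the list is a judgment call for your environment, and the 1-day window and 10-entry IP cap are arbitrary choices.

```kql
// Added example (not from the original post): triage high-signal CloudTrail events
// in the Sentinel AWSCloudTrail table. The allowlist below is an illustrative
// selection, not an authoritative list; tune it to your AWS footprint.
let HighValueEvents = dynamic([
    "StopLogging", "DeleteTrail", "UpdateTrail",            // logging tampering
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",   // IAM persistence
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", // privilege changes
    "PutBucketPolicy", "PutBucketAcl",                       // S3 exposure
    "AuthorizeSecurityGroupIngress"                          // network exposure
]);
AWSCloudTrail
| where TimeGenerated > ago(1d)                     // assumed lookback window
| where EventName in (HighValueEvents)
| extend Outcome = iff(isempty(ErrorCode), "Success", strcat("Failed: ", ErrorCode))
| summarize
    EventCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    SourceIPs  = make_set(SourceIpAddress, 10),    // cap the set at 10 addresses
    Regions    = make_set(AwsRegion, 10)
    by EventName, EventSource, UserIdentityType, UserIdentityArn, Outcome
| order by EventCount desc
```

Because the query filters on EventName before summarizing, it stays cheap even on a busy trail, and the same allowlist can be reused as the basis of a scheduled analytics rule once the noise level of each event in your account is understood. Failed calls are kept deliberately: a denied StopLogging or CreateAccessKey is often more interesting than a successful one.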
author

Defender for Cloud Apps is very much a mitigation tool, i.e., it produces alerts so you can take action and set policies.

Sentinel allows you to integrate those alerts with everything else in your environment. For example, something exposed in Defender for Cloud Apps may very well be related to some other occurrence in the environment that D4CA has no control over or is not able to interact with.

A SIEM is always a last mile tool to ensure nothing is missed.

I would actually recommend looking at Defender for Cloud (not Apps) for AWS. Defender for Cloud is going to compare AWS events with best security practices. Those alerts can also be sent to Sentinel.

Aug 21, 2023 · Liked by Rod Trent

Yes I agree D4C is a priority, but I don't think it will produce the threat detections that D4CA is doing in that link I shared. That's why it made me think it's a quick win for AWS security alerts to Sentinel w/o the ingestion costs.
