Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This stack integrates Microsoft Sentinel by creating an IAM role with minimal permissions for accessing S3 server access logs stored in a specified S3 bucket and sending log events to an SQS queue.
Table attributes
Attribute | Value |
---|---|
Resource types | - |
Categories | Security |
Solutions | SecurityInsights |
Basic log | Yes |
Ingestion-time transformation | No |
Sample Queries | - |
Columns
Column | Type | Description |
---|---|---|
AccessPointARN | string | The Amazon Resource Name (ARN) of the S3 access point used for the request, or '-' if not used. |
ACLRequired | string | Indicates if an ACL was required for the request: 'Yes' if required, '-' otherwise. |
AuthenticationType | string | The authentication type used: AuthHeader, QueryString, or '-' for unauthenticated requests. |
_BilledSize | real | The record size in bytes |
Bucket | string | The name of the S3 bucket against which the request was processed. |
BucketOwner | string | The canonical user ID of the owner of the source bucket (another form of AWS account ID). |
BytesSent | int | Number of response bytes sent, excluding HTTP overhead, or 0. |
CipherSuite | string | The TLS cipher suite negotiated for HTTPS, or '-' for HTTP. |
ErrorCode | string | The S3 error code returned in the response, or '-' if none. |
HostHeader | string | The endpoint (host header) used to connect to S3 (e.g., s3.us-west-2.amazonaws.com). |
HostId | string | Amazon S3 extended request ID (x-amz-id-2). |
HttpStatus | int | The HTTP status code returned in the response. |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
Key | string | The object key (name) involved in the request. |
ObjectSize | int | The size of the object in bytes. |
Operation | string | The operation type (e.g., REST.PUT.OBJECT, S3.LIFECYCLETRANSITION.OBJECT). |
Referer | string | The value of the HTTP Referer header (linking page URL), if present. |
RemoteIp | string | The apparent IP address of the requester (may be obscured by proxies or firewalls). |
Requester | string | The canonical user ID, IAM user, or assumed role making the request, or '-' for unauthenticated. |
RequestId | string | A unique string ID generated by Amazon S3 to identify the request. |
RequestUri | string | The URI part of the HTTP request. |
SignatureVersion | string | The signature version (SigV2 or SigV4) used to authenticate the request, or '-' for unauthenticated. |
SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
TenantId | string | The Log Analytics workspace ID |
TimeGenerated | datetime | The time the AWS Server Access log was received by the S3 bucket, in UTC. |
TLSVersion | string | The TLS version used by the client (e.g., TLSv1.2), or '-' if TLS wasn't used. |
TotalTime | int | The total time in milliseconds the request was in flight (from receipt to last response byte sent). |
TurnAroundTime | string | The time in milliseconds S3 spent processing the request (from last request byte to first response byte). |
Type | string | The name of the table |
UserAgent | string | The value of the HTTP User-Agent header (e.g., client software or browser). |
VersionId | string | The version ID of the object involved in the request, or '-' if not applicable. |