AWSS3ServerAccess

This stack integrates Microsoft Sentinel by creating an IAM role with minimal permissions for accessing S3 server access logs stored in a specified S3 bucket and sending log events to an SQS queue.

Table attributes

| Attribute | Value |
| --- | --- |
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |

Columns

| Column | Type | Description |
| --- | --- | --- |
| AccessPointARN | string | The Amazon Resource Name (ARN) of the S3 access point used for the request, or '-' if not used. |
| ACLRequired | string | Indicates if an ACL was required for the request: 'Yes' if required, '-' otherwise. |
| AuthenticationType | string | The authentication type used: AuthHeader, QueryString, or '-' for unauthenticated requests. |
| _BilledSize | real | The record size in bytes. |
| Bucket | string | The name of the S3 bucket against which the request was processed. |
| BucketOwner | string | The canonical user ID of the owner of the source bucket (another form of AWS account ID). |
| BytesSent | int | Number of response bytes sent, excluding HTTP overhead, or 0. |
| CipherSuite | string | The TLS cipher suite negotiated for HTTPS, or '-' for HTTP. |
| ErrorCode | string | The S3 error code returned in the response, or '-' if none. |
| HostHeader | string | The endpoint (host header) used to connect to S3 (e.g., s3.us-west-2.amazonaws.com). |
| HostId | string | Amazon S3 extended request ID (x-amz-id-2). |
| HttpStatus | int | The HTTP status code returned in the response. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| Key | string | The object key (name) involved in the request. |
| ObjectSize | int | The size of the object in bytes. |
| Operation | string | The operation type (e.g., REST.PUT.OBJECT, S3.LIFECYCLETRANSITION.OBJECT). |
| Referer | string | The value of the HTTP Referer header (linking page URL), if present. |
| RemoteIp | string | The apparent IP address of the requester (may be obscured by proxies or firewalls). |
| Requester | string | The canonical user ID, IAM user, or assumed role making the request, or '-' for unauthenticated. |
| RequestId | string | A unique string ID generated by Amazon S3 to identify the request. |
| RequestUri | string | The URI part of the HTTP request. |
| SignatureVersion | string | The signature version (SigV2 or SigV4) used to authenticate the request, or '-' for unauthenticated. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The time the AWS Server Access log was received by the S3 bucket, in UTC. |
| TLSVersion | string | The TLS version used by the client (e.g., TLSv1.2), or '-' if TLS wasn't used. |
| TotalTime | int | The total time in milliseconds the request was in flight (from receipt to last response byte sent). |
| TurnAroundTime | string | The time in milliseconds S3 spent processing the request (from last request byte to first response byte). |
| Type | string | The name of the table. |
| UserAgent | string | The value of the HTTP User-Agent header (e.g., client software or browser). |
| VersionId | string | The version ID of the object involved in the request, or '-' if not applicable. |