Most deployments of Sentinel, and of the devices it collects events from, are on-premises. There is, however, a shift under way: organizations are moving to public cloud platforms such as AWS and Office 365, where users deploy instances, services and so on. That growing cloud adoption is an opportunity for Sentinel to read logs from the public cloud as well.
Sentinel reads events from different devices through connector plug-ins, so to support AWS and Office 365 we implemented connectors that read logs from each of them.
Reading logs from AWS:
AWS services deliver their logs to S3, as objects stored in a bucket (CloudTrail, for example, writes gzip-compressed JSON files there).
The user needs IAM credentials that are permitted to list the bucket and read its objects (the s3:ListBucket and s3:GetObject actions).
The connector calls the corresponding S3 REST APIs: list the buckets, list the objects under a bucket (or a prefix within it), and then fetch each object's contents, which are the log records.
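The S3 side of that procedure, written out as an added example rather than the connector's own code: a stdlib-only Python reader that signs each REST call with AWS Signature Version 4, walks a ListObjectsV2 listing page by page, fetches each object and gunzips it. The bucket, prefix, credentials, fixed clock value and the HTTP responses served by fake_transport are all constructed so the flow runs offline; swap in http_get to read a live bucket.

```python
# Added example (not Sentinel's connector): SigV4-signed S3 REST reads with
# injectable transport. All names, credentials and fixture data are made up.
import datetime as dt
import gzip
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # payload hash of a body-less GET
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_s3_get(access_key, secret_key, region, bucket, path, query, when):
    """Return (url, headers) for a SigV4-signed GET on the virtual-hosted S3 endpoint.
    `when` is an aware UTC datetime, passed in so signatures are reproducible."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date, date = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    enc = lambda s: urllib.parse.quote(str(s), safe="-_.~")
    canonical_query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    signed = ";".join(headers)                       # header names, already in sorted order
    canonical_request = "\n".join([
        "GET", urllib.parse.quote(path, safe="/-_.~"), canonical_query,
        "".join(f"{k}:{v}\n" for k, v in headers.items()), signed, EMPTY_SHA256])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), date)   # kDate -> kRegion -> kService -> kSigning
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return f"https://{host}{path}" + (f"?{canonical_query}" if canonical_query else ""), headers


def http_get(url, headers):
    """Default transport: returns (status, body)."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        return r.status, r.read()


class S3LogReader:
    def __init__(self, access_key, secret_key, region, bucket, transport=http_get, clock=None):
        self.creds = (access_key, secret_key, region, bucket)
        self.transport = transport
        self.clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))

    def _get(self, path, query):
        url, headers = sign_s3_get(*self.creds, path, query, self.clock())
        status, body = self.transport(url, headers)
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return body

    def list_keys(self, prefix):
        """Yield every key under prefix. A ListObjectsV2 page holds at most 1000 keys,
        so follow NextContinuationToken until IsTruncated is false."""
        query = {"list-type": "2", "prefix": prefix}
        while True:
            root = ET.fromstring(self._get("/", query))
            for el in root.findall("s3:Contents/s3:Key", S3_NS):
                yield el.text
            if root.findtext("s3:IsTruncated", namespaces=S3_NS) != "true":
                return
            query["continuation-token"] = root.findtext("s3:NextContinuationToken", namespaces=S3_NS)

    def read_object(self, key):
        """Fetch one object; CloudTrail and most AWS log deliveries are gzip-compressed."""
        body = self._get("/" + key, {})
        return gzip.decompress(body) if key.endswith(".gz") else body


# --- constructed offline fixtures: a two-page listing and two gzipped CloudTrail files ---
_PAGE = ('<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><IsTruncated>{t}'
         '</IsTruncated>{n}<Contents><Key>{k}</Key></Contents></ListBucketResult>')
_FIXTURES = {
    "/?list-type=2&prefix=AWSLogs%2F": _PAGE.format(
        t="true", n="<NextContinuationToken>tok1</NextContinuationToken>", k="AWSLogs/a.json.gz").encode(),
    "/?continuation-token=tok1&list-type=2&prefix=AWSLogs%2F": _PAGE.format(
        t="false", n="", k="AWSLogs/b.json.gz").encode(),
    "/AWSLogs/a.json.gz": gzip.compress(b'{"Records":[{"eventName":"ConsoleLogin"}]}'),
    "/AWSLogs/b.json.gz": gzip.compress(b'{"Records":[]}'),
}


def fake_transport(url, headers):
    """Stand-in for http_get that serves the fixtures and rejects unsigned requests."""
    if not headers.get("authorization", "").startswith("AWS4-HMAC-SHA256 Credential="):
        return 403, b""
    path = url.split(".amazonaws.com", 1)[1]
    return (200, _FIXTURES[path]) if path in _FIXTURES else (404, b"")


def demo():
    """Run the whole flow offline; returns (keys, one Records array per object)."""
    reader = S3LogReader("AKIAEXAMPLE", "secretEXAMPLE", "us-east-1", "logs-bucket",
                         transport=fake_transport,
                         clock=lambda: dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc))
    keys = list(reader.list_keys("AWSLogs/"))
    return keys, [json.loads(reader.read_object(k))["Records"] for k in keys]
```

Two points worth keeping in mind when running this against a real bucket: the credentials only need s3:ListBucket on the bucket and s3:GetObject on the objects, nothing wider, and the listing prefix should be as narrow as the delivery layout allows (CloudTrail's AWSLogs/<account>/CloudTrail/<region>/<yyyy>/<mm>/<dd>/ path), since every page is a separate signed request.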
Reading logs from Office 365:
The user authenticates to obtain an access token.
List the available log content.
Fetch the contents of each listed item.
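The Office 365 side of the procedure, as an added example and not the connector's code. It assumes the logs come from the Office 365 Management Activity API, reached through an Azure AD app registration using the OAuth 2.0 client-credentials grant. The tenant ID, client ID and secret, token value and the responses served by fake_transport are constructed so the three steps run offline; replace the transport with http for a real tenant.

```python
# Added example (not Sentinel's connector): token -> content list -> content fetch
# against the Office 365 Management Activity API, with an injectable transport.
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
API = "https://manage.office.com/api/v1.0"


def http(method, url, headers=None, data=None):
    """Default transport: returns (status, lower-cased response headers, body bytes)."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    with urllib.request.urlopen(req) as r:
        return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read()


class O365LogReader:
    def __init__(self, tenant_id, client_id, client_secret, transport=http):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.transport, self.token = transport, None

    def get_token(self):
        """Step 1: client-credentials grant; the audience is manage.office.com."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "client_id": self.client_id,
            "client_secret": self.client_secret, "scope": "https://manage.office.com/.default"}).encode()
        status, _, body = self.transport(
            "POST", f"{AUTHORITY}/{self.tenant_id}/oauth2/v2.0/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = json.loads(body)["access_token"]
        return self.token

    def _authed_get(self, url):
        status, hdrs, body = self.transport("GET", url, {"Authorization": f"Bearer {self.token}"})
        if status != 200:
            raise RuntimeError(f"GET {url} failed: HTTP {status}")   # 401 = missing/expired token
        return hdrs, json.loads(body)

    def list_content(self, content_type, start_time, end_time):
        """Step 2: list the content blobs available for one content type, following NextPageUri."""
        url = f"{API}/{self.tenant_id}/activity/feed/subscriptions/content?" + urllib.parse.urlencode(
            {"contentType": content_type, "startTime": start_time, "endTime": end_time})
        while url:
            hdrs, blobs = self._authed_get(url)
            yield from blobs
            url = hdrs.get("nextpageuri")   # header is absent on the last page

    def read_content(self, blob):
        """Step 3: fetch a blob's contentUri; the body is a JSON array of audit records."""
        return self._authed_get(blob["contentUri"])[1]


# --- constructed offline fixtures standing in for Azure AD and the Management Activity API ---
_TENANT, _TOKEN = "tenant-guid", "eyJ.constructed.token"
_RECORDS = {
    "blob-1": [{"CreationTime": "2024-01-01T12:00:00", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "ResultStatus": "Succeeded"}],
    "blob-2": [],
}


def fake_transport(method, url, headers=None, data=None):
    headers = headers or {}
    if method == "POST" and url == f"{AUTHORITY}/{_TENANT}/oauth2/v2.0/token":
        if not data or b"grant_type=client_credentials" not in data:
            return 400, {}, b'{"error":"unsupported_grant_type"}'
        return 200, {}, json.dumps({"access_token": _TOKEN, "expires_in": 3599}).encode()
    if headers.get("Authorization") != f"Bearer {_TOKEN}":
        return 401, {}, b""
    if url.startswith(f"{API}/{_TENANT}/activity/feed/subscriptions/content?"):
        page = 2 if url.endswith("page=2") else 1          # simulate a two-page listing
        hdrs = {} if page == 2 else {"nextpageuri": url + "&page=2"}
        blob = {"contentType": "Audit.AzureActiveDirectory",
                "contentUri": f"{API}/{_TENANT}/activity/audit/blob-{page}"}
        return 200, hdrs, json.dumps([blob]).encode()
    return 200, {}, json.dumps(_RECORDS[url.rsplit("/", 1)[1]]).encode()


def demo():
    """Run all three steps offline; returns (blobs, records per blob)."""
    reader = O365LogReader(_TENANT, "client-id", "client-secret", transport=fake_transport)
    reader.get_token()
    blobs = list(reader.list_content("Audit.AzureActiveDirectory",
                                     "2024-01-01T00:00:00", "2024-01-02T00:00:00"))
    return blobs, [reader.read_content(b) for b in blobs]
```

Two caveats for a live tenant: step 2 returns nothing until the subscription for each content type has been started once through the API's /subscriptions/start endpoint (omitted here), and a 401 on step 2 or 3 normally means the token has expired (they are valid for about an hour), so the right reaction is to repeat step 1 rather than retry the same request.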
The plug-in only retrieves the raw log content. Users of this plug-in need to write their own Collector that parses those records and normalizes them into Sentinel events.
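A sketch of what that Collector has to do, as an added example rather than Sentinel's Collector framework: it takes a raw payload from either connector (the {"Records": [...]} file read from S3, or the JSON array fetched from an Office 365 contentUri), detects which it is, and flattens each record into one common event shape. The target field names are illustrative, not Sentinel's real event schema, and both sample records are constructed.

```python
# Added example (not Sentinel's Collector code): normalize CloudTrail and Office 365
# audit records into one flat event. Field names in the output are illustrative.
import datetime as dt
import json


def _utc_iso(value):
    """CloudTrail stamps end in 'Z', O365 CreationTime is naive UTC; emit ISO-8601 with +00:00."""
    if not value:
        return None
    ts = dt.datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=dt.timezone.utc)
    return ts.astimezone(dt.timezone.utc).isoformat()


def from_cloudtrail(rec):
    ident = rec.get("userIdentity") or {}
    return {
        "source": "aws.cloudtrail",
        "time": _utc_iso(rec.get("eventTime")),
        "action": rec.get("eventName"),
        "user": ident.get("userName") or ident.get("arn") or ident.get("type"),
        "src_ip": rec.get("sourceIPAddress"),
        # errorCode/errorMessage are only present when the API call or login failed
        "outcome": "failure" if rec.get("errorCode") or rec.get("errorMessage") else "success",
        "detail": rec.get("errorMessage") or rec.get("eventSource"),
    }


def from_o365(rec):
    status = rec.get("ResultStatus")
    return {
        "source": "o365." + str(rec.get("Workload", "")).lower(),
        "time": _utc_iso(rec.get("CreationTime")),
        "action": rec.get("Operation"),
        "user": rec.get("UserId"),
        "src_ip": rec.get("ClientIP"),
        # not every workload sets ResultStatus; keep "unknown" distinct from "success"
        "outcome": "unknown" if status is None else
                   ("success" if status in ("Succeeded", "Success", "True") else "failure"),
        "detail": rec.get("LogonError") or rec.get("ObjectId"),
    }


def normalize(raw):
    """Detect which connector a payload came from and normalize every record in it."""
    data = json.loads(raw)
    if isinstance(data, dict) and "Records" in data:        # CloudTrail file from S3
        return [from_cloudtrail(r) for r in data["Records"]]
    if isinstance(data, list):                              # O365 content blob
        return [from_o365(r) for r in data]
    raise ValueError("unrecognized log payload")


# --- constructed sample records, one per source ---
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [{
    "eventTime": "2024-01-01T12:00:00Z", "eventName": "ConsoleLogin",
    "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"type": "IAMUser", "userName": "bob",
                     "arn": "arn:aws:iam::123456789012:user/bob"},
    "errorMessage": "Failed authentication"}]})
SAMPLE_O365 = json.dumps([{
    "CreationTime": "2024-01-01T12:05:00", "Workload": "AzureActiveDirectory",
    "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.5",
    "ResultStatus": "Failed", "LogonError": "InvalidUserNameOrPassword"}])
```

The two things this buys a Sentinel user are a single timestamp convention (both sources end up as aware UTC) and a single outcome field, so one correlation rule for failed logons can cover AWS console and Office 365 sign-ins instead of two source-specific ones.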