Create a Lambda function to send CloudWatch events to an S3 bucket

In some cases, your CloudWatch logs might not match the format that Microsoft Sentinel accepts: a .csv file compressed with GZIP and without a header row. In this article, you use a Lambda function (view the source code) within the Amazon Web Services (AWS) environment to send CloudWatch events to an S3 bucket and convert them to the accepted format.

Prerequisites

None

Create the Lambda function

The Lambda function uses the Python 3.9 runtime and the x86_64 architecture.

  1. In the AWS Management Console, select the Lambda service.

  2. Select Create function.

    Screenshot of the AWS Management Console Basic information screen.

  3. Type a name for the function and select Python 3.9 as the runtime and x86_64 as the architecture.

  4. Select Create function.

  5. Under Choose a layer, select a layer and select Add.

    Screenshot of the AWS Management Console Add layer screen.

  6. Select Permissions, and under Execution role, select Role name.

  7. Under Permissions policies, select Add permissions > Attach policies.

    Screenshot of the AWS Management Console Permissions tab.

  8. Search for the AmazonS3FullAccess and CloudWatchLogsReadOnlyAccess policies and attach them.

    Screenshot of the AWS Management Console Add permissions policies screen.

  9. Return to the function, select Code, and paste the code from the linked source into the Code source editor.

  10. The default values for the parameters are set using environment variables. If necessary, you can manually adjust these values directly in the code.

  11. Select Deploy, and then select Test.

  12. Create an event by filling in the required fields.

    Screenshot of the AWS Management Console Configure test event screen.

  13. Select Test to see how the event appears in the S3 bucket.
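As an added illustration of what the deployed function does (this is example code written for this article, not the function linked above), the handler below pulls the last few minutes of events from a CloudWatch log group, writes them as a headerless CSV, GZIP-compresses the result and uploads one object to S3. The environment variable names, the placeholder bucket and log group names, and the two-column row layout (UTC timestamp, raw message) are assumptions.

```python
import csv
import gzip
import io
import os
from datetime import datetime, timezone

# Assumed environment variable names and placeholder defaults (not the linked function's).
BUCKET = os.environ.get("S3_BUCKET", "example-sentinel-bucket")
LOG_GROUP = os.environ.get("LOG_GROUP", "/aws/example/log-group")
WINDOW_SECONDS = int(os.environ.get("WINDOW_SECONDS", "300"))

# Constructed sample in the shape filter_log_events returns (timestamp in ms, raw message).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000000, "message": "user=alice, action=login"},
    {"timestamp": 1700000001500, "message": "line one\nline two"},
]

def events_to_csv_gzip(events):
    """Serialise CloudWatch log events as headerless CSV and GZIP the result.
    Assumed row layout: ISO 8601 UTC timestamp, raw message. The csv module quotes
    messages containing commas, quotes or newlines, so each message stays one record."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")  # no header row is written
    for ev in events:
        ts = datetime.fromtimestamp(ev["timestamp"] / 1000, tz=timezone.utc)
        writer.writerow([ts.isoformat(), ev["message"]])
    return gzip.compress(buf.getvalue().encode("utf-8"))

def decode_rows(blob):
    """Inverse of events_to_csv_gzip; handy for checking what landed in S3."""
    return list(csv.reader(io.StringIO(gzip.decompress(blob).decode("utf-8"))))

def lambda_handler(event, context):
    """Collect the last WINDOW_SECONDS of events and upload one .csv.gz object."""
    import boto3  # imported here so the conversion helpers run without the SDK
    now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    events = []
    # filter_log_events is paginated; the paginator follows nextToken for us.
    paginator = boto3.client("logs").get_paginator("filter_log_events")
    for page in paginator.paginate(logGroupName=LOG_GROUP,
                                   startTime=now_ms - WINDOW_SECONDS * 1000, endTime=now_ms):
        events.extend(page.get("events", []))
    if not events:
        return {"uploaded": 0}
    key = f"cloudwatch/{datetime.now(timezone.utc):%Y/%m/%d/%H%M%S}.csv.gz"
    # Least privilege: needs only logs:FilterLogEvents on LOG_GROUP and s3:PutObject on BUCKET.
    boto3.client("s3").put_object(Bucket=BUCKET, Key=key, Body=events_to_csv_gzip(events),
                                  ContentType="text/csv", ContentEncoding="gzip")
    return {"uploaded": len(events), "key": key}
```

Running `decode_rows(events_to_csv_gzip(SAMPLE_EVENTS))` locally shows the exact rows the S3 object will contain, including a message with an embedded newline kept as one record.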