Azure
Azure Sentinel Config Aws S3 Data Connector Scripts Not Working on the Event Notification creation.
When running the "ConfigAWSConnector.ps1" script in Powershell, it all works well up until the creation of the Event Notification, which fails with the following error:
System.Management.Automation.RemoteException Error parsing parameter '--notification-configuration': Invalid JSON: Expecting property name enclosed in double quotes: line 1 column 2 (char 1) JSON received: {QueueConfigurations:[{Filter:{Key:{FilterRules:[{Value:AWSEventLogging/#####/CloudTrail/,Name:prefix},{Value:.gz,Name:suffix}]}},Events:[s3:ObjectCreated:],QueueArn:arn:aws:sqs:eu-west-1:#####:eu-aws-sentinel-logging,Id:AWSEventLogging},{Id:AWS event notification,QueueArn:arn:aws:sqs:eu-west-1:#####:#####,Events:[s3:ObjectCreated:],Filter:{Key:{FilterRules:[{Name:Prefix,Value:AWSLogs/#####/CloudTrail/},{Name:Suffix,Value:.gz}]}}},{Id:AWS Event Notifications,QueueArn:arn:aws:sqs:eu-west-1:#####:#####,Events:[s3:ObjectCreated:*],Filter:{Key:{FilterRules:[{Name:Prefix,Value:AWSEventLogs/#####/CloudTrail/},{Name:Suffix,Value:.gz}]}}}]}
JSON received: {QueueConfigurations:[{Filter:{Key:{FilterRules:[{Value:AWSEventLogging/403091056869/CloudTrail/,Name:prefix},{Value:.gz,Name:suffix}]}},Events:[s3:ObjectCreated:],QueueArn:arn:aws:sqs:eu-west-1:#####:#####,Id:AWSEventLogging},{Id:AWS event notification,QueueArn:arn:aws:sqs:eu-west-1:#####:#####-logging,Events:[s3:ObjectCreated:],Filter:{Key:{FilterRules:[{Name:Prefix,Value:AWSLogs/#####/CloudTrail/},{Name:Suffix,Value:.gz}]}}},{Id:AWS Event Notifications,QueueArn:arn:aws:sqs:eu-west-1:#####:#####,Events:[s3:ObjectCreated:*],Filter:{Key:{FilterRules:[{Name:Prefix,Value:AWSEventLogs/#####/CloudTrail/},{Name:Suffix,Value:.gz}]}}}]}
Hello @rmansell757, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!
It appears that it's expecting Double Quotes on all the --tags entries but it's losing these when changing to JSON format.