The Challenge – When Security Systems Only Speak S3

Topaz HurvitzTopaz Hurvitz
7 min read

Author's Note: This post weaves technical truths with dramatized experiences. While the technical implementations are accurate, identifying details have been modified to maintain confidentiality.

It was 3 AM when my phone buzzed with that dreaded emergency alert. One of our critical applications had been compromised, but our security team couldn't piece together what happened. Why? Because our security logs were stuck in AWS S3, while our security operations team was watching Microsoft Sentinel. By the time we manually downloaded and analyzed the logs, the attacker had already done their damage.

What exactly was happening? Security events were being recorded in S3 storage, but Sentinel—our threat detection system—couldn't see them until someone manually transferred the data. This disconnect created a dangerous blind spot in our security monitoring, allowing the attacker to complete their mission before we could even begin analyzing what was happening.

That night changed everything. It kicked off a three-month journey to bridge our log gap, culminating in a solution that not only prevented future incidents but also earned me recognition as an "Emerging Security Architect." Today, I'm sharing that journey with you.

The Challenge: When Security Systems Only Speak S3

In today's security landscape, real-time insights aren't just nice to have—they're critical for survival. Yet many security systems still export logs exclusively to AWS S3, creating a dangerous gap when feeding these logs into Microsoft Sentinel. Without immediate access to this data, security teams miss crucial alerts, leading to delayed incident response and increased organizational risk.

Understanding the Key Components

AWS S3 (Simple Storage Service)

AWS S3 is Amazon's cloud storage service that works like a highly reliable, scalable digital filing cabinet for your data. In your security context, it's where your security tools initially store their logs and event data.

Security tools write logs to S3 as files (often in JSON, CSV, or plain text formats), but these logs remain passive until something retrieves them. This creates the "log gap" we're addressing in our solution.

Think of S3 as a secure mailbox where security systems drop their reports. However, these reports just sit there until someone physically checks the mailbox, which is what was happening with our 6-hour delay.

Microsoft Sentinel

Microsoft Sentinel is Azure's cloud-based security information and event management (SIEM) solution. It acts as your security team's central command center, collecting data from various sources to detect, investigate, and respond to threats.

Sentinel needs to ingest logs to analyze them for security incidents. The challenge highlighted in this post is that Sentinel doesn't natively check the "S3 mailbox" where your security logs are stored.

If S3 is the mailbox, Sentinel is the security analyst who needs to read those reports but doesn't have direct access to the mailbox. Our custom Python connector becomes the mail carrier that bridges this gap.

The Log Gap Challenge

The disconnect between where logs are stored (S3) and where they need to be analyzed (Sentinel) creates a security blind spot where threats can hide undetected.

As we experienced firsthand, this gap allowed an attacker to complete their attack before our team could analyze the logs, demonstrating the very real security risk this technical challenge presents.

The Current Landscape

Many security systems—ranging from firewalls and intrusion detection systems to custom applications—export logs solely to AWS S3. This creates several critical bottlenecks:

flowchart TD
    subgraph "Before Solution"
    A1[Security Tools] -->|Generate Logs| B1[AWS S3]
    B1 -->|Wait up to 6hrs| C1[Manual Download]
    C1 -->|Human Processing| D1[CSV/JSON Formatting]
    D1 -->|Manual Upload| E1[Microsoft Sentinel]
    E1 -->|Alert Analysis| F1[Security Response]
    end

    subgraph "After Solution"
    A2[Security Tools] -->|Generate Logs| B2[AWS S3]
    B2 -->|5min Automated Polling| C2[Python Connector]
    C2 -->|Format & Forward| E2[Microsoft Sentinel]
    E2 -->|Immediate Alert Analysis| F2[Rapid Security Response]
    end

    style C1 fill:#f96,stroke:#333
    style C2 fill:#9f6,stroke:#333

Before our custom solution, here's what we faced:

  • 6-hour average delay in log ingestion
  • 2 FTEs spent on manual log correlation
  • 45% increase in mean time to detect (MTTD) incidents
  • Multiple compliance findings from auditors about log monitoring gaps

Business & Compliance Drivers

The pressure to solve this challenge came from multiple directions:

  • Regulatory Requirements:
    • ISO 27001 A.12.4 (Logging and Monitoring): Requires timely review of security events
    • NIST 800-53 AU-6 (Audit Review, Analysis, and Reporting): Mandates automated collection and analysis of audit records
    • Israeli Privacy Protection Regulations (Sections 8, 11): Requires constant monitoring of systems containing personal data
    • GDPR Article 32 (Security of Processing): Demands regular testing and evaluation of security measures
  • Operational Efficiency: Manual log processing was consuming 25 hours/week of SOC team time—time that could be spent on active threat hunting and incident response
  • Financial Impact: Each hour of delay in detecting a breach costs organizations an average of $100,000 according to IBM's Cost of a Data Breach Report
  • Risk Management: Our delayed detection had already resulted in one significant security incident, demonstrating that this wasn't just a theoretical problem
graph TD
    A[Custom Python Connector Solution] --> B[ISO 27001 A.12.4]
    A --> C[NIST 800-53 AU-6]
    A --> D[Israeli Privacy Protection]
    A --> E[GDPR Article 32]

    style A fill:#9f6,stroke:#333

Our Vision: Bridging the Gap

Instead of pursuing vendor solutions that would cost us $80,000 annually plus additional consulting fees for integration, we envisioned a streamlined approach using Python—a language our team was already familiar with. The concept was simple but powerful:

  1. Create a small, efficient Python service that regularly checks S3 for new log files
  2. Process these logs automatically into the format Sentinel expects
  3. Forward them directly to Sentinel using Microsoft's official APIs
  4. Track what's been processed to avoid duplicates and ensure completeness

This straightforward approach would transform our security operations:

flowchart TD
    A[Security Tools] -->|Logs| B[AWS S3]
    B -->|5min Delay| C[Python Connector]
    C -->|Automated| D[Sentinel Import]
    style C fill:#9f6

This transformation would deliver:

  • Near real-time log ingestion (5-minute delay vs. 6 hours)
  • Automated processing without human intervention
  • Significant cost savings vs. commercial solutions
  • Improved compliance posture

Early Lessons from the Trenches

My mentor, a Principal Cloud Security Architect with 12+ years at Fortune 100 companies, taught me a crucial lesson early in this project: "Sometimes the best solution isn't the most expensive one—it's the one your team can maintain and evolve."

This wisdom shaped our approach in several practical ways:

  • We chose Python for its readability and because our team already had Python skills
  • We focused on AWS and Azure native APIs rather than third-party tools that might become obsolete
  • We designed for simplicity and maintainability over complex features
  • We documented extensively to ensure the solution could be maintained even if the original developers left

Impact Preview

Within the first month of deployment:

  • Log ingestion delay dropped from 6 hours to 5 minutes
  • Incident detection time improved by 65%
  • SOC team saved 25 hours/week in manual work
  • Zero missed security incidents due to log delays

The Road Ahead

In this series, we'll walk through the entire journey of building our custom Python connector. Here's what's coming:

  1. Architectural Overview: Deep dive into the solution design
  2. Technical Implementation: Step-by-step guide to building the connector
  3. Deployment & Operations: Making it production-ready
  4. Monitoring & Maintenance: Keeping the solution healthy

Curious about the code? While the detailed implementation will be covered in a future post, you can get a sneak peek at the project's structure and some of the core components in our public GitHub repository

Feel free to explore and contribute!

Your Turn

Have you faced similar challenges with log ingestion across cloud platforms? I'd love to hear your experiences:

  • What's your current log ingestion delay from security tools to your SIEM?
  • Have you built custom connectors or are you using commercial solutions?
  • What were the biggest challenges you faced in implementing real-time security monitoring?

Share your experiences in the comments below. What creative solutions have you implemented to bridge the gap between AWS and Azure?

This post is part of my "From AWS S3 to Microsoft Sentinel: Bridging the Log Gap" series, where I share real-world solutions from the trenches of a mid-scale enterprise. Follow along for more practical insights and career-building war stories.

0
Subscribe to my newsletter

Read articles from Topaz Hurvitz directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSAzuresentinelLogsS3PythonSecurityDevSecOpsintegrationCloudcloudsecurity

Written by

Topaz Hurvitz
Topaz Hurvitz