What Changed

New Codeless Connector Framework (CCF) data connector solution for AWS Elastic Load Balancing, enabling ingestion of access logs from Application Load Balancers (ALB) and Network Load Balancers (NLB), and flow logs from NLBs and Gateway Load Balancers (GLB).

Data Source

AWS Elastic Load Balancing Services:

  • ALB access logs → AWSALBAccessLogs table
  • NLB access logs → AWSNLBAccessLogs table
  • NLB/GLB flow logs → AWSELBFlowLogs table (LogType field distinguishes source)

Ingestion Mechanism

CCF connector backed by a Data Collection Rule (DCR), ingesting from an S3 bucket with SQS notifications:

  • Four separate SQS queues, one per log type (ALB access, NLB access, NLB flow, GLB flow)
  • IAM role assumed by Sentinel through OIDC web identity federation (no long-lived AWS access keys)
  • Custom DCR streams: Microsoft-AWSALBAccessLogs, Microsoft-AWSNLBAccessLogs, Microsoft-AWSNLBFlowLogsStream, Microsoft-AWSGLBFlowLogsStream
  • CloudFormation templates provided for automated AWS resource provisioning

Detection Surface Unlocked

Network visibility gains:

  • Load balancer request/response analysis (client, path, user agent, ELB and target status codes) for web application security
  • Network flow monitoring for east-west traffic inspection
  • Backend target health (target status codes, processing times) and connection patterns
  • Potential detection of load balancer abuse, DDoS patterns, and suspicious connection flows
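To show what the "request/response analysis" above looks like in practice, here is an added example that is not part of the AWS ELB solution or its parsers: a small Python parser for the documented ALB access log line format (space-delimited, double-quoted string fields) plus two detections run over constructed sample lines. The `_line` helper, the sample records, the IPs and the thresholds (`error_ratio`, `min_requests`, `scan_paths`) are all assumptions made for the illustration; the field order follows the AWS ALB access log layout.

```python
"""ALB access log parsing and two simple per-client detections.

Added example; not code from the AWS ELB Sentinel solution. Field order
follows the documented ALB access log format. Sample lines are constructed.
"""
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# First 29 fields of an ALB access log entry, in documented order.
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]


def parse_alb_line(line: str) -> dict:
    """Split one ALB access log line into a dict keyed by ALB_FIELDS.

    shlex handles the double-quoted fields (request, user agent, ...).
    Trailing fields added by newer log versions are ignored.
    """
    tokens = shlex.split(line)
    if len(tokens) < len(ALB_FIELDS):
        raise ValueError(f"expected >= {len(ALB_FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(ALB_FIELDS, tokens))
    rec["client_ip"] = rec["client_port"].rsplit(":", 1)[0]
    method, _, rest = rec["request"].partition(" ")   # "GET <url> HTTP/1.1"
    rec["method"] = method
    rec["path"] = urlsplit(rest.rsplit(" ", 1)[0]).path  # drop HTTP version
    rec["elb_status"] = int(rec["elb_status_code"])
    return rec


def detect(records, error_ratio=0.5, min_requests=5, scan_paths=10) -> dict:
    """Flag client IPs with a high ELB-side 4xx/5xx ratio (forced browsing,
    credential stuffing) or many distinct paths (path enumeration).
    Thresholds are assumptions chosen for the example."""
    per_client = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for r in records:
        c = per_client[r["client_ip"]]
        c["total"] += 1
        c["errors"] += r["elb_status"] >= 400
        c["paths"].add(r["path"])
    findings = {}
    for ip, c in per_client.items():
        reasons = []
        if c["total"] >= min_requests and c["errors"] / c["total"] >= error_ratio:
            reasons.append("high_error_ratio")
        if len(c["paths"]) >= scan_paths:
            reasons.append("path_enumeration")
        if reasons:
            findings[ip] = reasons
    return findings


def analyze(lines) -> dict:
    """Parse raw lines and return detection findings keyed by client IP."""
    return detect(parse_alb_line(line) for line in lines)


def _line(ts, client, target, elb_status, target_status, request,
          ua="curl/7.46.0"):
    # Constructed sample line in ALB access-log layout (illustrative values).
    return (f"http {ts} app/demo-alb/50dc6c495c0c9188 {client} {target} "
            f"0.000 0.001 0.000 {elb_status} {target_status} 34 366 "
            f'"{request}" "{ua}" - - '
            f"arn:aws:elasticloadbalancing:us-east-1:123456789012:"
            f"targetgroup/demo/73e2d6bc24d8a067 "
            f'"Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 0 {ts} '
            f'"forward" "-" "-" "{target}" "{target_status}" "-" "-"')


# Constructed sample log: a benign client, a path-enumerating scanner that
# gets 404s, and a client that hit backend 503s but too rarely to flag.
SAMPLE_LOG = [
    _line("2024-05-01T10:00:00.000000Z", "198.51.100.10:51000", "10.0.1.5:80",
          200, 200, "GET http://shop.example.com:80/ HTTP/1.1"),
    _line("2024-05-01T10:00:01.000000Z", "198.51.100.10:51001", "10.0.1.5:80",
          200, 200, "GET http://shop.example.com:80/cart HTTP/1.1"),
] + [
    _line(f"2024-05-01T10:01:{i:02d}.000000Z", f"203.0.113.7:{40000 + i}",
          "10.0.1.5:80", 404, 404,
          f"GET http://shop.example.com:80/admin{i} HTTP/1.1",
          "python-requests/2.31")
    for i in range(12)
] + [
    _line(f"2024-05-01T10:02:{i:02d}.000000Z", f"192.0.2.44:{42000 + i}",
          "10.0.1.6:80", 503, "-",
          "POST http://shop.example.com:80/api/login HTTP/1.1")
    for i in range(3)
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, reasons)
```

The same per-client aggregation maps directly onto a KQL summarize over the ingested table once the parser normalises the fields; the point of doing it in Python here is to show that the ELB-side status code (not only the target's) and the distinct-path count are the two signals worth keeping in the schema, and that a minimum request count is needed so a handful of backend 503s does not page anyone.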

Bundled Content:

  • 3 parsers: AWSALBAccessLogsData, AWSNLBAccessLogsData, AWSELBFlowLogsData
  • Sample queries for basic log exploration
  • Custom table definitions for KQL validation testing

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AWSALBAccessLogs.json
.script/tests/KqlvalidationsTests/CustomTables/AWSALBAccessLogs_CL.json
.script/tests/KqlvalidationsTests/CustomTables/AWSELBFlowLogs.json
.script/tests/KqlvalidationsTests/CustomTables/AWSELBFlowLogs_CL.json
.script/tests/KqlvalidationsTests/CustomTables/AWSNLBAccessLogs.json
.script/tests/KqlvalidationsTests/CustomTables/AWSNLBAccessLogs_CL.json
Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_ConnectorDefinition.json
Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_DCR.json
Solutions/AWS ELB/Data Connectors/AWSELBConnector_CCF/AWSELBConnector_PollingConfig.json
Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/AWSS3ELB.json
Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/OIDCWebIdProvider.json
Solutions/AWS ELB/Data Connectors/CloudFormationTemplates/README.md
Solutions/AWS ELB/Package/testParameters.json
Solutions/AWS ELB/Parsers/AWSALBAccessLogsData.yaml
Solutions/AWS ELB/Parsers/AWSELBFlowLogsData.yaml
Solutions/AWS ELB/Parsers/AWSNLBAccessLogsData.yaml
Tools/Create-Azure-Sentinel-Solution/common/createCCPConnector.ps1
Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AWSELB.json, createUiDefinition.json, mainTemplate.json)