Connect Data to Azure Sentinel Using Data Connectors

By Ashwin Venugopal -

 



Ingest Log Data with Data Connectors

You should connect your data sources with Azure Sentinel Connectors to collect the log data whose page displays a growing list of the connectors provided by Azure Sentinel, after selecting the Open connector page (the detailed connector page has a left and right blade). 

The information about the connector, the connector's status, and the last time a log was received if connected is provided by the left blade. Whereas the right tab has two tabs- Instructions and Next Steps. The instructions tab can be different based on the connector having Prerequisites and Configuration which can be followed to connect to the data source. The Next Steps tab offers a quick reference to workbooks, query samples, and analytical templates. Data connectors can only be disconnected/deactivated, not deleted.

Note- The connector does not install Workbooks and Analytical Templates as they are already available in the Sentinel environment for out of the box connectors.

Understand Data Connectors Providers

Microsoft 365 Defender

The alerts and data that has already been normalized as well as used in the Microsoft 365 Defender portal, are provided by the Microsoft 365 Defender and related data connectors which includes products like:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Cloud App Security   

Microsoft/Azure Services

The connectors for Microsoft and Azure-related services includes (but are not limited to):
  • Azure Active Directory- audit logs and sign-in logs
  • Azure Activity
  • Azure AD Identity Protection
  • Azure DDOS Protection
  • Azure Defender to IoT
  • Azure Information Protection
  • Azure Firewall
  • Azure Security Center- alerts from Azure Defender solutions
  • Azure Web Application Firewall (WAF)
  • Cloud App Security 
  • Domain name server
  • Office 365
  • Windows firewall
  • Security events

Vendor Connectors

Azure Sentinel provides an ever-growing list of vendor-specific data connectors that primarily use the CEF and Syslog connector. 

Custom Connectors Using the Log Analytics API

You can use the Log Analytics Data Collector API to send log data to the Azure Sentinel Log Analytics workspace.

Logstash plugin

You are able to send any log you want through Logstash directly to your Log Analytics workspace in Azure Sentinel with the help of Azure Sentinel's output plugin for the Logstash data collection engine. The logs are written to a custom table that can be defined using the output plugin.

CEF & Syslog Connector

The generic Common Event Format (CEF) or Syslog connector can be used if there is no vendor-provided connector which is known as an open event logging protocol that is common to Linux. Messages will be send by the Applications that may be stored on the local machine or delivered to a Syslog connector. Whereas CEF is an industry-standard format on top of Syslog messages, extensively used by many security vendors to allow event interoperability among different platforms.

Syslog vs. Common Event Format

CEF is always considered as a superior choice because the log data is parsed into predefined fields in the CommonSecurityLog table while Syslog always provides header fields, but its raw log message is stored in a field named Syslog Message in the Syslog table. You have to write a parser to extract the specific fields for the Syslog data to be queried. 

Connector architecture options

To connect the CEF or Syslog Collector to Azure Sentinel, the agent must deploy on a dedicated Azure VM or an on-premises system to support the appliance's communication with Azure Sentinel, automatically or manually. Automatic deployment is available only if your dedicated machine is a VM in Azure. Alternatively, you can  always manually deploy the agent on an existing Azure VM, on a VM in another cloud, or an on-premises machine.  

View Connected Hosts

The Data Connector page clearly shows the connectors that are connected and the amount of Windows as well as Linux hosts connected with the Log Analytics agent is available in the Log Analytics worksapce. To see your connected hosts you can do the following steps:

  • Select Settings
  • Workspace Setting (this will transfer you to Log Analytics)
  • In Log Analytics Settings area select Agents Management
  • There are two tabs to view- one for Windows other for Linux     










Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more