Connect Data to Azure Sentinel Using Data Connectors

 



Ingest Log Data with Data Connectors

You should connect your data sources with Azure Sentinel Connectors to collect the log data whose page displays a growing list of the connectors provided by Azure Sentinel, after selecting the Open connector page (the detailed connector page has a left and right blade). 

The information about the connector, the connector's status, and the last time a log was received if connected is provided by the left blade. Whereas the right tab has two tabs- Instructions and Next Steps. The instructions tab can be different based on the connector having Prerequisites and Configuration which can be followed to connect to the data source. The Next Steps tab offers a quick reference to workbooks, query samples, and analytical templates. Data connectors can only be disconnected/deactivated, not deleted.

Note- The connector does not install Workbooks and Analytical Templates as they are already available in the Sentinel environment for out of the box connectors.

Understand Data Connectors Providers

Microsoft 365 Defender

The alerts and data that has already been normalized as well as used in the Microsoft 365 Defender portal, are provided by the Microsoft 365 Defender and related data connectors which includes products like:

  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Cloud App Security   

Microsoft/Azure Services

The connectors for Microsoft and Azure-related services includes (but are not limited to):
  • Azure Active Directory- audit logs and sign-in logs
  • Azure Activity
  • Azure AD Identity Protection
  • Azure DDOS Protection
  • Azure Defender to IoT
  • Azure Information Protection
  • Azure Firewall
  • Azure Security Center- alerts from Azure Defender solutions
  • Azure Web Application Firewall (WAF)
  • Cloud App Security 
  • Domain name server
  • Office 365
  • Windows firewall
  • Security events

Vendor Connectors

Azure Sentinel provides an ever-growing list of vendor-specific data connectors that primarily use the CEF and Syslog connector. 

Custom Connectors Using the Log Analytics API

You can use the Log Analytics Data Collector API to send log data to the Azure Sentinel Log Analytics workspace.

Logstash plugin

You are able to send any log you want through Logstash directly to your Log Analytics workspace in Azure Sentinel with the help of Azure Sentinel's output plugin for the Logstash data collection engine. The logs are written to a custom table that can be defined using the output plugin.

CEF & Syslog Connector

The generic Common Event Format (CEF) or Syslog connector can be used if there is no vendor-provided connector which is known as an open event logging protocol that is common to Linux. Messages will be send by the Applications that may be stored on the local machine or delivered to a Syslog connector. Whereas CEF is an industry-standard format on top of Syslog messages, extensively used by many security vendors to allow event interoperability among different platforms.

Syslog vs. Common Event Format

CEF is always considered as a superior choice because the log data is parsed into predefined fields in the CommonSecurityLog table while Syslog always provides header fields, but its raw log message is stored in a field named Syslog Message in the Syslog table. You have to write a parser to extract the specific fields for the Syslog data to be queried. 

Connector architecture options

To connect the CEF or Syslog Collector to Azure Sentinel, the agent must deploy on a dedicated Azure VM or an on-premises system to support the appliance's communication with Azure Sentinel, automatically or manually. Automatic deployment is available only if your dedicated machine is a VM in Azure. Alternatively, you can  always manually deploy the agent on an existing Azure VM, on a VM in another cloud, or an on-premises machine.  

View Connected Hosts

The Data Connector page clearly shows the connectors that are connected and the amount of Windows as well as Linux hosts connected with the Log Analytics agent is available in the Log Analytics worksapce. To see your connected hosts you can do the following steps:

  • Select Settings
  • Workspace Setting (this will transfer you to Log Analytics)
  • In Log Analytics Settings area select Agents Management
  • There are two tabs to view- one for Windows other for Linux     










Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)