Everything Azure Sentinel connectors

Hi Everyone,

I have finalized my blog series on ingesting data to Azure Sentinel and thought you might find a summary useful.

Even if you don't find the event or enrichment source in one of the built-in connectors (https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources), there is a good chance that Sentinel does support it, and if not, Sentinel has a broad array of tools to create custom connectors.

Here are the relevant blog posts to guide you to find your connector or develop a custom one:

- Using the agent to collect telemetry from on-prem and IaaS servers: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS/ba-p/811760
- Collecting Azure PaaS services logs: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Collecting-Azure-PaaS-services-logs-in-Azure-Sentinel/ba-p/792669
- The Syslog and CEF source configuration grand list: https://techcommunity.microsoft.com/t5/Azure-Sentinel/The-Syslog-and-CEF-source-configuration-grand-list/ba-p/803891
- Creating Custom Connectors: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060

~ Ofer

3 Replies

Dear @Ofer_Shezaf,
How do I monitor the status of Sentinel connectors (using KQL)? In the context of my problem, there are two types of connectors: (1) the ones with frequent data ingestion (e.g. Azure Activity, Azure Active Directory, Syslog) and (2) the ones with eventual data ingestion (e.g. Microsoft Cloud App Security, Azure Advanced Threat Protection, Azure Security Center, Microsoft Defender Advanced Threat Protection). For the first type, it is easy to monitor via anomaly behaviour functions. My struggle is with the second type. Do you have any idea on how I can address this?

Thanks in advance.


@jjsantanna: there is no easy way to detect anomalies or issues in a phenomenon that has no predictability. Nothing specific to Azure Sentinel here. I think that alerting on a fixed schedule if no alert was generated, or creating a simulation alert on a fixed schedule (both are rather similar solutions), might be a solution.


@Ofer_Shezaf Thanks for your answer. Unfortunately, I was expecting it. Still, how can an MSP guarantee to a client that those "not predictable" connectors are still "on"? The system/Azure/Azure Monitor/Log Analytics/Sentinel should have something that we could check via PowerShell, don't you think?
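The following KQL query is an added example, not part of the thread and not Microsoft's code. It turns the "alert on a fixed schedule if nothing was generated" approach from the reply above into a single check that covers both connector types raised in the question: frequent sources get a short acceptable gap, while alert-driven sources (which land in SecurityAlert) get a long one, on the understanding that silence there is only suspicious after days, not hours. The watched table list, the per-table thresholds and the 30-day lookback are assumptions to tune per workspace; the query reads the standard Usage table, which records ingested volume per DataType in hourly buckets.

```kusto
// Added example: scheduled "silence" check per connector table.
// Assumed inputs: the table names and MaxSilence thresholds below are
// placeholders chosen for illustration; adjust them to the workspace.
let Expected = datatable(DataType:string, MaxSilence:timespan)
[
    // frequent, predictable sources: short acceptable gaps
    "AzureActivity", 2h,
    "SigninLogs",    2h,
    "Syslog",        2h,
    // alert-driven ("eventual") sources write to SecurityAlert; a long
    // window here is the fixed-schedule fallback described in the thread
    "SecurityAlert", 7d
];
let Lookback = 30d;
Usage
| where TimeGenerated > ago(Lookback)
// latest hourly usage bucket seen for each table
| summarize LastIngestion = max(TimeGenerated) by DataType
// rightouter keeps tables that never appeared in Usage during the lookback
| join kind=rightouter Expected on DataType
| extend DataType = coalesce(DataType, DataType1)
// a table with no ingestion at all is treated as silent for the whole lookback
| extend Silence = iff(isnull(LastIngestion), Lookback, now() - LastIngestion)
| where Silence > MaxSilence
| project DataType, LastIngestion, Silence, MaxSilence
```

Run it as a scheduled analytics rule (for example hourly) that raises an incident whenever the query returns any row; an empty result means every watched table has reported within its window. Because Usage is aggregated per hour, allow for an hour or so of lag before treating a short gap as an outage, and pair the long SecurityAlert window with a periodic test alert from each alert-driven product so that an empty week is distinguishable from a broken connector.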