During a recent customer conversation, a use case was brought up for sending REST API data to Azure Sentinel. This customer had several applications and services that only have a REST API available, so the out of the box Azure Sentinel connectors where not able to cover that. The design goal of the Azure Sentinel connectors is to connect data sources with a couple of clicks. This doesn’t mean that we stop there and that you cannot go beyond the available connectors.
Since Azure Sentinel is based on a workspace (formerly known as an OMS workspace), data can be sent to a workspace leveraging a couple of ways. The most known and common way is via the Microsoft Management Agent (MMA) which can collect a variety of data. Less known is the HTTP Data Collector API. This enables you to send any data to a workspace. As long as it is JSON formatted, it’s just a “HTTP POST” away.
Sending the data can be done using PowerShell, C#, Python and through a number of other options.
Another great option is using a Logic Apps Playbook, which I’ve demonstrated to the customer as a proof of concept and got received very well.
I’ve built a Logic App playbook leveraging a weather service called OpenWeatherMap. They have a free version you can test with.
Getting REST API data is pretty easy using Logic Apps. You add a trigger (like a schedule) and add a HTTP building block to your playbook. From the OpenWeatherMap website, can find how the API call is constructed and use that in the URI field of the HTTP building block:
After the API has returned the data, you can use it anywhere in your playbook. For sending it to the Azure Sentinel workspace we need to parse the data first. For this we leverage a Parse JSON building block:
For the schema, you click on the link “Use sample payload to generate schema” and paste in the body results of the API call into the schema section.
From there you can do whatever you want with the data. You can send it via email, post it on a website, or in our case, send it to the Azure Sentinel workspace.
To send it, you can leverage and configure the Azure Log Analytics building block:
After the playbook has run according your schedule, the data can be found in the Azure Sentinel workspace:
Now that the data is in the Azure Sentinel workspace, you can “join” it with any other data to do correlation, execute hunting queries or even build an analytics alert rule on top of it.
Let’s take our Azure Activity logs. This contains amongst others, sign-in information like location:
I can now “join” this information with my weather information which I’ve sent to the Azure Sentinel workspace by running a simple “join” query:
As you can see, it’s unfortunately not that great of a weather in the Netherlands currently (the value of “main_temp_d” is in Celsius).
With this blogpost I’ve demonstrated how you can send any REST API data to Azure Sentinel.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.