SOLVED

Linux Connectors - MCAS & Sentinel


Just checking – as we are looking at trying to get more info feeding into the solution, and there is a Bluecoat Proxy + Cisco ASA transferring to Palo Alto.

As there is no “connector” listed for Bluecoat in Sentinel, but there is one listed in MCAS, would it make sense to simply ingest the Bluecoat into MCAS and then have MCAS alerts feed into Sentinel?

While this might not be ideal that Sentinel does not have the raw data, at least it will have the Alerts, and by aggregating the data it will reduce the storage needs in Sentinel?

 

Would I be correct in thinking that it’s not possible to run a single Linux Connector that can run various tasks in a PoC scenario? So for the Cisco ASA & the Palo Alto we’d likely need two separate Linux Connectors, one for each task?

3 Replies
Best Response confirmed by David Caddick (Frequent Contributor)
Solution

Hi @David Caddick ,

 

We have plans on streaming MCAS Discovery data directly to Sentinel for investigation.

If you would like to get more details, please contact Danny.Kadyshevitch@microsoft.com and Adam.Zamri@microsoft.com directly.

 

Best,

Boris Kacevich


Thanks @Boris_Kacevich, will do.

 


Hi @David Caddick ,

You may also connect Syslog data into Azure Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog

In case you have any questions regarding our plan on streaming MCAS Discovery data directly to Azure Sentinel, feel free to reach out.

Thanks,

Adam
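As an added example (not part of the thread, and not Microsoft's connector code), here is what the single Linux collector asked about in the original question looks like in practice: one rsyslog drop-in that accepts syslog from both the Cisco ASA and the Palo Alto and forwards it to the Log Analytics agent's CEF listener on localhost TCP 25226, which is the port the Sentinel CEF connector setup configures. The source IPs are constructed placeholders, the file path and function names are this script's own, and it assumes the collector has been set up per the Sentinel CEF/Syslog connector docs linked above (check the current docs for the exact per-appliance connector instructions). The script only generates and writes the config; restarting rsyslog is left to the operator.

```shell
#!/bin/sh
# Added example: one Linux collector, two appliances, one Sentinel agent.
# rsyslog receives on 514/udp+tcp, allow-lists the two appliance IPs, and
# forwards to the Log Analytics agent CEF listener (127.0.0.1:25226/tcp).
# IPs are constructed placeholders; override via the environment.

ASA_IP="${ASA_IP:-10.0.0.10}"       # constructed: Cisco ASA syslog source
PAN_IP="${PAN_IP:-10.0.0.20}"       # constructed: Palo Alto syslog source
AGENT_PORT="${AGENT_PORT:-25226}"   # Log Analytics agent CEF listener (TCP)

# Emit the rsyslog RainerScript config on stdout. $ inside the heredoc is
# escaped where rsyslog (not the shell) must see the variable.
gen_collector_conf() {
  cat <<EOF
# /etc/rsyslog.d/10-sentinel-collector.conf (generated; do not hand-edit)
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="sentinel")
input(type="imtcp" port="514" ruleset="sentinel")

ruleset(name="sentinel") {
    # Only the two known appliances are forwarded; everything else is
    # dropped so an arbitrary host on the segment cannot stuff events
    # into the workspace (and into the ingestion bill).
    if \$fromhost-ip == "$ASA_IP" or \$fromhost-ip == "$PAN_IP" then {
        action(type="omfwd" target="127.0.0.1" port="$AGENT_PORT"
               protocol="tcp"
               queue.type="LinkedList" queue.size="25000"
               action.resumeRetryCount="-1")
    }
    stop
}
EOF
}

# Write the config to the given path (default: the rsyslog drop-in dir)
# and print the path written.
write_collector_conf() {
  out="${1:-/etc/rsyslog.d/10-sentinel-collector.conf}"
  gen_collector_conf > "$out" || return 1
  printf '%s\n' "$out"
}

# Syntax-check a written config before restarting rsyslog. Returns 0 if
# rsyslogd accepts it; 2 if rsyslogd is not installed (nothing checked).
check_collector_conf() {
  conf="$1"
  command -v rsyslogd >/dev/null 2>&1 || return 2
  rsyslogd -N1 -f "$conf" >/dev/null 2>&1
}

# Smoke test against a running collector: send one CEF-formatted line to
# the local 514/tcp listener. Needs util-linux logger and a live rsyslog,
# so it is not run automatically here.
send_test_event() {
  logger -n 127.0.0.1 -P 514 -T \
    "CEF:0|Example|Collector|1.0|100|collector smoke test|1|src=$ASA_IP"
}

# Usage (as root on the collector):
#   conf=$(write_collector_conf) && check_collector_conf "$conf" \
#     && systemctl restart rsyslog && send_test_event
```

Because both inputs are bound to the `sentinel` ruleset, the allow-list applies to everything arriving on 514 regardless of transport; the queue settings keep events on the collector if the local agent is briefly unavailable rather than silently dropping them. Bluecoat (which this thread routes through MCAS instead) would simply be a third IP in the same `if` line if you later decide the raw proxy logs belong in Sentinel too.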