May 08 2020 - last edited on Dec 23 2021
Are you folks planning to add connectors for the following products some time soon?
Adding Connectors for Cisco Umbrella / Cisco Stealth Watch / and Cisco ISE
May 10 2020 12:36 PM
Cisco ISE would simply send the logs to the Sentinel syslog collector. There is no need for a dedicated connector, maybe just a parser in Sentinel. As far as I know they don't know "CEF", so they will arrive in the Syslog table and from there a parser can be built to extract data of interest.
Umbrella logs can be sent to an AWS S3 bucket and from there downloaded locally. Once there, they can be sent to Sentinel. One can also deploy a Sentinel playbook to retrieve the data of interest at regular intervals through their REST API (https://docs.umbrella.com/umbrella-api/docs/list-of-apis). The latter would be my preferred method.
Stealthwatch again has an API that can be used.
I agree that it would be nice to have the API integration already done by Microsoft. However, there are quite a few products that are probably on the "roadmap" and unless their release is imminent, one can invest the time to build the API-based log collector that can be reused for practically any platform that exposes a REST API.
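The reusable API-based collector described above, as an added example that is not part of the original thread or of any Microsoft or Cisco product: it pulls records from a vendor REST API (stubbed here with constructed sample records so it runs offline), trims them to the fields of interest, and builds the signed request for the Log Analytics Data Collector API that writes them into a custom Sentinel table. The workspace ID, shared key, log type name and the record fields are placeholders; the signature scheme (HMAC-SHA256 over the canonical string, keyed with the Base64-decoded shared key) is Microsoft's documented scheme for that API. Sending the request is left to the caller so the example stays offline.

```python
"""Skeleton of a reusable REST-API-to-Sentinel log collector (added example)."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample records, standing in for the JSON a vendor REST API
# (Umbrella, Stealthwatch, ...) would return. Not real data.
SAMPLE_RECORDS = [
    {"timestamp": "2020-05-10T12:00:00Z", "action": "blocked",
     "domain": "example.invalid", "identity": "host-01"},
    {"timestamp": "2020-05-10T12:00:05Z", "action": "allowed",
     "domain": "example.com", "identity": "host-02"},
]

# Hypothetical placeholder credentials; a real deployment reads these from a
# secret store (e.g. Key Vault), never from source.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key-not-a-real-key").decode()


def fetch_records(api_fetch=lambda: SAMPLE_RECORDS):
    """Pull records from the vendor API. The default returns the constructed
    sample set so the example runs offline; pass a real callable in production."""
    return list(api_fetch())


def normalise(records):
    """Keep only the fields of interest and give them stable column names so the
    custom table in Sentinel has a predictable schema for the parser/analytics."""
    return [
        {
            "TimeGenerated": r["timestamp"],
            "Action": r["action"],
            "Domain": r["domain"],
            "Identity": r["identity"],
        }
        for r in records
    ]


def build_string_to_sign(content_length, rfc1123_date, method="POST",
                         content_type="application/json", resource="/api/logs"):
    """Canonical string the Data Collector API expects to be signed."""
    return (f"{method}\n{content_length}\n{content_type}\n"
            f"x-ms-date:{rfc1123_date}\n{resource}")


def build_signature(workspace_id, shared_key, string_to_sign):
    """HMAC-SHA256 over the canonical string, keyed with the decoded shared key,
    formatted as the Authorization header value."""
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(records, log_type, workspace_id=WORKSPACE_ID,
                  shared_key=SHARED_KEY, now=None):
    """Return (url, headers, body) for one batch; the caller POSTs it."""
    body = json.dumps(records)
    stamp = (now or datetime.now(timezone.utc)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    string_to_sign = build_string_to_sign(len(body.encode("utf-8")), stamp)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, string_to_sign),
        "Log-Type": log_type,  # data lands in the <log_type>_CL custom table
        "x-ms-date": stamp,
        "time-generated-field": "TimeGenerated",  # use the event time, not ingest time
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version=2016-04-01")
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(normalise(fetch_records()), "UmbrellaDns")
    print(url)
    print(headers["Authorization"])
    print(body)
```

Scheduling this on a timer (Function App or playbook) and swapping `api_fetch` for the vendor's client is all that changes per product; the signing and upload part is what gets reused.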
May 11 2020 03:16 AM
FYI, Nathan wrote a piece on Umbrella last year: https://www.linkedin.com/pulse/curious-case-saas-3rd-party-azure-sentinel-nathan-swift/