Hey everyone, I'm learning about the Azure environment to stream WorkOS Audit Log Events to our customers’ Microsoft Sentinel.
As a reference, our product has support for other SIEMs such as Splunk and Datadog. IT admins provide via our Dashboard, the credentials/value needed for our API to call their SIEM client and ingest logs.
The goal of this post is to get guidance on the solution with the best experience for IT admins that use Azure's Sentinel.
---
From what I understood, there are two options here:
- An IT admin configures a Log Analytics workspace: With all of the required pieces (data connection endpoint, data collection rule, custom table, etc) and sends all of those values so that WorkOS API can call Azure's client to ingest logs.
- An IT admin installs a data connector from WorkOS on the content hub: This would install a set of pieces (data connection rule, etc) according to the WorkOS logs schema, then the benefit of this is that the IT admin wouldn't have to create those manually and WorkOS would have the ownership to maintain it (I still need to validate if that's indeed the behavior here, refer to the questions below)
So far I believe the data connector approach provides the best experience. This is how I visualize the flow:
- IT admins install data connectors on their Azure's sentinel content hub
- Goes to WorkOS, provides us the credentials needed for our API to ingest logs to Azure
Am I visualizing the correct behavior on the Azure side? Would a data connector work for our integration case?
A couple of other questions to clarify the solution:
- What's the appropriate data connector type? I thought about the Rest API connector, to push logs to Sentinel as mentioned here - however, it seems that the API is deprecated
- After installing a data connector, what are the credentials/values that the IT admin would need to provide to WorkOS to ingest logs on their Azure workspace? Example: Client ID, secret, log ingestion endpoint, etc
