Sentinel
17 Topics

Creating a Custom Sentinel GCP WAF / Load Balancer Data Connector
Understanding ARM Templates

ARM templates are JSON files that define the resources needed for your applications. They allow for infrastructure as code, making deployment and management more efficient and consistent. By leveraging ARM templates, you can automate the creation and configuration of your Sentinel GCP data connector.

Prerequisites

Before proceeding, ensure you have:
- An active Azure subscription
- Admin access to both your Azure (Microsoft Sentinel Contributor permissions) and GCP accounts
- Basic knowledge of JSON and ARM templates

Creating a Custom Table in Azure Sentinel

For more information about the custom table creation experience, please see the documentation. To create a custom table in Azure Sentinel:
1. Navigate to the Azure Sentinel workspace in the Azure portal.
2. Select Tables from the left-hand menu.
3. Click on + Create to add a new table.
4. Define the table schema according to the log data you plan to ingest. This includes fields such as timestamp, log level, source, and message.
5. Save the table and ensure it is available for log ingestion.

Step-by-Step Process

1. Setting Up Pub/Sub in GCP

To start, you need to create a Pub/Sub topic and subscription in GCP:
- Navigate to the GCP console.
- Select Pub/Sub from the menu.
- Create a new topic and name it appropriately, such as `sentinel-logs`.
- Under the topic, create a subscription. This subscription will pull the logs from GCP and push them to Azure Sentinel.

2. Configuring Audit Log Streaming

Next, configure GCP to stream audit logs to your Pub/Sub topic:
- Navigate to the Logging section in the GCP console.
- Select the desired audit logs you wish to export.
- Set the destination as your Pub/Sub topic.

3. Creating the ARM Template

The ARM template will define the resources needed to connect GCP logs to Azure Sentinel. Use the attached template (in the last section) and update the parameters based on the instructions given in the comments (search for the word "Modify" to go to the relevant parameters that need to be modified). This template creates a linked service in Azure Sentinel that connects to the specified GCP Pub/Sub subscription.

4. Deploying the ARM Template

Deploy the ARM template through the Azure portal or using Azure CLI:
- In the Azure portal, navigate to the 'Deploy a custom template' section.
- Click on Build your own template in the editor.
- Delete the existing content.
- Paste the ARM template JSON file and fill in the required parameters.
- Click on Save.
- Enter the resource group, workspace name and workspace location details.
- Click 'Review + Create' and then 'Create' to deploy the template.
Once the template is deployed, you can search for the data connector.

Configure the Data Connector

- Open the data connector page.
- Click on Add new collector, enter the GCP account details and then click Connect.

Verifying the Connection

Once deployed, verify that logs are being ingested into Azure Sentinel:
- Check the Azure Sentinel workspace for incoming logs.
- Ensure that the logs from the specified GCP audit logs are appearing as expected.
- Troubleshoot any missing logs by reviewing Pub/Sub configurations and subscriptions.

Advanced Configuration

For advanced users, consider customizing the ARM template to ingest other types of logs or incorporate additional GCP services:
- Modify the Pub/Sub topic to include additional log sources.
- Create multiple linked services within the ARM template for different log types.
- Incorporate custom parsing and transformation rules within Azure Sentinel for GCP logs.

Conclusion

Building a custom Sentinel GCP data connector using an ARM template allows for more flexibility and control over the types of logs ingested from GCP.
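The template ties the connector together purely by name: the graphQueriesTableName in the connector definition, the DCR's streamDeclarations and outputStream, the tables resource, and the dataType and streamName of the GCP dataConnectors resource all have to agree, and a mismatch introduced while following the "Modify" comments produces a connector that deploys cleanly but never shows data. The following Python checker is an added example, not part of the original post or of any Microsoft tooling: it strips the // comments the template uses (which json.loads rejects), finds those resources wherever they are nested, and reports every disagreement plus any publisher placeholder left in place. SAMPLE_TEMPLATE is a constructed, trimmed stand-in that keeps only the fields the checks read; pass the path of the full template saved from the last section to check the real thing.

```python
import json
import sys

# Values the template ships with that must be replaced before publishing.
PLACEHOLDERS = {"companyname", "Companyname", "support@microsoft.com", "http://www.microsoft.com"}
DEFINITION_TYPE = "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions"
CONNECTOR_TYPE = "Microsoft.OperationalInsights/workspaces/providers/dataConnectors"
TABLE_TYPE = "Microsoft.OperationalInsights/workspaces/tables"
DCR_TYPE = "Microsoft.Insights/dataCollectionRules"


def strip_line_comments(text):
    """Drop // comments outside string literals (json.loads rejects them,
    while the '//' inside URLs such as http://... must survive)."""
    out, in_str, esc, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if not in_str and text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        out.append(ch)
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        i += 1
    return "".join(out)


def load_template(text):
    return json.loads(strip_line_comments(text))


def find_resources(node, rtype):
    """Collect resources of one type, descending into nested mainTemplate blocks."""
    if isinstance(node, dict):
        own = [node] if node.get("type") == rtype else []
        return own + [r for v in node.values() for r in find_resources(v, rtype)]
    if isinstance(node, list):
        return [r for v in node for r in find_resources(v, rtype)]
    return []


def check_template(tpl):
    """Return one message per inconsistency; an empty list means the names agree."""
    tables = find_resources(tpl, TABLE_TYPE)
    if len(tables) != 1:
        return [f"expected exactly one custom table resource, found {len(tables)}"]
    schema = tables[0]["properties"]["schema"]
    table, table_cols = schema["name"], {c["name"] for c in schema["columns"]}
    issues, declared = [], set()
    for dcr in find_resources(tpl, DCR_TYPE):
        decls = dcr["properties"].get("streamDeclarations", {})
        declared |= set(decls)
        for stream, decl in decls.items():
            # Every column the stream delivers must exist in the destination table.
            missing = {c["name"] for c in decl["columns"]} - table_cols
            if missing:
                issues.append(f"stream {stream} has columns missing from {table}: {sorted(missing)}")
        for flow in dcr["properties"].get("dataFlows", []):
            issues += [f"dataFlow references undeclared stream {s}" for s in flow.get("streams", []) if s not in decls]
            if flow.get("outputStream") != f"Custom-{table}":
                issues.append(f"DCR outputStream {flow.get('outputStream')} != Custom-{table}")
    for definition in find_resources(tpl, DEFINITION_TYPE):
        ui = definition["properties"]["connectorUiConfig"]
        if ui.get("graphQueriesTableName") != table:
            issues.append(f"graphQueriesTableName {ui.get('graphQueriesTableName')} != {table}")
        if ui.get("publisher") in PLACEHOLDERS:
            issues.append("publisher still carries the template placeholder")
    for connector in find_resources(tpl, CONNECTOR_TYPE):
        props = connector["properties"]
        if props.get("dataType") != table:
            issues.append(f"dataConnector dataType {props.get('dataType')} != {table}")
        stream = props.get("dcrConfig", {}).get("streamName")
        if stream not in declared:
            issues.append(f"dataConnector streamName {stream} is not declared by any DCR")
    return issues


# Constructed, trimmed stand-in for the full template: just the resources and
# fields the checks read, with the same names the template in the post uses.
SAMPLE_TEMPLATE = r'''{
  "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
    "properties": { "mainTemplate": { "resources": [
      { "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
        "properties": { "connectorUiConfig": {
          "publisher": "Contoso SOC", // constructed: placeholder already replaced
          "descriptionMarkdown": "Docs: https://example.invalid/gcp-waf",
          "graphQueriesTableName": "GCPWAFlogs_CL" } } },
      { "type": "Microsoft.Insights/dataCollectionRules",
        "properties": {
          "streamDeclarations": { "Custom-GCPWAF": { "columns": [
            { "name": "insertId", "type": "string" }, { "name": "httpRequest", "type": "string" } ] } },
          "dataFlows": [ { "streams": [ "Custom-GCPWAF" ], "destinations": [ "clv2ws1" ],
            "outputStream": "Custom-GCPWAFlogs_CL" } ] } },
      { "type": "Microsoft.OperationalInsights/workspaces/tables",
        "properties": { "schema": { "name": "GCPWAFlogs_CL", "columns": [
          { "name": "insertId", "type": "string" }, { "name": "httpRequest", "type": "string" },
          { "name": "TimeGenerated", "type": "datetime" } ] } } },
      { "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
        "properties": { "dataType": "GCPWAFlogs_CL", "dcrConfig": { "streamName": "Custom-GCPWAF" } } }
    ] } } } ]
}'''


if __name__ == "__main__":
    # Usage: python check_ccp_template.py [template.json]; without a path the sample is checked.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    problems = check_template(load_template(source))
    print("\n".join(problems) if problems else "template names are consistent")
    sys.exit(1 if problems else 0)
```

The checker deliberately walks into nested mainTemplate blocks, because the connector definition and the DCR in this template live inside a contentTemplates resource rather than at the top level; a check that only looked at the outer resources array would miss them. A non-zero exit code makes it easy to run as a gate before the portal deployment step.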
By following this guide, you can ensure that your cloud infrastructure is monitored comprehensively, enhancing your security posture and operational efficiency. We hope this guide empowers you to leverage the full potential of Azure Sentinel and GCP integration. Should you have any further questions or require assistance, please do not hesitate to reach out.

ARM Template Content

Copy the content below, paste it into Notepad and save it as a JSON file.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "author": "Microsoft",
    "comments": "Solution template for GCP WAF"
  },
  "parameters": {
    "location": {
      "type": "string",
      "minLength": 1,
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
      }
    },
    "workspace-location": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
      }
    },
    "workspace": {
      "defaultValue": "",
      "type": "string",
      "metadata": {
        "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
      }
    },
    "resourceGroupName": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": {
        "description": "resource group name where Microsoft Sentinel is setup"
      }
    },
    "subscription": {
      "type": "string",
      "defaultValue": "[last(split(subscription().id, '/'))]",
      "metadata": {
        "description": "subscription id where Microsoft Sentinel is setup"
      }
    }
  },
  "variables": {
    "_solutionName": "GCP WAF and Load Balancer",
    "_solutionVersion": "3.0.0",
    "solutionId": "azuresentinel.azure-sentinel-solution-id-api",
    "_solutionId": "[variables('solutionId')]",
    "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
    "dataConnectorCCPVersion": "1.0.0",
    "_dataConnectorContentIdConnectorDefinition1": "GCPDefinition",
    "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
    "_dataConnectorContentIdConnections1": "GCPTemplateConnections",
    "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
    "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
    "blanks": "[replace('b', 'b', '')]",
    "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
      "apiVersion": "2023-04-01-preview",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
      "location": "[parameters('workspace-location')]",
      "dependsOn": [
        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
      ],
      "properties": {
        "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
        "displayName": "GCP WAF",
        "contentKind": "DataConnector",
        "mainTemplate": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "[variables('dataConnectorCCPVersion')]",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
              "apiVersion": "2022-09-01-preview",
              "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
              "location": "[parameters('workspace-location')]",
              "kind": "Customizable",
              "properties": {
                "connectorUiConfig": {
                  "id": "GCPDefinition",
                  "title": "GCP WAF",
                  "publisher": "companyname", // Modify to your user/company name
                  "descriptionMarkdown": "GCP custom connector to ingest WAF and Load Balance logs",
                  "graphQueriesTableName": "GCPWAFlogs_CL", // Modify to your table name; it must match the tables resource name and the DCR outputStream below
                  "graphQueries": [
                    { "metricName": "Total events received", "legend": "GCP WAF Events", "baseQuery": "{{graphQueriesTableName}}" }
                  ],
                  "sampleQueries": [
                    { "description": "Get Sample of logs", "query": "{{graphQueriesTableName}}\n | take 10" }
                  ],
                  "dataTypes": [
                    { "name": "{{graphQueriesTableName}}", "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }
                  ],
                  "connectivityCriteria": [
                    { "type": "HasDataConnectors", "value": null }
                  ],
                  "availability": { "status": 1, "isPreview": false },
                  "permissions": {
                    "resourceProvider": [
                      {
                        "provider": "Microsoft.OperationalInsights/workspaces",
                        "permissionsDisplayText": "Read and Write permissions are required.",
                        "providerDisplayName": "Workspace",
                        "scope": "Workspace",
                        "requiredPermissions": { "read": true, "write": true, "delete": true, "action": false }
                      },
                      {
                        "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
                        "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
                        "providerDisplayName": "Keys",
                        "scope": "Workspace",
                        "requiredPermissions": { "read": false, "write": false, "delete": false, "action": true }
                      }
                    ]
                  },
                  "instructionSteps": [
                    {
                      "instructions": [
                        {
                          "type": "Markdown",
                          "parameters": {
                            "content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)."
                          }
                        },
                        {
                          "type": "CopyableLabel",
                          "parameters": {
                            "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
                            "fillWith": [ "TenantId" ],
                            "name": "PoolId",
                            "disabled": true
                          }
                        },
                        {
                          "type": "Markdown",
                          "parameters": {
                            "content": "#### 2. Connect new collectors \n To enable GCP for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
                          }
                        },
                        { "type": "GCPGrid", "parameters": {} },
                        { "type": "GCPContextPane", "parameters": {} }
                      ]
                    }
                  ],
                  "isConnectivityCriteriasMatchSome": false
                }
              }
            },
            {
              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
              "apiVersion": "2022-01-01-preview",
              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
              "properties": {
                "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
                "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
                "kind": "DataConnector",
                "version": "[variables('dataConnectorCCPVersion')]",
                "source": { "sourceId": "[variables('_solutionId')]", "name": "[variables('_solutionName')]", "kind": "Solution" },
                "author": {
                  "name": "Microsoft" // Modify to your user/company name
                },
                "support": {
                  "name": "Companyname", // Modify to your user/company name
                  "email": "support@microsoft.com", // Modify to your email
                  "tier": "Partner",
                  "link": "http://www.microsoft.com" // Modify to a support link
                },
                "dependencies": {
                  "criteria": [
                    { "version": "[variables('dataConnectorCCPVersion')]", "contentId": "[variables('_dataConnectorContentIdConnections1')]", "kind": "ResourcesDataConnector" }
                  ]
                }
              }
            },
            {
              "name": "GCPWAFDCR1",
              "apiVersion": "2022-06-01",
              "type": "Microsoft.Insights/dataCollectionRules",
              "location": "[parameters('workspace-location')]",
              "kind": "[variables('blanks')]",
              "properties": {
                "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]",
                "streamDeclarations": {
                  "Custom-GCPWAF": {
                    "columns": [
                      { "name": "insertId", "type": "string" },
                      { "name": "jsonPayload", "type": "string" },
                      { "name": "logName", "type": "string" },
                      { "name": "receiveTimestamp", "type": "string" },
                      { "name": "resource", "type": "string" },
                      { "name": "severity", "type": "string" },
                      { "name": "httpRequest", "type": "string" },
                      { "name": "spanId", "type": "string" },
                      { "name": "timestamp", "type": "string" }
                    ]
                  }
                },
                "destinations": {
                  "logAnalytics": [
                    { "workspaceResourceId": "[variables('workspaceResourceId')]", "name": "clv2ws1" }
                  ]
                },
                "dataFlows": [
                  {
                    "streams": [ "Custom-GCPWAF" ],
                    "destinations": [ "clv2ws1" ],
                    "transformKql": "source | extend TimeGenerated = now()",
                    "outputStream": "Custom-GCPWAFlogs_CL"
                  }
                ]
              }
            },
            {
              "name": "GCPWAFlogs_CL",
              "apiVersion": "2022-10-01",
              "type": "Microsoft.OperationalInsights/workspaces/tables",
              "location": "[parameters('workspace-location')]",
              "kind": null,
              "properties": {
                "schema": {
                  "name": "GCPWAFlogs_CL",
                  "columns": [
                    { "name": "insertId", "type": "string" },
                    { "name": "jsonPayload", "type": "string" },
                    { "name": "logName", "type": "string" },
                    { "name": "receiveTimestamp", "type": "string" },
                    { "name": "resource", "type": "string" },
                    { "name": "timestamp", "type": "string" },
                    { "name": "severity", "type": "string" },
                    { "name": "httpRequest", "type": "string" },
                    { "name": "spanId", "type": "string" },
                    { "name": "TimeGenerated", "type": "datetime" }
                  ]
                }
              }
            }
          ]
        },
        "packageKind": "Solution",
        "packageVersion": "[variables('_solutionVersion')]",
        "packageName": "[variables('_solutionName')]",
        "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
        "packageId": "[variables('_solutionId')]",
        "contentSchemaVersion": "3.0.0",
        "version": "[variables('dataConnectorCCPVersion')]"
      }
    },
    {
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
      "apiVersion": "2022-09-01-preview",
      "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
      "location": "[parameters('workspace-location')]",
      "kind": "Customizable",
      "properties": {
        "connectorUiConfig": {
          "id": "GCPDefinition",
          "title": "GCP WAF",
          "publisher": "companyname", // Modify to your user/company name
          "descriptionMarkdown": "GCP custom connector to ingest WAF and Load Balance logs",
          "graphQueriesTableName": "GCPWAFlogs_CL", // Modify to your table name; it must match the tables resource name and the DCR outputStream above
          "graphQueries": [
            { "metricName": "Total events received", "legend": "GCP WAF Events", "baseQuery": "{{graphQueriesTableName}}" }
          ],
          "sampleQueries": [
            { "description": "Get Sample of logs", "query": "{{graphQueriesTableName}}\n | take 10" }
          ],
          "dataTypes": [
            { "name": "{{graphQueriesTableName}}", "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }
          ],
          "connectivityCriteria": [
            { "type": "HasDataConnectors", "value": null }
          ],
          "availability": { "status": 1, "isPreview": false },
          "permissions": {
            "resourceProvider": [
              {
                "provider": "Microsoft.OperationalInsights/workspaces",
                "permissionsDisplayText": "Read and Write permissions are required.",
                "providerDisplayName": "Workspace",
                "scope": "Workspace",
                "requiredPermissions": { "read": true, "write": true, "delete": true, "action": false }
              },
              {
                "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
                "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
                "providerDisplayName": "Keys",
                "scope": "Workspace",
                "requiredPermissions": { "read": false, "write": false, "delete": false, "action": true }
              }
            ]
          },
          "instructionSteps": [
            {
              "instructions": [
                {
                  "type": "Markdown",
                  "parameters": {
                    "content": "#### 1. Set up your GCP environment \n You must have the following GCP resources defined and configured: topic, subscription for the topic, workload identity pool, workload identity provider and service account with permissions to get and consume from subscription. \n Terraform provides API for the IAM that creates the resources. [Link to Terraform scripts](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GCP/Terraform/sentinel_resources_creation)."
                  }
                },
                {
                  "type": "CopyableLabel",
                  "parameters": {
                    "label": "Tenant ID: A unique identifier that is used as an input in the Terraform configuration within a GCP environment.",
                    "fillWith": [ "TenantId" ],
                    "name": "PoolId",
                    "disabled": true
                  }
                },
                {
                  "type": "Markdown",
                  "parameters": {
                    "content": "#### 2. Connect new collectors \n To enable GCP for Microsoft Sentinel, click the Add new collector button, fill the required information in the context pane and click on Connect."
                  }
                },
                { "type": "GCPGrid", "parameters": {} },
                { "type": "GCPContextPane", "parameters": {} }
              ]
            }
          ],
          "isConnectivityCriteriasMatchSome": false
        }
      }
    },
    {
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
      "apiVersion": "2022-01-01-preview",
      "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
      "properties": {
        "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
        "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
        "kind": "DataConnector",
        "version": "[variables('dataConnectorCCPVersion')]",
        "source": { "sourceId": "[variables('_solutionId')]", "name": "[variables('_solutionName')]", "kind": "Solution" },
        "author": {
          "name": "Microsoft" // Modify to your user/company name
        },
        "support": {
          "name": "companyname", // Modify to your user/company name
          "email": "support@microsoft.com", // Modify to your email
          "tier": "Partner",
          "link": "http://www.microsoft.com" // Modify to a support link
        },
        "dependencies": {
          "criteria": [
            { "version": "[variables('dataConnectorCCPVersion')]", "contentId": "[variables('_dataConnectorContentIdConnections1')]", "kind": "ResourcesDataConnector" }
          ]
        }
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
      "apiVersion": "2023-04-01-preview",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
      "location": "[parameters('workspace-location')]",
      "dependsOn": [
        "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
      ],
      "properties": {
        "contentId": "[variables('_dataConnectorContentIdConnections1')]",
        "displayName": "GCP WAF",
        "contentKind": "ResourcesDataConnector",
        "mainTemplate": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "[variables('dataConnectorCCPVersion')]",
          "parameters": {
            "GCPProjectId": { "type": "String", "minLength": 4 },
            "GCPProjectNumber": { "type": "String", "minLength": 1 },
            "GCPWorkloadIdentityProviderId": { "type": "String" },
            "GCPServiceAccountEmail": { "type": "String", "minLength": 1 },
            "GCPSubscriptionName": { "type": "String", "minLength": 3 },
            "connectorDefinitionName": {
              "defaultValue": "connectorDefinitionName",
              "type": "string",
              "minLength": 1,
              "metadata": { "description": "connectorDefinitionName" }
            },
            "workspace2": { "defaultValue": "[parameters('workspace')]", "type": "string" },
            "dcrConfig": {
              "type": "object",
              "defaultValue": {
                "dataCollectionEndpoint": "data collection Endpoint",
                "dataCollectionRuleImmutableId": "data collection rule immutableId"
              }
            },
            "guidValue": { "type": "string", "defaultValue": "[[newGuid()]" }
          },
          "variables": {
            "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
          },
          "resources": [
            {
              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
              "apiVersion": "2022-01-01-preview",
              "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
              "properties": {
                "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
                "contentId": "[variables('_dataConnectorContentIdConnections1')]",
                "kind": "ResourcesDataConnector",
                "version": "[variables('dataConnectorCCPVersion')]",
                "source": { "sourceId": "[variables('_solutionId')]", "name": "[variables('_solutionName')]", "kind": "Solution" },
                "author": {
                  "name": "Microsoft" // Modify to your user/company name
                },
                "support": {
                  "name": "companyname", // Modify to your user/company name
                  "email": "support@microsoft.com", // Modify to your email
                  "tier": "Partner",
                  "link": "http://www.microsoft.com" // Modify to a support link
                }
              }
            },
            {
              "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'GCPDefinition')]",
              "apiVersion": "2023-02-01-preview",
              "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
              "location": "[parameters('workspace-location')]",
              "kind": "GCP",
              "properties": {
                "connectorDefinitionName": "GCPDefinition",
                "dataType": "GCPWAFlogs_CL",
                "dcrConfig": {
                  "streamName": "Custom-GCPWAF",
                  "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
                  "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
                },
                "auth": {
                  "serviceAccountEmail": "[[parameters('GCPServiceAccountEmail')]",
                  "projectNumber": "[[parameters('GCPProjectNumber')]",
                  "workloadIdentityProviderId": "[[parameters('GCPWorkloadIdentityProviderId')]"
                },
                "request": {
                  "projectId": "[[parameters('GCPProjectId')]",
                  "subscriptionNames": [ "[[parameters('GCPSubscriptionName')]" ]
                }
              }
            }
          ]
        },
        "packageKind": "Solution",
        "packageVersion": "[variables('_solutionVersion')]",
        "packageName": "[variables('_solutionName')]",
        "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
        "packageId": "[variables('_solutionId')]",
        "contentSchemaVersion": "3.0.0",
        "version": "[variables('dataConnectorCCPVersion')]"
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
      "apiVersion": "2023-04-01-preview",
      "location": "[parameters('workspace-location')]",
      "properties": {
        "version": "3.0.0",
        "kind": "Solution",
        "contentSchemaVersion": "3.0.0",
        "displayName": "GCP WAF",
        "publisherDisplayName": "GCP WAF",
        "descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>\n<p>GCP custom connector to ingest WAF and Load Balance logs</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
        "contentKind": "Solution",
        "contentProductId": "[variables('_solutioncontentProductId')]",
        "id": "[variables('_solutioncontentProductId')]",
        "icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Ermes_Browser_Security_Logo.svg\" width=\"75px\" height=\"75px\">",
        "contentId": "[variables('_solutionId')]",
        "parentId": "[variables('_solutionId')]",
        "source": { "kind": "Solution", "name": "GCP WAF", "sourceId": "[variables('_solutionId')]" },
        "author": { "name": "Microsoft" },
        "support": {
          "name": "companyname", // Modify to your user/company name
          "email": "support@microsoft.com", // Modify to your email
          "tier": "Partner",
          "link": "http://www.microsoft.com" // Modify to a support link
        },
        "dependencies": {
          "operator": "AND",
          "criteria": [
            { "kind": "DataConnector", "contentId": "[variables('_dataConnectorContentIdConnections1')]", "version": "[variables('dataConnectorCCPVersion')]" }
          ]
        },
        "firstPublishDate": "2023-09-29",
        "providers": [ "Microsoft" ],
        "categories": { "domains": [ "Security - Threat Protection" ] }
      },
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
    }
  ],
  "outputs": {}
}

AMA: Microsoft SIEM & XDR: unified security operations
At Microsoft Ignite we announced that we are bringing our Microsoft Sentinel and Microsoft Defender XDR products together to deliver an optimized and unified security operations experience. We are combining the full power of these products into a single portal enhanced with more comprehensive features, automation, guided experiences, and Microsoft Security Copilot. Bring your questions to this Ask Microsoft Anything (AMA) as members of our Microsoft Security engineering team bring clarity and insights about this new experience. This session is part of the Microsoft Security Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

TLS for Sentinel Syslog CEF Data connector (Secure Transfer of logs to Sentinel Log analytics workspa
The Sentinel Syslog/CEF data connector is a feature that allows you to collect data from various sources using the Common Event Format (CEF) or Syslog protocols and send it to Azure Sentinel, a cloud-native security information and event management (SIEM) solution. By using this connector, you can integrate your existing security tools and devices with Sentinel and gain more visibility and insights into your network and security events. See: Ingest syslog and CEF messages to Microsoft Sentinel - AMA | Microsoft Learn. The connection using this method happens over TCP/UDP 514, which is plain text. However, some sources may require a secure connection to transmit data using Syslog over TLS (Transport Layer Security). This ensures that the data is encrypted and authenticated between the sender and the receiver. In this article, we will show you how to configure TLS for Syslog on a Linux machine and connect it to Azure Sentinel using the Sentinel Data connector for CEF.

RecipientEmailAddress but recipient information BEFORE DL expansion
I'm trying to get a list of the top email recipients in our environment using the EmailEvents table and RecipientEmailAddress in Defender 365/Sentinel. But, as the schema says, RecipientEmailAddress is the "address of the recipient, or email address of the recipient after distribution list expansion". How can I query on recipient info before DL expansion?

I don't understand the ability to connect UEBA to multiple data sources.
Hello, I have connected UEBA in my environment, but I don't understand what it offers to connect the log sources of Audit Logs, Azure Activity, Security Events and Login Logs. According to UEBA, it collects alert information from other connectors such as Microsoft Defender for Endpoint, bookmarks or activities to generate these user behaviour profiles, so I don't understand why I should connect the aforementioned data sources. Where can you see that added value? Regards.

KQL: setting query time leads to problem in watchlist column projecting
Hello to the community! I have stumbled upon a very strange issue when using watchlists. I have a watchlist with 2 columns (userPrincipalName, allowedActivity) that I am then using to whitelist activities. The watchlist is imported using:

let WhitelistedUsers = _GetWatchlist("testQuery") | project userPrincipalName, allowedActivity;

Then I wanted to set it to a specific time frame to test it on a given data set:

set query_now = datetime("1/14/2022, 1:45:46.556 PM");

The problem is that when setting my query for a specific time, I get the following error from the watchlist: 'project' operator: Failed to resolve scalar expression named 'userPrincipalName'. Commenting out the set query_now solves the project problem (not my problem though). I tried to set the time before and after the watchlist import but that does not solve the issue. I could not find any posts around the topic (quite a specific one), so has anyone observed similar behaviors or has a possible explanation? I can probably work around the set query_now with other functions but I've gotten used to it, and find this behavior extremely strange.

How can I detect someone enabling Forensic Evidence Capturing?
Someone recently drew my attention to Microsoft Purview's Forensic Evidence Capturing feature under insider risk management -- powerful stuff! But also a feature I would only want to see turned on if duly authorized. How can I detect someone enabling this in Microsoft Sentinel? I tried enabling/disabling it but do not see any events referencing "forensic evidence" generated anywhere.

How to export list of all connectors
Hi, I'm trying to export all the connectors (both connected and not) for review. I've experimented with the PowerShell module, Az.SecurityInsights, which does give me the command Get-AzSentinelDataConnector. However, this only produces the following:

AzureSecurityCenter
AzureActiveDirectory
AzureAdvancedThreatProtection
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
Office365
ThreatIntelligence

yet there are 125 in total. What might I be doing wrong? Thanks, Jamie

Manage Microsoft 365 Defender Alerts in Azure Sentinel
We're trying to find a way to manage the 'out of the box' alerts that come with Defender 365, about 95% of which are FP. Is there a way to build some sort of dashboard in Sentinel with alerts? I don't mean incidents, we aren't there yet, I just mean alerts? Preferably, with enough information about the alert that the analyst can make a quick decision and move on... Thanks!!