
AZURE SENTINEL DATA CONNECTORS

We had the chance to talk a bit about Microsoft Azure Sentinel in our previous article, where we tried to answer questions such as “What is Azure Sentinel? How does it work? What does it cost?” In this article, we will look at the data connector methods and which method should be used for which product. These methods are Integration from Service to Service, Integration with API and Integration with Agent. I will explain shortly which integration method applies to which products.

Data Connector Methods

Integration from Service to Service

  • Amazon Web Services – CloudTrail
  • Office 365
  • Azure AD audit logs and sign-ins
  • Azure Activity
  • Azure AD Identity Protection
  • Azure Security Center
  • Azure Information Protection
  • Azure Advanced Threat Protection
  • Cloud App Security
  • Windows security events
  • Windows firewall

Integration with API

  • Barracuda
  • Symantec
  • Citrix Analytics (Security)

Integration with Agent

  • Firewalls, Proxy and Endpoints:
    • F5
    • Check Point
    • Cisco ASA
    • Fortinet
    • Palo Alto
    • Other CEF products
    • Other Syslog products
    • Barracuda CloudGen Firewall
    • ExtraHop Reveal(x)
    • One Identity Safeguard
    • Trend Micro Deep Security
  • DLP Solutions
  • DNS Servers
  • Linux Servers
  • Other Cloud Services

Things to Do for Sentinel Data Connectors

As we mentioned above, there are three methods to connect data. Let’s take a look at how each of these methods works:

For Integration from Service to Service, it is enough to enter a username and password on the Data Connectors page. Keep in mind that, since we will be logging into Microsoft products, the account should have at least Security Administrator authority. For AWS the process is a bit different, but we still only need one account: as an extra step, it is enough to create a user on IAM and assign it the “AWSCloudTrailReadOnlyAccess” role. I should also mention that you need at least an AADP1 licence for Azure AD Identity Protection.
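The AWS step grants the connector identity read-only CloudTrail access, and a practitioner will want to confirm that the IAM user was not given more than that. The following is an added example, not code from the original article or from Microsoft or AWS: a small Python check that audits an IAM policy document against a read-only allow-list. The action set and the two sample policies are constructed for this example and do not reproduce the text of the AWSCloudTrailReadOnlyAccess managed policy.

```python
import json

# Assumed read-only action set for this example; it is NOT the text of the
# AWS managed policy AWSCloudTrailReadOnlyAccess, just a constructed allow-list.
READ_ONLY_ACTIONS = {
    "cloudtrail:DescribeTrails",
    "cloudtrail:GetTrailStatus",
    "cloudtrail:LookupEvents",
    "cloudtrail:ListTags",
    "s3:GetObject",
    "s3:ListBucket",
}


def _as_list(value):
    # IAM allows a single string or a list for Statement/Action.
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return findings for every grant that goes beyond the read-only set."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append("NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"wildcard action {action!r}")
            elif action not in READ_ONLY_ACTIONS:
                findings.append(f"non read-only action {action!r}")
    return findings


# Constructed sample policies (not real account data).
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(READ_ONLY_ACTIONS), "Resource": "*"}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudtrail:*", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_policy(doc) or "OK: read-only")
```

Run it against the policy document attached to the connector's IAM user; an empty findings list means no write or wildcard grants were found.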

For Integration with API, we need to perform some actions on the product itself in order to obtain the link used for the integration. These actions vary from one product to another; for example, the steps for Barracuda differ from those for Symantec. Since each of these procedures is a topic for an article of its own, you can find the technical documents below.

Barracuda API Integration

Symantec API Integration

Citrix Analytics API Integration

Integration with Agent requires a connector server, a step the other methods do not need. The role of this server is to provide the connection between the product and Sentinel. Unlike the other methods, integration with Agent requires comprehensive and extensive work.

I hope that this helped you.
