Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Built on the foundation of Azure Logic Apps, Azure Sentinel’s automation and orchestration solution provides a highly-extensible architecture that enables scalable automation as new technologies and threats emerge.
At Loginsoft, our engineers have built custom connector using Common Event Format (CEF) to connect Data source. Azure Sentinel currently supports only Custom Entities fields IP, HOST, ACCOUNT and URL. If you are looking for additional Entities, Microsoft Azure is working to enhance this support and may be available down the line.
The very first step is to enable Azure Sentinel and connect to Data Source. Microsoft provides One Month free trial Subscription and you can connect to Data Source for deep investigation of security threats. Our engineers have developed the expertise with Azure Sentinel in:
- Developing Re-usable Custom Connector Application that can be used for On-Demand Enrichment in Azure Sentinel’s Logic Apps (Playbooks), Power Automate (Flows) and Power Apps.
- The Custom Connector application will query the threat intelligence source endpoint based on the entity type (e.g. Domain, IP Address, URL, and Account) selected by the User.
- Developed a Logic app (Playbook), which is triggered automatically, when the Azure Sentinel incident creation rule was met.
- Developed a Logic app (Playbook), which is triggered manually from the incident full details page.
Connector Submission Process
When you are ready with your Custom Connector, you will have to go through Azure Sentinel’s submission process to get Certified. Once your Connector meets Microsoft’s criteria, Connector will be certified and will be available for Users to access. I’m sharing here with the Submission process details:
- Registration by Submitting the online form. Once registered, Microsoft will contact via email and schedule a call to understand the connector which is built and guide through the certification process.
https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR2DcOSp0ibhKolmfRqZYZ51UOEwyM0ZFTU4wS0g4OFdCWUdVUDRaUFQ4RS4u - Microsoft provided guidelines is to be followed to submit the artifacts in ISV Studio along with documentation(user-guide).
- Prepare the Connector Artifacts, need to install a CLI tool and build them, validate them, and zip them.
- Certification and Deployment: Microsoft will validate the connector’s functionality and user documentation, once satisfied Microsoft will stage the connector in the Preview region (United States) for testing. Once the testing is done, Microsoft will deploy the connector across all products and regions.
- This process is expected to take 7 to 10 business days as Microsoft deploys incrementally in their regions around the world.
- Open Sourcing Connector to GitHub repository available to users.
