Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Built on the foundation of Azure Logic Apps, Azure Sentinel’s automation and orchestration solution provides a highly-extensible architecture that enables scalable automation as new technologies and threats emerge.
At Loginsoft, our engineers have built custom connector using Common Event Format (CEF) to connect Data source. Azure Sentinel currently supports only Custom Entities fields IP, HOST, ACCOUNT and URL. If you are looking for additional Entities, Microsoft Azure is working to enhance this support and may be available down the line.
The very first step is to enable Azure Sentinel and connect to Data Source. Microsoft provides One Month free trial Subscription and you can connect to Data Source for deep investigation of security threats. Our engineers have developed the expertise with Azure Sentinel in:
- Developing Re-usable Custom Connector Application that can be used for On-Demand Enrichment in Azure Sentinel’s Logic Apps (Playbooks), Power Automate (Flows) and Power Apps.
- The Custom Connector application will query the threat intelligence source endpoint based on the entity type (e.g. Domain, IP Address, URL, and Account) selected by the User.
- Developed a Logic app (Playbook), which is triggered automatically, when the Azure Sentinel incident creation rule was met.
- Developed a Logic app (Playbook), which is triggered manually from the incident full details page.
Connector Submission Process
When you are ready with your Custom Connector, you will have to go through Azure Sentinel’s submission process to get Certified. Once your Connector meets Microsoft’s criteria, Connector will be certified and will be available for Users to access. I’m sharing here with the Submission process details:
- Registration by Submitting the online form. Once registered, Microsoft will contact via email and schedule a call to understand the connector which is built and guide through the certification process.
https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR2DcOSp0ibhKolmfRqZYZ51UOEwyM0ZFTU4wS0g4OFdCWUdVUDRaUFQ4RS4u - Microsoft provided guidelines is to be followed to submit the artifacts in ISV Studio along with documentation(user-guide).
- Prepare the Connector Artifacts, need to install a CLI tool and build them, validate them, and zip them.
- Certification and Deployment: Microsoft will validate the connector’s functionality and user documentation, once satisfied Microsoft will stage the connector in the Preview region (United States) for testing. Once the testing is done, Microsoft will deploy the connector across all products and regions.
- This process is expected to take 7 to 10 business days as Microsoft deploys incrementally in their regions around the world.
- Open Sourcing Connector to GitHub repository available to users.
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have come to rely on Loginsoft as a trusted resource for technology talent. From startups, to product and enterprises rely on our services. Whether Onsite, Offsite, or Offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with Cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, Logs onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services which include Software development & Support, QA automation, Data Science & AI, etc.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.
Interested to learn more? Let’s start a conversation.
