Introduction
The blog explains how organizations can strengthen their security monitoring by implementing Microsoft Azure Sentinel, a cloud-native SIEM and SOAR solution. It focuses on Loginsoft’s experience with Microsoft Azure Sentinel integration, demonstrating how data sources can be connected, normalized, and ingested to enable centralized visibility and threat detection. The article highlights practical considerations involved in integrating Sentinel with data sources to support real-time monitoring and effective security operations.
Key Takeaways
- Loginsoft built a custom CEF-based connector for integrating Azure Sentinel with data sources, supporting entities like IP, HOST, ACCOUNT, and URL.
- The connector enables on-demand threat intelligence enrichment in Logic Apps, Power Automate, and Power Apps for entities such as Domain, IP, and URL.
- Two Playbooks were developed: one auto-triggered by incident creation rules and another manually triggered from incident details.
- Connector certification involves Microsoft validation (7-10 days), staging in US preview, global deployment, and open-sourcing on GitHub.
Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Built on Azure Logic Apps, Azure Sentinel's automation and orchestration layer provides a highly extensible architecture that lets automation scale as new technologies and threats emerge.
At Loginsoft, our engineers have built a custom connector that uses the Common Event Format (CEF) to connect a data source. At the time of writing, Azure Sentinel supports only the custom entity fields IP, HOST, ACCOUNT and URL; Microsoft is working to extend this support, so additional entity types may become available later.
The very first step is to enable Azure Sentinel and connect a data source. Microsoft provides a one-month free trial subscription, so you can connect a data source and investigate security threats in depth before committing. Our engineers have developed expertise with Azure Sentinel in:
- Developing a reusable custom connector application that can be used for on-demand enrichment in Azure Sentinel's Logic Apps (Playbooks), Power Automate (Flows) and Power Apps.
- The custom connector application queries the threat intelligence source endpoint according to the entity type (e.g. Domain, IP address, URL or Account) selected by the user.
- Developing a Logic App (Playbook) that is triggered automatically when an Azure Sentinel incident creation rule is met.
- Developing a Logic App (Playbook) that is triggered manually from the incident full details page.
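The two pieces described above, ingesting CEF and enriching a user-selected entity, share one normalization problem: turning raw fields into entities of a known type before anything queries a threat intelligence source. The script below is an added example, not code from the original page or from Loginsoft's connector. It parses a CEF record (honouring the CEF escape rules), maps the standard extension keys onto the IP, HOST, ACCOUNT and URL entity types, validates each value against its claimed type, and builds the lookup path for the entity type a user selects. The sample events, the key-to-entity mapping and the `/v1/...` endpoint layout are constructed assumptions for this example.

```python
import ipaddress
import re
from urllib.parse import quote, urlparse

# Constructed sample events (not taken from the original page). They imitate
# what a CEF-speaking appliance forwards to the Sentinel CEF/Syslog collector.
SAMPLE_CEF = [
    "CEF:0|Loginsoft|DemoSensor|1.0|100|Suspicious outbound connection|7|"
    "src=10.1.2.3 dst=198.51.100.7 dhost=bad.example.net suser=alice "
    "request=http://bad.example.net/login?x\\=1 msg=Beacon detected",
    "CEF:0|Loginsoft|DemoSensor|1.0|101|Failed logon burst|5|"
    "src=192.0.2.44 shost=WS-0042 suser=CORP\\\\bob cnt=37 msg=Multiple failures",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Standard CEF extension keys mapped onto the four entity types the article names.
ENTITY_KEYS = {
    "src": "IP", "dst": "IP",
    "shost": "HOST", "dhost": "HOST",
    "suser": "ACCOUNT", "duser": "ACCOUNT",
    "request": "URL",
}

# Hypothetical threat-intelligence endpoint layout, assumed for this example only.
TI_ROUTES = {"IP": "/v1/ip/{}", "HOST": "/v1/domain/{}",
             "URL": "/v1/url/{}", "ACCOUNT": "/v1/account/{}"}

# A value runs until the next unescaped " key=". Backslash pairs are consumed
# as a unit, so an escaped "=" or "\" inside a value cannot end it early.
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|$)")
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text):
    # CEF escapes: \| and \\ in the header; \= \\ \n \r in the extension.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Split one CEF record into its seven header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    event = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    extension = parts[7] if len(parts) == 8 else ""
    event["extension"] = {k: _unescape(v) for k, v in _EXT_RE.findall(extension)}
    return event


def validate_entity(entity_type, value):
    """Check that a value really is the entity type a field or a user claims."""
    if entity_type == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if entity_type == "URL":
        u = urlparse(value)
        return u.scheme in ("http", "https") and bool(u.netloc)
    if entity_type == "HOST":  # FQDN, or a bare single-label hostname
        return bool(_FQDN_RE.match(value) or re.fullmatch(r"[A-Za-z0-9-]{1,63}", value))
    if entity_type == "ACCOUNT":
        return 0 < len(value) <= 256 and not any(c.isspace() for c in value)
    return False


def extract_entities(event):
    """Turn well-known extension fields into de-duplicated Sentinel-style entities."""
    seen, entities = set(), []
    for key, value in event["extension"].items():
        etype = ENTITY_KEYS.get(key)
        if etype is None or not validate_entity(etype, value):
            continue  # unknown field, or a malformed value that must not become an entity
        if (etype, value) not in seen:
            seen.add((etype, value))
            entities.append({"type": etype, "value": value, "field": key})
    return entities


def enrichment_path(entity_type, value):
    """Pick the TI endpoint for the selected entity type; reject mismatched input."""
    if entity_type == "Domain":  # the enrichment UI calls HOST lookups "Domain"
        entity_type = "HOST"
    if entity_type not in TI_ROUTES or not validate_entity(entity_type, value):
        raise ValueError("%r is not a valid %s" % (value, entity_type))
    return TI_ROUTES[entity_type].format(quote(value, safe=""))  # never splice raw text into a path


if __name__ == "__main__":
    for line in SAMPLE_CEF:
        ev = parse_cef(line)
        print("%s (severity %s)" % (ev["name"], ev["severity"]))
        for ent in extract_entities(ev):
            path = enrichment_path(ent["type"], ent["value"])
            print("  %-7s %-35s -> %s" % (ent["type"], ent["value"], path))
```

The validation step is the part worth keeping when adapting this: a user who selects "IP" in a Playbook and pastes a URL should get an error before any request leaves the tenant, and percent-encoding the value stops a crafted indicator from rewriting the request path on the threat intelligence side.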
Connector Submission Process
When your custom connector is ready, it has to go through Azure Sentinel's submission process to get certified. Once the connector meets Microsoft's criteria, it is certified and made available to users. The submission process is as follows:
- Registration: submit the online form at https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR2DcOSp0ibhKolmfRqZYZ51UOEwyM0ZFTU4wS0g4OFdCWUdVUDRaUFQ4RS4u. Once registered, Microsoft contacts you by email and schedules a call to understand the connector you have built and to guide you through the certification process.
- Submission: follow Microsoft's guidelines to submit the artifacts in ISV Studio along with the documentation (a user guide).
- Prepare the connector artifacts: install the CLI tool, then build, validate and zip them.
- Certification and deployment: Microsoft validates the connector's functionality and user documentation. Once satisfied, Microsoft stages the connector in the preview region (United States) for testing. After testing, Microsoft deploys the connector across all products and regions.
- This process is expected to take 7 to 10 business days, as Microsoft deploys incrementally to its regions around the world.
- Open-sourcing: the connector is published to a GitHub repository, where it is available to users.
Conclusion
The blog demonstrates that successful Microsoft Azure Sentinel integration is key to unlocking the full value of Sentinel as a cloud-native SIEM platform. By properly connecting and normalizing data sources, organizations gain improved visibility, faster threat detection, and more effective response capabilities. Loginsoft’s integration approach helps ensure that Sentinel deployments are aligned with operational needs, enabling security teams to monitor, analyze, and act on threats more efficiently.
FAQ
Q1. What is Microsoft Azure Sentinel?
Microsoft Azure Sentinel is a cloud-native SIEM and SOAR solution that collects, analyzes, and correlates security data from multiple sources.
Q2. Why is Microsoft Azure Sentinel integration important?
Integration ensures that the relevant data sources are connected to Sentinel, enabling accurate threat detection and centralized monitoring. It also unifies security data from your entire digital estate (cloud, on-premises and multi-cloud) in one platform and uses AI/ML to detect, investigate and automatically respond to threats in real time.
Q3. What types of data sources can be integrated with Sentinel?
Microsoft services such as Azure, Microsoft 365 and Windows Security Events; cloud and third-party services such as AWS and Okta; on-premises system logs forwarded through Azure Monitor agents or CEF/Syslog; and custom sources via REST APIs can all be integrated into Sentinel.
Q4. How does Loginsoft support Azure Sentinel implementation?
Loginsoft assists with data source integration, configuration, and normalization to ensure effective Sentinel deployment.