Learn Azure Sentinel

Configuring Azure Sentinel connectors

The Azure Sentinel - Data connectors page shows the total number of connectors, how many are currently connected, and how many are in development. An example of the Data connectors page is shown in the following screenshot:

Figure 3.4 – Azure Sentinel Data connectors page

As you can see in the preceding screenshot, there are currently 32 connectors available to implement in this Azure Sentinel workspace. The list is likely to grow over time as more solutions become natively integrated, which is why the page also lets you filter the list and search for a specific data connector. By selecting a connector on the left-hand side, we can view its details on the right-hand side. For this example, we will use the data connector for AWS, as shown in the following screenshot:

Figure 3.5 – Data connector details

At the top of the page in the preceding screenshot, we can see the status of the connector (Not connected), the provider (Amazon), and the date/timestamp of the last log received (empty because the connector is not yet connected).

The next section provides a description and further details about the connector, including a graph that will show the last few days of active log ingestion rate (when connected).

At the bottom of the page, we can see the data types that are included in this connector; in this example, we are expecting to retrieve the AWS CloudTrail logs, when enabled.

Click on the Open connector page button to go to the next screen and start the configuration process, as shown in the following screenshot:

Figure 3.6 – Data connector configuration instructions

Each connector will show a slightly different screen, depending on the type of connector (native, direct, API, or agent) and the steps required to complete the configuration.

In this example, the AWS connector is an API-based connector, and instructions are provided on how to set up the permissions that allow Azure Sentinel to read from the AWS account via the API. Follow them exactly and grant no more than they ask for: the role you create is the only thing standing between Azure Sentinel and your AWS account, so its trust relationship and permissions deserve the same review as any other cross-account access. Once completed, you can select the Next steps tab to view the available workbooks and other resources for this data connector, as shown in the following screenshot:
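The cross-account trust that the AWS connector instructions have you create is the part most often done loosely. The following is an added example (not code from the book, from Microsoft, or from AWS) that builds the shape of trust policy such a connector needs and audits an existing trust policy for the two classic mistakes: a wildcard principal, and a missing `sts:ExternalId` condition (the confused-deputy protection). The account ID, external ID and policy document below are placeholders and constructed samples, not the real values; the connector page tells you the actual account and external ID to use.

```python
"""Audit the IAM trust policy for the role an Azure Sentinel connector assumes.

Added example, not from the book, Microsoft or AWS. SENTINEL_AWS_ACCOUNT and
EXTERNAL_ID are placeholders (assumptions); copy the real values from the
connector page in the Azure Sentinel portal.
"""
import json

# Assumption/placeholder: the AWS account Azure Sentinel assumes the role from.
SENTINEL_AWS_ACCOUNT = "111111111111"
# Assumption/placeholder: the external ID the connector presents (typically your workspace ID).
EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"


def trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy that lets only the given account assume the role, and only
    when it presents the expected external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_account: str, expected_external_id: str) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole.
    An empty list means the policy matches the intended trust relationship."""
    findings = []
    expected_arn = f"arn:aws:iam::{expected_account}:root"
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # not an assume-role grant, nothing to check
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append(f"statement {n}: any AWS principal may assume the role")
            elif p not in (expected_arn, expected_account):
                findings.append(f"statement {n}: unexpected principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {n}: no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            findings.append(f"statement {n}: sts:ExternalId {ext!r} is not the expected value")
    return findings


# Constructed sample of a policy that "works" but trusts the whole of AWS.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy(SENTINEL_AWS_ACCOUNT, EXTERNAL_ID), indent=2))
    for finding in audit_trust_policy(WEAK_TRUST_POLICY, SENTINEL_AWS_ACCOUNT, EXTERNAL_ID):
        print("FINDING:", finding)
```

The permissions policy attached to the same role gets the same treatment: it should contain only the read-only CloudTrail access the connector page lists, never a wildcard action.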

Figure 3.7 – Data connector configuration instructions

As we can see in the preceding screenshot, the AWS connector has the following two workbooks associated:

  • AWS Network Activities
  • AWS User Activities

Each of these workbooks is configured based on the information available in the AWS CloudTrail logs. The page also provides example queries you can use to get started with interrogating the logs for your own requirements. Further information about how to use workbooks can be found in Chapter 8, Introducing Workbooks.

Now, when we look at a data connector that has been successfully configured, we can view the same pages and see the differences, as shown in the following screenshot:

Figure 3.8 – Azure AD connector

We can see on the data connector page for Azure AD that this data source is connected and last received logs 4 minutes ago. We can see that 3 workbooks and 2 queries use this data connector, and that a regular flow of data has occurred over the last 3 weeks (December 8 to December 29). By selecting the Open connector page button, we get a view of the details of this connector, as shown in the following screenshot:
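The "last log received" indicator and the ingestion graph are the connector's own health signals, but nothing alerts you when a connected source silently stops. The following is an added example (not from the book or from Microsoft) of the check a practitioner would run: the latest record per table, compared against an acceptable age, with a table that has produced no records at all treated as its own failure mode. The rows are constructed sample data shaped like the output of the embedded KQL query, which is the query you would run in the Logs blade against a real workspace.

```python
"""Ingestion-gap check for connected data connectors.

Added example, not from the book. Runs offline over constructed rows; the
KQL below is the equivalent query for a real Log Analytics workspace.
"""
from datetime import datetime, timedelta, timezone

# KQL equivalent to run in Logs: newest record per table for the tables these connectors feed.
KQL_LAST_RECORD_PER_TABLE = """
union withsource=TableName SigninLogs, AuditLogs, AWSCloudTrail
| summarize LastRecord = max(TimeGenerated) by TableName
"""

# Constructed sample rows: (TableName, TimeGenerated) as exported from the query result.
NOW = datetime(2019, 12, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    ("SigninLogs", NOW - timedelta(minutes=4)),
    ("SigninLogs", NOW - timedelta(minutes=9)),
    ("AuditLogs", NOW - timedelta(minutes=12)),
    ("AWSCloudTrail", NOW - timedelta(hours=26)),   # connector connected, but the feed has stalled
]
# Tables the connected connectors are expected to feed.
EXPECTED_TABLES = ("SigninLogs", "AuditLogs", "AWSCloudTrail")


def last_record_per_table(rows):
    """Newest TimeGenerated per table (what the KQL summarize returns)."""
    latest = {}
    for table, ts in rows:
        if table not in latest or ts > latest[table]:
            latest[table] = ts
    return latest


def stale_tables(rows, expected_tables, now, max_age):
    """Return {table: age} for expected tables whose newest record is older than
    max_age; a table with no rows at all maps to None (never ingested), which a
    simple max(TimeGenerated) query would not show because there is no row to
    summarize."""
    latest = last_record_per_table(rows)
    stale = {}
    for table in expected_tables:
        ts = latest.get(table)
        if ts is None:
            stale[table] = None
        elif now - ts > max_age:
            stale[table] = now - ts
    return stale


if __name__ == "__main__":
    for table, age in stale_tables(SAMPLE_ROWS, EXPECTED_TABLES, NOW, timedelta(hours=1)).items():
        print(f"{table}: {'no records' if age is None else f'last record {age} ago'}")
```

Pick the threshold per source: sign-in logs in an active tenant arrive continuously, whereas a quiet AWS account can legitimately go hours without a CloudTrail event, so a single global threshold will either miss gaps or page you for nothing.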

Figure 3.9 – Azure AD connector configuration

On the Instructions page, we see checkmarks indicating that each element has been configured successfully, and padlocks next to the prerequisites (such as workspace and tenant permissions) that must also be satisfied. In the Configuration section, both the Azure Active Directory Sign-in logs and the Azure Active Directory Audit logs are connected. Clicking either of the blue Disconnect buttons stops new logs from being ingested into Azure Sentinel; the data already in the workspace is not removed and remains queryable until its retention period expires. Selecting the Next steps tab will show more information about what we can do with this connector, as shown in the following screenshot:

Figure 3.10 – Azure AD-enabled workbooks

On the Next steps page, we can see three recommended workbooks. Two of them have been enabled, as shown by the bar on the left-hand side, and one is available but not yet enabled.

In this section, we walked through the setup of the data connectors to enable data ingestion. In the next section, we will move on to look at how we manage that data to ensure we retain enough information to be useful, without storing so much that it becomes expensive.