By Preeti_Krishna and Azure Sentinel News
Last month, Microsoft announced over 30 new out-of-the-box data connectors for Azure Sentinel to enable data collection for leading security products and other clouds. With these new connectors, Microsoft confirmed it is continuing the momentum to enable customers to easily bring data from different products into Azure Sentinel and analyze that data at cloud scale.
These data connectors include a parser that transforms the ingested data into Azure Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Azure Sentinel. New workbooks and analytic rule templates, leveraging these parsers, are also available to help you monitor these new data sources and detect threats immediately. Refer to the documentation for a complete list of data connectors that you can leverage in Azure Sentinel.
Four new data connectors for Cisco enable you to ingest Cisco Umbrella, Cisco Meraki, Cisco Firepower and Cisco UCS logs respectively. Use the new workbooks for these data sources to monitor your DNS, IP, Proxy, and Cloud Firewall logs from these products, as illustrated below. You can directly ingest Cisco Umbrella logs from AWS S3 buckets using the new Cisco Umbrella data connector. Both Cisco Umbrella and Cisco Meraki, now in Public Preview, have been among the top requested data connectors in the Azure Sentinel User Voice forum. Please continue to voice your feedback!
NXLog brings Azure Sentinel support for both the NXLog Linux Audit System and Windows Event Tracing modules with two new data connectors that deliver Linux audit and Windows DNS Server events, respectively. These connectors deliver Windows DNS Server audit and analytical events and Linux security events to Azure Sentinel in real time.
The Salesforce Cloud data connector enables operational events to be ingested into Azure Sentinel. These events come from 38 logs that include audit, files, search, and more. This data connector has a parser that lets you easily correlate Salesforce logs with other logs in Azure Sentinel to build integrated experiences.
The Akamai data connector ingests security events generated by the Akamai platform into Azure Sentinel. Use the Akamai parser to correlate Akamai logs with other logs and enable rich alerting and investigation experiences.
Two new data connectors for Trend Micro enable you to ingest Trend Micro TippingPoint SMS IPS events and Trend Micro XDR workbench alerts, respectively. The XDR connector comes with a workbook to help with insights into alert trends and impacted hosts. The XDR connector also includes two analytic rule templates to create incidents for XDR alerts depending on severity.
The Proofpoint On Demand (POD) data connector ingests Proofpoint On Demand email protection data. This data lets you check message traceability and monitor email activity, threats, and data exfiltration by attackers and malicious insiders. Both mail and message logs are ingested by this data connector. Furthermore, the parser lets you easily correlate email logs with other security logs for enhanced incident tracking and automated response scenarios.
Google Workspace / G-Suite
The Google Workspace data connector enables ingestion of Google Workspace Activity events into Azure Sentinel. This includes logs for admin activity, Google drive usage, login, mobile, authorization tokens, user workspace accounts and calendar usage reports. Use the parser to correlate this data with other logs to examine potential security risks, diagnose configuration problems, track who signs in and when, analyze administrator activity, understand how users create and share content, and more.
Sophos Cloud Optix
The Sophos Cloud Optix data connector allows you to easily connect Sophos Cloud Optix logs of your choice with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization’s cloud security and compliance posture and improves your cloud security operation capabilities.
The VMware ESXi data connector enables you to ingest VMware vSphere system logs into Azure Sentinel. This gives you more insight into your organization’s ESXi servers and improves your security operation capabilities. Use the parser to correlate ESXi data with other data in Azure Sentinel.
The Juniper SRX data connector enables ingestion of network traffic logs into Azure Sentinel. Use the parser to build rich monitoring workbooks and alerting in Azure Sentinel.
The SonicWall data connector enables you to ingest SonicWall Firewall logs from your virtual or on-prem firewalls. This data connector captures log activity and includes every connection source and destination name and/or IP address, IP service, and number of bytes transferred. This connector comes with some sample queries to help you navigate through your data and inform creation of further Azure Sentinel analytics, workbooks and workflows.
The ESET data connector ingests ESET Inspector detections in Azure Sentinel. This includes aggregated detections for suspicious activities, which can enrich your Azure Sentinel incident management and investigation outcomes.
Imperva WAF Gateway
The Imperva WAF Gateway data connector enables you to ingest Imperva WAF Gateway security alerts with a high degree of log customization. This provides you additional insight into your organization’s WAF traffic and improves your security operation capabilities. This connector comes with some sample queries to help you navigate through your data and inform creation of further Azure Sentinel analytics, workbooks and workflows.
The Broadcom Symantec DLP data connector enables ingestion of Data Loss Prevention (DLP) logs into Azure Sentinel to provide insight into your organization’s information. Use the parser to correlate this data with other data in Azure Sentinel for improved security operations.
WireX Systems brings WireX Network Forensics Platform events to Azure Sentinel via a new data connector, enabling correlation of the contextual content offered by WireX with data Azure Sentinel already holds from other sources. Delivered events include DNS, HTTP(S) and WireX Threat Detection System events.
The Aruba ClearPass data connector helps with ingestion of network security logs, including audit, session, system and insight logs, into Azure Sentinel. The parser for this data connector lets you correlate Aruba data with other data sources in Azure Sentinel.
The Onapsis data connector allows you to export alarms triggered in the Onapsis Platform into Azure Sentinel in real-time. This gives you the ability to monitor activity on your SAP systems, identify incidents, and respond to them quickly. Use the new workbook for the Onapsis data connector to visualize important information about your Onapsis alarms and view your incidents report.
The Netskope data connector helps ingest Netskope Cloud security events and logs into Azure Sentinel. Use the parser to seamlessly work with other logs in Azure Sentinel for improved monitoring and investigation capabilities.
The Squid Proxy data connector enables getting logs from a Squid Proxy server into Azure Sentinel. It uses the Azure Log Analytics agent, configured with the custom directory on the device from which the logs are collected. This data connector also has a parser to enable better correlation with other logs in Azure Sentinel.
The Blackberry CylancePROTECT data connector enables ingestion of CylancePROTECT logs into Azure Sentinel. This includes audit logs, threats, application control logs, device logs, memory protection logs and threat classification logs. This data connector has a parser for correlating these logs with other data in Azure Sentinel for enriched hunting, incident management and investigation experience.
Apache HTTP Server
The Apache data connector enables you to ingest Apache HTTP Server access logs into Azure Sentinel. It uses the Azure Log Analytics agent, configured with the custom directory on the device from which the logs are collected. This data connector also has a parser to enable better correlation of the server events with other logs in Azure Sentinel.
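As an added illustration of what such a parser does (this is not the connector's own parser): a KQL query in the style of a Sentinel parser function that turns raw Apache combined-format access-log lines into normalized columns, then uses them for a simple per-client summary. The table name ApacheHTTPServer_CL and the RawData column are assumptions.

```kusto
// Added example, not the Apache connector's shipped parser.
// ApacheHTTPServer_CL and RawData are assumed names for the custom-log table
// and the column that holds each raw access-log line.
let ApacheAccessParsed = () {
    ApacheHTTPServer_CL
    | extend RawLine = tostring(RawData)
    // Combined log format: ip ident user [time] "req" status bytes "referer" "ua"
    | parse RawLine with ClientIP:string " " Ident:string " " AuthUser:string
        " [" TimestampRaw:string "] \"" Method:string " " UriPath:string " "
        HttpVersion:string "\" " StatusCode:int " " BytesRaw:string " \""
        Referer:string "\" \"" UserAgent:string "\""
    // Apache writes 10/Oct/2000:13:55:36 -0700; todatetime() does not read this
    // layout, so rebuild the timestamp field by field and normalize it to UTC.
    | parse TimestampRaw with Day:int "/" MonthName:string "/" Year:int ":"
        Hour:int ":" Minute:int ":" Second:int " " Tz:string
    | extend Month = indexof("JanFebMarAprMayJunJulAugSepOctNovDec", MonthName) / 3 + 1
    | extend TzSign = iff(Tz startswith "-", -1, 1)
    | extend TzOffset = TzSign * (toint(substring(Tz, 1, 2)) * 1h + toint(substring(Tz, 3, 2)) * 1m)
    | extend EventTimeUtc = make_datetime(Year, Month, Day, Hour, Minute, Second) - TzOffset
    // Apache logs "-" when no body was sent; treat that as zero bytes.
    | extend BytesSent = coalesce(tolong(BytesRaw), long(0))
    | project EventTimeUtc, ClientIP, AuthUser, Method, UriPath, HttpVersion,
              StatusCode, BytesSent, Referer, UserAgent
};
// Using the normalized columns: clients that triggered server errors or
// pulled an unusually large volume of data in the last day.
ApacheAccessParsed
| where EventTimeUtc > ago(1d)
| summarize ServerErrors = countif(StatusCode >= 500),
            Requests = count(),
            TotalBytes = sum(BytesSent) by ClientIP
| where ServerErrors > 0 or TotalBytes > 100000000
| order by ServerErrors desc
```

Saved as a workspace function, the `let` body plays the same role as a connector parser: analytics rules and workbooks query the normalized columns instead of the raw line.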
The new Alsid for Active Directory data connector allows you to export Alsid indicators of exposure, trail flow, and indicators of attack logs to Azure Sentinel in real time. The data connector has a parser to work with the logs more easily. The sample queries that ship with this connector ease Active Directory monitoring and provide different ways to query and visualize the data. The analytic templates provide automated responses for different events, exposures, or attacks.
The Better Mobile data connector enables you to connect your Better Mobile Threat Defense instances to Azure Sentinel for enhanced monitoring and management of security logs. This connector comes with some sample queries to help you navigate through your data and inform creation of further Azure Sentinel analytics, workbooks and workflows.
Thycotic’s new Secret Server privileged access management data connector and workbook bring Thycotic Secret Server audit log data to Azure Sentinel to inform investigations and hunting. The log data includes user and action activity for secrets managed in the Thycotic vault.
The new Agari data connector enables you to ingest Agari security logs from the Phishing Defense and Brand Protection endpoints. This connector comes with some sample queries to help you navigate through your data and inform creation of further Azure Sentinel analytics, workbooks and workflows. In addition, Brand Protection and Phishing Response customers can take advantage of Threat Intelligence sharing via the Microsoft Graph Security API.
The Qualys Vulnerability Management (VM) KnowledgeBase (KB) connector provides the capability to ingest the latest vulnerability data from Qualys KB into Azure Sentinel. This data can be used to correlate and enrich vulnerability detections found by the Qualys Vulnerability Management (VM) data connector. Use the parser to build rich workbooks for monitoring.
These data collection improvements are just one of several exciting announcements we’ve made for Microsoft Ignite. Learn more about other new Azure Sentinel innovations in our announcements blog.
We also invite you to join the community to contribute your own new connectors, workbooks, analytics and more. Get started now by joining the Azure Sentinel Threat Hunters GitHub community and follow the guidance.