Microsoft Sentinel Setup Guide
Create an Application
Log into the Azure portal. Use the search bar to search for "App Registrations" and navigate there. Create a new App by selecting "+ New registration".

Once you have entered a name for the App, click "Register". This will create the application and generate an "Application (client) ID" and "Directory (tenant) ID". Save these values because you will need them later.

You now need to create an OAuth credential for the App. Under the "Manage" menu, select "Certificates & secrets". Under the "Client secrets" tab, select "+ New client secret". Enter a description and choose an expiration duration, then select the "Add" button.

After creating the secret, save the secret "Value"; it is displayed only once. This is the OAuth token secret and you will need it later.
Configure Sentinel
Now that you have an application and credentials for it, you will need to configure Sentinel to receive events.
The first step is to enable Sentinel for a workspace. Search for "Microsoft Sentinel" and go to the Sentinel service. From here, you will either need to select a workspace to add Sentinel to or create a new workspace.
Next, search for "Log Analytics workspaces". On this page, select the workspace you just added Sentinel to. Under "Settings" > "Tables" you should see a table named "CommonSecurityLog". This is the table Synqly will write to.

In the Log Analytics workspace view, open the "JSON View" for this workspace and save the "Resource ID".

This Resource ID will be used when creating the Data Collection Rule below.
Create a Data Collection Endpoint
Now that Sentinel is set up, we need a Data Collection Endpoint (DCE) to send events to and a Data Collection Rule (DCR) that routes those events into Sentinel.
Search for "Monitor" and open the Monitor service.
Expand the "Settings" section and navigate to "Data Collection Endpoints".

From here, create a new Data Collection Endpoint by selecting "+ Create". Be sure to select the same region as the Log Analytics workspace used earlier.

Click "Review + create" and then "Create". Once the Data Collection Endpoint is created, open it from the list view and save the "Logs ingestion" URL. You will need this later: it is the endpoint events are sent to.

Additionally, under JSON View, save the "Resource ID" again. This will be used in the next step for the Data Collection Rule.
Create a Data Collection Rule
We now need a Data Collection Rule (DCR) that creates a pipeline from the new Data Collection Endpoint to the CommonSecurityLog table in Sentinel.
In the Azure search bar, search for "Deploy a custom template". In the Custom deployment service, select "Build your own template in the editor". You will need to copy and paste the template below into the editor.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "dataCollectionRuleName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the Data Collection Rule to create."
      }
    },
    "location": {
      "defaultValue": "[resourceGroup().location]",
      "type": "string",
      "metadata": {
        "description": "Specifies the location in which to create the Data Collection Rule."
      }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the Azure resource ID of the Log Analytics workspace to use."
      }
    },
    "endpointResourceId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the Azure resource ID of the Data Collection Endpoint to use."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Insights/dataCollectionRules",
      "apiVersion": "2021-09-01-preview",
      "name": "[parameters('dataCollectionRuleName')]",
      "location": "[parameters('location')]",
      "properties": {
        "dataCollectionEndpointId": "[parameters('endpointResourceId')]",
        "streamDeclarations": {
          "Custom-CommonSecurityLog": {
            "columns": [
              { "name": "Activity", "type": "string" },
              { "name": "AdditionalExtensions", "type": "string" },
              { "name": "ApplicationProtocol", "type": "string" },
              { "name": "CommunicationDirection", "type": "string" },
              { "name": "Computer", "type": "string" },
              { "name": "DestinationDnsDomain", "type": "string" },
              { "name": "DestinationHostName", "type": "string" },
              { "name": "DestinationIP", "type": "string" },
              { "name": "DestinationMACAddress", "type": "string" },
              { "name": "DestinationNTDomain", "type": "string" },
              { "name": "DestinationPort", "type": "int" },
              { "name": "DestinationProcessId", "type": "int" },
              { "name": "DestinationProcessName", "type": "string" },
              { "name": "DestinationServiceName", "type": "string" },
              { "name": "DestinationTranslatedAddress", "type": "string" },
              { "name": "DestinationTranslatedPort", "type": "int" },
              { "name": "DestinationUserID", "type": "string" },
              { "name": "DestinationUserName", "type": "string" },
              { "name": "DestinationUserPrivileges", "type": "string" },
              { "name": "DeviceAction", "type": "string" },
              { "name": "DeviceAddress", "type": "string" },
              { "name": "DeviceCustomDate1", "type": "string" },
              { "name": "DeviceCustomDate1Label", "type": "string" },
              { "name": "DeviceCustomDate2", "type": "string" },
              { "name": "DeviceCustomDate2Label", "type": "string" },
              { "name": "DeviceCustomFloatingPoint1", "type": "real" },
              { "name": "DeviceCustomFloatingPoint1Label", "type": "string" },
              { "name": "DeviceCustomFloatingPoint2", "type": "real" },
              { "name": "DeviceCustomFloatingPoint2Label", "type": "string" },
              { "name": "DeviceCustomFloatingPoint3", "type": "real" },
              { "name": "DeviceCustomFloatingPoint3Label", "type": "string" },
              { "name": "DeviceCustomFloatingPoint4", "type": "real" },
              { "name": "DeviceCustomFloatingPoint4Label", "type": "string" },
              { "name": "DeviceCustomIPv6Address1", "type": "string" },
              { "name": "DeviceCustomIPv6Address1Label", "type": "string" },
              { "name": "DeviceCustomIPv6Address2", "type": "string" },
              { "name": "DeviceCustomIPv6Address2Label", "type": "string" },
              { "name": "DeviceCustomIPv6Address3", "type": "string" },
              { "name": "DeviceCustomIPv6Address3Label", "type": "string" },
              { "name": "DeviceCustomIPv6Address4", "type": "string" },
              { "name": "DeviceCustomIPv6Address4Label", "type": "string" },
              { "name": "DeviceCustomNumber1", "type": "int" },
              { "name": "DeviceCustomNumber1Label", "type": "string" },
              { "name": "DeviceCustomNumber2", "type": "int" },
              { "name": "DeviceCustomNumber2Label", "type": "string" },
              { "name": "DeviceCustomNumber3", "type": "int" },
              { "name": "DeviceCustomNumber3Label", "type": "string" },
              { "name": "DeviceCustomString1", "type": "string" },
              { "name": "DeviceCustomString1Label", "type": "string" },
              { "name": "DeviceCustomString2", "type": "string" },
              { "name": "DeviceCustomString2Label", "type": "string" },
              { "name": "DeviceCustomString3", "type": "string" },
              { "name": "DeviceCustomString3Label", "type": "string" },
              { "name": "DeviceCustomString4", "type": "string" },
              { "name": "DeviceCustomString4Label", "type": "string" },
              { "name": "DeviceCustomString5", "type": "string" },
              { "name": "DeviceCustomString5Label", "type": "string" },
              { "name": "DeviceCustomString6", "type": "string" },
              { "name": "DeviceCustomString6Label", "type": "string" },
              { "name": "DeviceDnsDomain", "type": "string" },
              { "name": "DeviceEventCategory", "type": "string" },
              { "name": "DeviceEventClassID", "type": "string" },
              { "name": "DeviceExternalID", "type": "string" },
              { "name": "DeviceFacility", "type": "string" },
              { "name": "DeviceInboundInterface", "type": "string" },
              { "name": "DeviceMacAddress", "type": "string" },
              { "name": "DeviceName", "type": "string" },
              { "name": "DeviceNtDomain", "type": "string" },
              { "name": "DeviceOutboundInterface", "type": "string" },
              { "name": "DevicePayloadId", "type": "string" },
              { "name": "DeviceProduct", "type": "string" },
              { "name": "DeviceTimeZone", "type": "string" },
              { "name": "DeviceTranslatedAddress", "type": "string" },
              { "name": "DeviceVendor", "type": "string" },
              { "name": "DeviceVersion", "type": "string" },
              { "name": "EndTime", "type": "datetime" },
              { "name": "EventCount", "type": "int" },
              { "name": "EventOutcome", "type": "string" },
              { "name": "EventType", "type": "int" },
              { "name": "ExternalID", "type": "int" },
              { "name": "ExtID", "type": "string" },
              { "name": "FieldDeviceCustomNumber1", "type": "long" },
              { "name": "FieldDeviceCustomNumber2", "type": "long" },
              { "name": "FieldDeviceCustomNumber3", "type": "long" },
              { "name": "FileCreateTime", "type": "string" },
              { "name": "FileHash", "type": "string" },
              { "name": "FileID", "type": "string" },
              { "name": "FileModificationTime", "type": "string" },
              { "name": "FileName", "type": "string" },
              { "name": "FilePath", "type": "string" },
              { "name": "FilePermission", "type": "string" },
              { "name": "FileSize", "type": "int" },
              { "name": "FileType", "type": "string" },
              { "name": "FlexDate1", "type": "string" },
              { "name": "FlexDate1Label", "type": "string" },
              { "name": "FlexNumber1", "type": "int" },
              { "name": "FlexNumber1Label", "type": "string" },
              { "name": "FlexNumber2", "type": "int" },
              { "name": "FlexNumber2Label", "type": "string" },
              { "name": "FlexString1", "type": "string" },
              { "name": "FlexString1Label", "type": "string" },
              { "name": "FlexString2", "type": "string" },
              { "name": "FlexString2Label", "type": "string" },
              { "name": "IndicatorThreatType", "type": "string" },
              { "name": "LogSeverity", "type": "string" },
              { "name": "MaliciousIP", "type": "string" },
              { "name": "MaliciousIPCountry", "type": "string" },
              { "name": "MaliciousIPLatitude", "type": "real" },
              { "name": "MaliciousIPLongitude", "type": "real" },
              { "name": "Message", "type": "string" },
              { "name": "OldFileCreateTime", "type": "string" },
              { "name": "OldFileHash", "type": "string" },
              { "name": "OldFileID", "type": "string" },
              { "name": "OldFileModificationTime", "type": "string" },
              { "name": "OldFileName", "type": "string" },
              { "name": "OldFilePath", "type": "string" },
              { "name": "OldFilePermission", "type": "string" },
              { "name": "OldFileSize", "type": "int" },
              { "name": "OldFileType", "type": "string" },
              { "name": "OriginalLogSeverity", "type": "string" },
              { "name": "ProcessID", "type": "int" },
              { "name": "ProcessName", "type": "string" },
              { "name": "Protocol", "type": "string" },
              { "name": "Reason", "type": "string" },
              { "name": "ReceiptTime", "type": "string" },
              { "name": "ReceivedBytes", "type": "long" },
              { "name": "RemoteIP", "type": "string" },
              { "name": "RemotePort", "type": "string" },
              { "name": "ReportReferenceLink", "type": "string" },
              { "name": "RequestClientApplication", "type": "string" },
              { "name": "RequestContext", "type": "string" },
              { "name": "RequestCookies", "type": "string" },
              { "name": "RequestMethod", "type": "string" },
              { "name": "RequestURL", "type": "string" },
              { "name": "SentBytes", "type": "long" },
              { "name": "SimplifiedDeviceAction", "type": "string" },
              { "name": "SourceDnsDomain", "type": "string" },
              { "name": "SourceHostName", "type": "string" },
              { "name": "SourceIP", "type": "string" },
              { "name": "SourceMACAddress", "type": "string" },
              { "name": "SourceNTDomain", "type": "string" },
              { "name": "SourcePort", "type": "int" },
              { "name": "SourceProcessId", "type": "int" },
              { "name": "SourceProcessName", "type": "string" },
              { "name": "SourceServiceName", "type": "string" },
              { "name": "SourceSystem", "type": "string" },
              { "name": "SourceTranslatedAddress", "type": "string" },
              { "name": "SourceTranslatedPort", "type": "int" },
              { "name": "SourceUserID", "type": "string" },
              { "name": "SourceUserName", "type": "string" },
              { "name": "SourceUserPrivileges", "type": "string" },
              { "name": "StartTime", "type": "datetime" },
              { "name": "ThreatConfidence", "type": "string" },
              { "name": "ThreatDescription", "type": "string" },
              { "name": "ThreatSeverity", "type": "int" },
              { "name": "TimeGenerated", "type": "datetime" }
            ]
          }
        },
        "destinations": {
          "logAnalytics": [
            {
              "workspaceResourceId": "[parameters('workspaceResourceId')]",
              "name": "logAnalyticsWorkspace"
            }
          ]
        },
        "dataFlows": [
          {
            "streams": [ "Custom-CommonSecurityLog" ],
            "destinations": [ "logAnalyticsWorkspace" ],
            "transformKql": "source",
            "outputStream": "Microsoft-CommonSecurityLog"
          }
        ]
      }
    }
  ],
  "outputs": {
    "dataCollectionRuleId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]"
    }
  }
}
Click "Save" at the bottom of the page.
Enter a name for "Data Collection Rule Name" and enter the Workspace Resource ID and Endpoint Resource ID created previously.

Click "Review + create" and then "Create". After the deployment has completed, open the Data Collection Rule by selecting "Go to resource".
Select "JSON View" and save the "immutableID". This will be used when configuring the integration.
Grant the App Access to the Data Collection Rule
Finally, we need to add rights for the App we created in Step 1 to write to the new Data Collection Rule. With the Data Collection Rule still open, select "Access Control (IAM)" and then select "+ Add" and "Add role assignment".

On the next screen, search for "Monitoring Metrics Publisher". Select this role and click on "Next".

Click on "+ Select members" and add the Application created in the first step. Finish by selecting "Select", then "Review + assign".
Configuring Synqly
You can now add an integration to Synqly to send OCSF Detection Finding events to the Sentinel CommonSecurityLog table. Use the following provider config with the Create Integration API.
mgmt.NewProviderConfigFromSinkAzureMonitorLogs(&mgmt.SinkAzureMonitorLogs{
    // "Logs ingestion" URL saved from the Data Collection Endpoint
    Url: "dcr-url",
    // Client secret "Value" saved when the App was registered
    Credential: mgmt.NewAzureMonitorLogsCredentialFromToken(
        &mgmt.TokenCredential{Secret: "oauth-secret"},
    ),
    ClientId:   "app-client-id", // Application (client) ID of the App
    TenantId:   "app-tenant-id", // Directory (tenant) ID of the App
    RuleId:     "dcr-id",        // immutableID of the Data Collection Rule
    StreamName: "Custom-CommonSecurityLog",
})
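The provider config above hands Synqly the values collected in the earlier sections. The Go program below is an added illustration, not Synqly's code or part of this guide, of what those values drive: the client-credentials token request the App's secret is used for, the Logs Ingestion API URL assembled from the DCE "Logs ingestion" URL, the DCR immutable ID and the stream name, and a pre-send check of each record against the stream declaration in the DCR template. All IDs, URLs and the sample record are constructed placeholders; the column subset mirrors the template above, while the token scope, the API version and the 1 MB body limit come from Microsoft's Logs Ingestion API rather than from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed placeholders standing in for the values the guide has you save.
const (
	tenantID    = "00000000-0000-0000-0000-000000000000"                  // Directory (tenant) ID
	clientID    = "11111111-1111-1111-1111-111111111111"                  // Application (client) ID
	dceURL      = "https://example-dce.eastus-1.ingest.monitor.azure.com" // DCE "Logs ingestion" URL
	immutableID = "dcr-00000000000000000000000000000000"                  // DCR immutable ID
	streamName  = "Custom-CommonSecurityLog"
	maxBody     = 1 << 20 // Logs Ingestion API limit per request body (1 MB uncompressed)
)

// TokenRequest returns the token endpoint and client-credentials form body that
// trade the App's client secret for a bearer token scoped to Azure Monitor.
func TokenRequest(tenant, client, secret string) (string, url.Values) {
	return "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token", url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {client},
		"client_secret": {secret}, // travels only in the POST body, never in a URL
		"scope":         {"https://monitor.azure.com/.default"},
	}
}

// IngestURL builds the Logs Ingestion API URL for one stream of one DCR.
func IngestURL(dce, ruleID, stream string) string {
	return strings.TrimRight(dce, "/") + "/dataCollectionRules/" + ruleID +
		"/streams/" + stream + "?api-version=2023-01-01"
}

// declaredColumns is a subset of the stream declaration in the DCR template above.
var declaredColumns = map[string]string{
	"TimeGenerated": "datetime", "DeviceVendor": "string", "DeviceProduct": "string",
	"DeviceEventClassID": "string", "Activity": "string", "LogSeverity": "string",
	"SourceIP": "string", "DestinationIP": "string", "DestinationPort": "int",
	"EventCount": "int", "SentBytes": "long",
}

// ValidateRecord checks one decoded JSON record (numbers are float64) against the
// declared columns: undeclared columns never reach the table and mistyped values
// are rejected by the DCR, so both are caught before the request is sent.
func ValidateRecord(rec map[string]any) error {
	for name, v := range rec {
		typ, ok := declaredColumns[name]
		if !ok {
			return fmt.Errorf("column %q is not declared in %s", name, streamName)
		}
		switch typ {
		case "string", "datetime":
			s, ok := v.(string)
			if !ok {
				return fmt.Errorf("column %q: want %s as a string, got %T", name, typ, v)
			}
			if _, err := time.Parse(time.RFC3339, s); typ == "datetime" && err != nil {
				return fmt.Errorf("column %q: %w", name, err)
			}
		case "int", "long", "real":
			f, ok := v.(float64)
			if !ok || (typ != "real" && f != float64(int64(f))) {
				return fmt.Errorf("column %q: want %s, got %v", name, typ, v)
			}
		}
	}
	return nil
}

// BuildPayload validates every record, encodes the JSON array the API expects
// as the request body, and enforces the per-request size limit.
func BuildPayload(records []map[string]any) ([]byte, error) {
	for i, rec := range records {
		if err := ValidateRecord(rec); err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
	}
	body, err := json.Marshal(records)
	if err == nil && len(body) > maxBody {
		err = fmt.Errorf("payload is %d bytes; split it across requests", len(body))
	}
	return body, err
}

// sampleRecords is one constructed CommonSecurityLog row, not real telemetry.
var sampleRecords = []map[string]any{{
	"TimeGenerated": "2024-01-15T10:30:00Z", "DeviceVendor": "ExampleVendor",
	"DeviceProduct": "ExampleEDR", "DeviceEventClassID": "detection_finding",
	"Activity": "Malware detected", "LogSeverity": "High", "SourceIP": "10.0.0.5",
	"DestinationIP": "192.0.2.10", "DestinationPort": 443.0, "EventCount": 1.0,
}}

func main() {
	endpoint, _ := TokenRequest(tenantID, clientID, "<client-secret-value>")
	body, err := BuildPayload(sampleRecords)
	fmt.Println("POST", endpoint, "then POST", IngestURL(dceURL, immutableID, streamName),
		"with", len(body), "bytes and Authorization: Bearer <token>; err:", err)
}
```

Nothing is sent over the network; the program only prints the two request shapes and the validated payload size. Once the integration is live, running `CommonSecurityLog | where TimeGenerated > ago(1h) | take 10` in the workspace's Logs blade confirms events are landing, and the App registration only needs the Monitoring Metrics Publisher role on the one DCR assigned above, not wider rights on the workspace.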