Edge Delta Microsoft Sentinel Destination

Send logs to Microsoft Sentinel.

Overview

You can configure Edge Delta agents to prepare log and custom telemetry and send it for downstream processing by Microsoft Sentinel. Preparing the telemetry data for security information and event management (SIEM) ensures uniform data representation for analysis, correlation, and alerting across various types and sources of data.

Prerequisites

The Sentinel Destination requires the Microsoft Sentinel pack. See Send Logs to Microsoft Sentinel for more details about using the packs and configuring Azure.

Example Configuration

This configuration sends logs to the Custom-CommonSecurityLog stream on the https://democo.eastus-1.ingest.monitor.azure.com endpoint.

- name: Microsoft Sentinel Destination
  type: azure_sentinel_output
  stream_name: Custom-CommonSecurityLog
  data_collection_endpoint: https://democo.eastus-1.ingest.monitor.azure.com
  data_collection_rule_id: 123-21a4f6c095d54364afa3a52b111432ea
  tenant_id: 12345678-1234-1234-123r-a123b456c789
  client_id: 98765432-4321-3c21-g654-a987b654c321
  client_secret: abcdefghijklmnopqrstuvwxyz12345678910111

Required Parameters

name

A descriptive name for the node. This is the name that appears in Visual Pipelines, and you can reference the node in the YAML by this name. It must be unique across all nodes. It is a YAML list element, so it begins with a hyphen and a space followed by the string. It is a required parameter for all nodes.

nodes:
  - name: <node name>
    type: <node type>

type: azure_sentinel_output

The type parameter specifies the type of node being configured. It is specified as a string from a closed list of node types. It is a required parameter.

nodes:
  - name: <node name>
    type: <node type>

stream_name

You use the stream_name parameter to specify the identifier for the incoming data stream within the Log Analytics workspace. It is configured as a string and is required. See how to get the stream_name here.

Note: You must configure one Azure Destination node per stream name.

data_collection_endpoint

You use the data_collection_endpoint parameter to configure Edge Delta with the endpoint exposed by Azure Monitor for ingesting logs (configured earlier). It is specified as a string and is required. See how to get the data_collection_endpoint here.

data_collection_rule_id

You use the data_collection_rule_id to specify the unique identifier for the Data Collection Rule (DCR), which controls ingestion and forwarding to a destination (configured earlier). It is specified as a string and is required. See how to get the data_collection_rule_id here.

tenant_id

You use the tenant_id parameter to specify the GUID for your Azure AD tenant. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_TENANT_ID environment variable takes priority over this value. See how to get the tenant_id here.

client_id

You use the client_id parameter to specify the GUID for the application or service principal registered in Azure AD and authorized to make API calls. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_CLIENT_ID environment variable takes priority over this value. See how to get the client_id here.

client_secret

You use the client_secret parameter to specify the secret associated with your client ID. It is specified as a string and is required. This parameter can be defined in the node configuration but a best practice is to use secrets management with an environment variable, in which case the AZURE_CLIENT_SECRET environment variable takes priority over this value. See how to get the client_secret here.
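The precedence and required-parameter rules described above, as an added example in Python (not Edge Delta's own code): a small linter that applies the documented AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET precedence over the YAML values and flags a client_secret left inline in the node. The sample node, its placeholder IDs and the GUID-shape check are constructed here and are not taken from the agent.

```python
import re

# Constructed sample node mirroring the page's example configuration; the
# placeholder IDs are deliberately not GUID-shaped and the secret is inline,
# so the linter below has something to report.
SAMPLE_NODE = {
    "name": "Microsoft Sentinel Destination",
    "type": "azure_sentinel_output",
    "stream_name": "Custom-CommonSecurityLog",
    "data_collection_endpoint": "https://democo.eastus-1.ingest.monitor.azure.com",
    "data_collection_rule_id": "<dcr immutable id placeholder>",
    "tenant_id": "12345678-1234-1234-123r-a123b456c789",
    "client_id": "98765432-4321-3c21-g654-a987b654c321",
    "client_secret": "<client secret placeholder>",
}

REQUIRED = ("name", "type", "stream_name", "data_collection_endpoint",
            "data_collection_rule_id", "tenant_id", "client_id", "client_secret")

# Documented precedence: when the variable is set it wins over the YAML value.
ENV_OVERRIDES = {"tenant_id": "AZURE_TENANT_ID",
                 "client_id": "AZURE_CLIENT_ID",
                 "client_secret": "AZURE_CLIENT_SECRET"}

# Assumed GUID shape for tenant_id and client_id (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def resolve_credentials(node, env):
    """Effective tenant_id/client_id/client_secret after env precedence."""
    return {key: env.get(var) or node.get(key) for key, var in ENV_OVERRIDES.items()}


def lint_node(node, env):
    """Return human-readable findings for one azure_sentinel_output node."""
    findings = []
    effective = resolve_credentials(node, env)
    for key in REQUIRED:
        # A credential may live only in the environment; anything else must be in YAML.
        if key not in node and effective.get(key) is None:
            findings.append(f"{key}: required but not set in YAML or environment")
    if node.get("type") not in (None, "azure_sentinel_output"):
        findings.append(f"type: expected azure_sentinel_output, got {node['type']!r}")
    for key in ("tenant_id", "client_id"):
        value = effective.get(key)
        if value is not None and not GUID_RE.match(value):
            findings.append(f"{key}: {value!r} is not GUID-shaped")
    if "client_secret" in node:
        findings.append("client_secret: stored inline in YAML; prefer AZURE_CLIENT_SECRET")
    return findings
```

Pass `dict(os.environ)` as `env` to lint a real agent environment; an empty dict shows what the YAML alone provides.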

Optional Parameters

buffer_max_bytesize

The buffer_max_bytesize parameter configures the maximum total byte size of unsuccessful items held in the buffer. If the limit is reached, further items are discarded until buffer space becomes available. It is specified as a datasize.Size, has a default of 0 (no size limit), and is optional.

buffer_ttl

The buffer_ttl parameter configures the time-to-live for unsuccessful items, after which they are discarded. It is specified as a duration, has a default of 10m, and is optional.

buffer_path

The buffer_path parameter configures the path where unsuccessful items are stored so that they can be retried (exactly-once delivery). It is specified as a string and is optional.