Send Logs from Edge Delta to Microsoft Sentinel

Overview

You can configure Edge Delta agents to prepare log data for downstream processing by Microsoft Sentinel before sending it to Azure. Preparing the telemetry data on the edge for security information and event management (SIEM) ensures uniform data representation for analysis, correlation, and alerting across various types and sources of data.

Pipeline Configuration

To send data to Microsoft Sentinel, configure Azure using instructions on this page. Then configure a pipeline with the Microsoft Sentinel destination node and add the Microsoft Sentinel pack. See the packs library for detailed descriptions of the packs. In addition, you feed the Sentinel pack with a relevant pack for the data source, such as the Edge Delta Pipeline Pack for CEF (Common Event Format). The CEF pack routes and processes CEF logs before passing CEL logs to the Sentinel Pack, which creates the mapping from different security sources. The resulting item has attributes in the shape and form required by Sentinel.

Together, the CEF and Sentinel packs process logs as follows, before passing them to the Sentinel Destination node:

Input

{
  "_type": "log"
  "body": "Dec 16 06:17:49 test-host CEF:1|Vendor234|RUM|v10.678.10-20241010090810|4815|Agent found some errors|9|src=10.0.0.1 dst=2.1.2.2 spt=1232
"
  "resource": { • • • }
  "timestamp": 1734329869682
}

Output

{
  "_type": "log"
  "attributes": {
    "Activity": "Agent found some errors"
    "DestinationIP": "2.1.2.2"
    "DeviceProduct": "RUM"
    "DeviceVendor": "Vendor234"
    "DeviceVersion": "v10.678.10-20241010090810"
    "LogSeverity": "9"
    "OriginalLogSeverity": "9"
    "OriginalTimestamp": 1734329869000
    "SourceIP": "10.0.0.1"
    "SourcePort": 1232
    "type": "CommonSecurityLog"
  }
  "body": "Dec 16 06:17:49 test-host CEF:1|Vendor234|RUM|v10.678.10-20241010090810|4815|Agent found some errors|9|src=10.0.0.1 dst=2.1.2.2 spt=1232
"
  "resource": { • • • }
  "timestamp": 1734329869000
}

Azure Configuration

You need the following objects configured in Azure:

Register Azure Application

Register Edge Delta as an application.

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Select Identity - Applications - App registrations and select New registration.
3. Enter Edge Delta Sentinel Stream as the application display name.
4. Accounts in this organizational directory only is selected by default. Click Register.
5. Copy and save the Application (client) ID and Directory (tenant) ID. The Application (client) ID value is used for the client_id parameter, while the Directory (tenant) ID is used for the tenant_id parameter in the Microsoft Sentinel node.
6. Click Add a certificates or secret.
7. Click New client secret.
8. Enter a description and expiration date and and click Add.
9. Copy and save the secret Value. This secret Value value is used for the client_secret parameter in the Microsoft Sentinel node.

See the official Azure documentation for more details.

Data Collection Endpoint

Create the data collection endpoint in Azure Monitor.

1. Navigate to the Data Collection Endpoints service in Azure.
2. Click Create.
3. Enter Edge-Delta-Stream-Sentinel-Ingestion as the Endpoint name.
4. Specify your organization’s Subscription, Resource Group, and Region.
5. Select Review + create. Then select Create.
6. Open the Edge-Delta-Stream-Sentinel-Ingestion endpoint when it appears.
7. Copy and save the Logs Ingestion value. This Logs Ingestion value is used for the data_collection_endpoint parameter in the Microsoft Sentinel node, and it is used later to create the DCR.

See the official Azure documentation for more details.

Data Collection Rule

Create a data collection rule. It defines how data is collected, where it is sent, and the specific transformations applied during ingestion.

First you need the Log Analytics Workspace Resource ID:

1. In the Azure portal, navigate to the Log Analytics workspaces service.
2. Select the workspace that will receive data.
3. Select JSON View on the Overview page.
4. Copy and save the Workspace Resource ID.

Now you can create a DCR using the template:

1. Search for and select Deploy a custom template in the portal.
2. Select Build your own template in the editor.
3. Click Load File and upload the DCR template.
4. Select Save.
5. Specify the Subscription and Resource Group for your organization.
6. Name the rule Edge-Delta-Stream-Ingestion-Rule.
7. Enter the Workspace Resource ID and the Logs Ingestion value you saved earlier.
8. Select Review + create then click Create.

See the official Azure documentation for more details.

Configure IAM

Assign rule permissions for the Edge Delta Sentinel Stream app:

1. In the Azure portal, navigate to the Data collection rules service.
2. Click Edge-Delta-Stream-Ingestion-Rule (the rule you created in a previous step).
3. Click JSON View.
4. Copy and save the immutableId value without the quotation marks. This immutableId value is used for the data_collection_rule_id parameter in the Microsoft Sentinel node.
5. Copy and save the first key name without the quotation marks from streamDeclarations, for example Custom-CommonSecurityLog in the following snippet:

        ...
        "properties": {
            "immuteableId": "123456789"
            "dataCollectionEndpointId": "/subsriptions/123456789/resour...",
            "streamDeclarations": {
                "Custom-CommonSecurityLog": {
                    "columns": [{
                      {...

This value is used for the stream_name parameter in the Microsoft Sentinel node.

6. Close the JSON view and click Access control (IAM).
7. Click Add role assignment.
8. Click the Monitoring Metrics Publisher role.
9. Click Next
10. Click Select members.
11. Search for and select Edge Delta Sentinel Stream (the application name you registered earlier) and click Select.
12. Click Review + assign.
13. Click Review + assign to confirm.