Azure-Sentinel/DataConnectors/SentinelOne
NikTripathi bcae28764b revert 2022-03-25 16:41:14 +05:30

README.md

SentinelOne Integration for Azure Sentinel

Introduction

This folder contains the Azure Function timer-trigger code for the SentinelOne to Azure Sentinel connector. The function runs periodically and ingests SentinelOne data into the Azure Sentinel custom log table SentinelOne_CL.

Folders

  1. SentinelOne/ - This contains the package, requirements, ARM JSON file, connector page template JSON, and other dependencies.
  2. SentinelOneSentinelConnector/ - This contains the Azure function source code along with sample data.

Installing for users

After the solution is published, the connector appears in the Azure Sentinel connector gallery, in the Data connectors section, alongside the other connectors.

i. Go to Azure Sentinel -> Data Connectors.

ii. Click the SentinelOne connector; its connector page will open.

iii. Click the blue Deploy to Azure button.

This opens a custom deployment page; after you enter the required credentials and other settings, the resources are created.

The connector should start ingesting data into the logs within the next 10-15 minutes.

Installing for testing

i. Log in to the Azure portal using the URL https://portal.azure.com/?feature.BringYourOwnConnector=true.

ii. Go to Azure Sentinel -> Data Connectors.

iii. Click the "Import" button at the top and select the JSON file SentinelOne_API_FunctionApp.JSON that you downloaded from GitHub to your local machine.

iv. This loads the connector page; the rest of the process is the same as in the Installing for users section above.

Each invocation of the function, and its logs, can be viewed in the Azure Function App service, which is available in the Azure portal outside Azure Sentinel.

i. Go to Function App and click the function app you deployed, identified by the name you gave it at deployment.

ii. Go to Functions -> SentinelOneSentinelConnector -> Monitor.

iii. Click an invocation time to see all the logs for that run.

Note: If needed, the logs can also be examined in detail in the function's Application Insights instance. Search by operation ID in the Transaction search section.
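As an added check that is not part of the connector repository, the following KQL queries confirm that SentinelOne_CL is receiving data within the stated 10-15 minutes and, if it is not, locate the logs of a failed invocation by operation ID. They assume the standard Application Insights requests, traces and exceptions tables and that the function is reported under the name SentinelOneSentinelConnector; the operation ID is a placeholder you fill in from the second query.

```kusto
// Added example, not part of the connector repository.
// Query 1 (run in the Log Analytics workspace): is data arriving in SentinelOne_CL?
// No rows after 15 minutes means the function is not ingesting.
SentinelOne_CL
| where TimeGenerated > ago(30m)
| summarize Events = count(), LastSeen = max(TimeGenerated) by bin(TimeGenerated, 5m)
| order by TimeGenerated desc

// Query 2 (run in the function's Application Insights instance): failed invocations
// of the timer function over the last day, with the operation ID to search on.
requests
| where timestamp > ago(1d)
| where operation_Name == "SentinelOneSentinelConnector"   // assumed: function name as in the repo
| where success == false
| project timestamp, operation_Id, resultCode, duration
| order by timestamp desc

// Query 3 (same Application Insights instance): every trace and exception recorded
// for one invocation, which is what the Transaction search section shows for that ID.
let opId = "<operation-id-from-query-2>";   // placeholder, copy from query 2
union
  (traces     | where operation_Id == opId | project timestamp, source = "trace",     message, severityLevel),
  (exceptions | where operation_Id == opId | project timestamp, source = "exception", message = outerMessage, severityLevel)
| order by timestamp asc
```

Run the three queries one at a time; query 1 belongs to the workspace the connector writes to, queries 2 and 3 to the Application Insights resource created with the function app.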