Incoming feed - Microsoft Sentinel Alerts Feed

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

	Specifications
Transport types	Microsoft Sentinel Alerts Feed
Content type	Microsoft Sentinel Alerts JSON
Endpoint(s)	https://api.loganalytics.io/v1/
Ingested data	Ingests alerts from a given Microsoft Azure Log Analytics workspace. For more information, see How the feed works.
Processed data	See Data mapping.

Requirements

• Your Microsoft Azure tenant ID.

• A Microsoft Azure user to set up the service application. This use should have one of these roles:

  • Global Administrator

  • Application Administrator

  • Cloud Application Administrator

• A service application.

  This provides you with a client_id and client_secret that this incoming feed uses to set up OAuth2 authentication with Microsoft Azure.

  See Set up service application on Azure.

Set up service application on Azure

Before setting up an incoming feed with the Microsoft Sentinel Alerts Feed transport type, you must:

1. Register a service application in Azure.

   The incoming feed connects to your Azure Log Analytics workspace using this service application.

2. Obtain client_id and client_secret from your new service application.

   You need the client_id and client_secret to Configure the incoming feed.

3. Assign Read Log Analytics data as user permissions to your service application.

4. Link your service application to your Azure Log Analytics workspace.

5. (Optional) Assign user or group to service application.

These steps are documented in the Azure Log Analytics REST API documentation.

Once done, Configure the incoming feed.

Configure the incoming feed

1. Create or edit an incoming feed.

2. Under Transport and content, fill out these fields:

   Note

   Required fields are marked with an asterisk (*).

   Field	Description
   Transport type*	Select Microsoft Sentinel Alerts Feed from the drop-down menu.
   Content type*	Select Microsoft Sentinel Alerts JSON from the drop-down menu.
   API URL*	By default, this is set to https://api.loganalytics.io/v1/.
   Client ID*	Enter the client_id for your service application. For more information, see Set up service application on Azure.
   Client secret*	Enter the client_secret for your service application. For more information, see Set up service application on Azure.
   Tenant ID*	Enter the tenant ID of the tenant that your Azure Log Analytics workspace is located on.
   Workspace ID*	Set this to your Azure Log Analytics workspace ID.
   Start ingesting from*	Ingest alerts generated from this date onward. For more information, see How the feed works.
   Filter operator	(Optional) Select an operator from the list to apply to the value set in Filter value. Must be set when a value is entered for Filter value. For more information, see Filter operator and Filter value.
   Filter value	(Optional) Enter a value to be used in combination with the Filter operator to filter alerts. Must be set when a value is selected for Filter operator. Values entered here are case-sensitive. For more information, see Filter operator and Filter value.
   Custom filter	(Optional) You can enter additional KQL queries here. Can be set without entering values for Filter operator and Filter value For more information, see Custom filter.
   SSL verification	Selected by default. Select this option to enable SSL for this feed.
   Path to SSL certificate file.	Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. For more information, see SSL certificates.
   Start ingesting from*	Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate, it must be:

• Accessible on the EclecticIQ Intelligence Center host.

• Placed in a location that can be accessed by the eclecticiq user.

• Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

2. On the EclecticIQ Intelligence Center host, open the terminal.

3. Change ownership of the SSL certificate by running as root in the terminal:

   chown eclecticiq:eclecticiq /path/to/cert.pem
   

   Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

How the feed works

The Microsoft Sentinel Alerts Feed ingests security alerts from your Azure Log Analytics workspace.

By default, it runs this KQL query:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)

to find and ingest all alerts generated in the given workspace after the date and time set in Start ingesting from.

Filter operator and Filter value

Adding a Filter operator and Filter value sets the feed to only retrieve alerts that matches the combination of the two fields, and sends the following query to Azure Log Analytics:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName <Filter operator> <Filter value>

Both fields must be set for the generated query to be valid.

For example, setting these values:

Filter operator	Contains
Filter value	APT42

retrieves alerts that have ‘APT42’ in their names with a KQL query that looks like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName contains 'APT42'

The Filter operator options are KQL string operators, with these possible values:

Filter operator	KQL/Description
Equals	== Filter value matches the alert name exactly.
Not equals	!= Excludes alerts that match the Filter value exactly.
Contains	contains Filter value matches part of, or exactly, the alert name.
Doesn’t contain	!contains Excludes alerts that match part of, or exactly, the Filter value.
Starts with	startswith Filter value matches the start of the alert name.
Ends with	endswith Filter value matches the end of the alert name.
Equals to one of the comma separated elements	in Allows you to enter a list of values in Filter value. This sets the feed to only retrieve alerts with names that match any one of these values exactly. Each item in the list of values entered must be encased in inverted commas. For example, selecting this Filter operator and entering the following Filter value: "123", "345", "abc", "Cab" matches alerts with names: 123 345 abc Cab

Custom filter

Setting the Custom filter field allows you to add your own KQL queries to the incoming feed.

For example, entering the following in the Custom filter field:

where AlertName equals 'example'

Retrieves alerts with names that match ‘example’ exactly, with a KQL query that looks like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName equals 'example'

Omit the leading pipe (|) character when setting the Custom filter. For example:

Do	Don’t
where AlertName equals ‘example’	| where AlertName equals ‘example’

When used in combination with Filter operator and Filter values fields, the resulting KQL query will look like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName <Filter operator> <Filter value>
| <Custom filter>

Data mapping

The feed ingests alerts from the given Azure Log Analytics workspace as sightings on the platform.

The following table shows how alerts are mapped to sightings. For more information about the Azure Log Analytics schema, see Azure Security alerts schemas documentation.

Map Alerts to Sightings

Sighting field name	Mapped from Azure Log Analytics schema	Example value	Description
Title	AlertName	Suspicious process executed [seen multiple times] alert - Sighting created by Microsoft Sentinel	Name of sighting.
Analysis	Description	Machine logs indicate that the suspicious process: ‘c:toolsmimikatzx64mimikatz.exe’ was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen 24 times today on the following machines: VICTIM00	Description of sighting.
Confidence	AlertSeverity	High	Confidence of sighting. For more information, see Map AlertSeverity to Sighting confidence Possible values: Unknown None Low Medium High
Estimated time	Various	Various	See Map timestamps.
Tags	ProductName VendorName	Microsoft Azure Security Center	Tags added to the sighting.
Producer	Various	Various	See Map information source.

Map AlertSeverity to Sighting confidence

Azure Log Analytics AlertSeverity value	Sighting confidence value
Informational	None
Low	Low
Medium	Medium
High	High

Map timestamps

Indicator estimated time field	Azure Log Analytics schema
Estimated threat start time	StartTime
Estimated threat end time	EndTime
Estimated observed time	TimeGenerated
Ingested	TimeGenerated

Map information source

Field name	Example value
Identity	Microsoft Sentinel
Roles	Initial Author
References	https://api.loganalytics.io

Map Alert Entities to Observables

This feed ingests entities attached to a given alert as observables extracted from the resulting sighting.

Map Alert entity type to observable type

Azure Log Analytics Entity type	Observable Type	Maps this Azure Log Analytics field name to observable value
filehash	The platform checks the filehash length to assign one of these hash types: hash-sha1 hash-256 hash-md5	Value
ip	ipv4	Address
url	url	Url
host	host	HostName
account	person	Name

Map AlertSeverity to observable maliciousness

Azure Log Analytics AlertSeverity value	Sighting confidence value
Informational	None
Low	Low
Medium	Medium
High	High