Incoming feed - Microsoft Sentinel Alerts Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.


Specifications

Transport types

Microsoft Sentinel Alerts Feed

Content type

Microsoft Sentinel Alerts JSON

Endpoint(s)

https://api.loganalytics.io/v1/

Ingested data

Ingests alerts from a given Microsoft Azure Log Analytics workspace.

For more information, see How the feed works.

Processed data

See Data mapping.

Requirements

  • Your Microsoft Azure tenant ID.

  • A Microsoft Azure user to set up the service application. This user should have one of these roles:

    • Global Administrator

    • Application Administrator

    • Cloud Application Administrator

  • A service application.

    This provides you with a client_id and client_secret that this incoming feed uses to set up OAuth2 authentication with Microsoft Azure.

    See Set up service application on Azure.

Set up service application on Azure

Before setting up an incoming feed with the Microsoft Sentinel Alerts Feed transport type, you must:

  1. Register a service application in Azure.

    The incoming feed connects to your Azure Log Analytics workspace using this service application.

  2. Obtain client_id and client_secret from your new service application.

    You need the client_id and client_secret to Configure the incoming feed.

  3. Assign Read Log Analytics data as user permissions to your service application.

  4. Link your service application to your Azure Log Analytics workspace.

  5. (Optional) Assign user or group to service application.

These steps are documented in the Azure Log Analytics REST API documentation.

Once done, Configure the incoming feed.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Microsoft Sentinel Alerts Feed from the drop-down menu.

    Content type*

    Select Microsoft Sentinel Alerts JSON from the drop-down menu.

    API URL*

    By default, this is set to https://api.loganalytics.io/v1/.

    Client ID*

    Enter the client_id for your service application.

    For more information, see Set up service application on Azure.

    Client secret*

    Enter the client_secret for your service application.

    For more information, see Set up service application on Azure.

    Tenant ID*

    Enter the tenant ID of the tenant in which your Azure Log Analytics workspace is located.

    Workspace ID*

    Set this to your Azure Log Analytics workspace ID.

    Start ingesting from*

    Ingest alerts generated from this date onward.

    For more information, see How the feed works.

    Filter operator

    (Optional) Select an operator from the list to apply to the value set in Filter value.

    Must be set when a value is entered for Filter value.

    For more information, see Filter operator and Filter value.

    Filter value

    (Optional) Enter a value to be used in combination with the Filter operator to filter alerts.

    Must be set when a value is selected for Filter operator.

    Values entered here are case-sensitive.

    For more information, see Filter operator and Filter value.

    Custom filter

    (Optional) You can enter additional KQL queries here. This can be set without entering values for Filter operator and Filter value.

    For more information, see Custom filter.

    SSL verification

    Selected by default. Select this option to enable SSL verification for this feed.

    Path to SSL certificate file

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

How the feed works

The Microsoft Sentinel Alerts Feed ingests security alerts from your Azure Log Analytics workspace.

By default, it runs this KQL query:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)

to find and ingest all alerts generated in the given workspace after the date and time set in Start ingesting from.

Filter operator and Filter value

Adding a Filter operator and Filter value sets the feed to only retrieve alerts that match the combination of the two fields, and sends the following query to Azure Log Analytics:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName <Filter operator> <Filter value>

Both fields must be set for the generated query to be valid.

For example, setting these values:

Filter operator

Contains

Filter value

APT42

retrieves alerts that have ‘APT42’ in their names with a KQL query that looks like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName contains 'APT42'

The Filter operator options are KQL string operators, with these possible values:

Filter operator

KQL/Description

Equals

  • ==

  • Filter value matches the alert name exactly.

Not equals

  • !=

  • Excludes alerts that match the Filter value exactly.

Contains

  • contains

  • Filter value matches part of, or exactly, the alert name.

Doesn’t contain

  • !contains

  • Excludes alerts that match part of, or exactly, the Filter value.

Starts with

  • startswith

  • Filter value matches the start of the alert name.

Ends with

  • endswith

  • Filter value matches the end of the alert name.

Equals to one of the comma separated elements

  • in

  • Allows you to enter a list of values in Filter value. This sets the feed to only retrieve alerts with names that match any one of these values exactly.

    Each item in the list of values entered must be encased in inverted commas.

    For example, selecting this Filter operator and entering the following Filter value:

    "123", "345", "abc", "Cab"

    matches alerts with names:

    • 123

    • 345

    • abc

    • Cab

Custom filter

Setting the Custom filter field allows you to add your own KQL queries to the incoming feed.

For example, entering the following in the Custom filter field:

where AlertName == 'example'

retrieves alerts with names that match 'example' exactly, with a KQL query that looks like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName == 'example'

Omit the leading pipe (|) character when setting the Custom filter. For example:

Do

where AlertName == 'example'

Don’t

| where AlertName == 'example'

When used in combination with the Filter operator and Filter value fields, the resulting KQL query will look like this:

SecurityAlert
| where TimeGenerated > todatetime(<Start ingesting from>)
| where AlertName <Filter operator> <Filter value>
| <Custom filter>
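The query composition described in How the feed works, Filter operator and Filter value, and Custom filter, written out as an added Python example (not the platform's own code). FILTER_OPERATORS and build_alert_query are names chosen here; the function generalises the page's examples by validating that the two filter fields are set together, quoting the filter value as a KQL literal, and rejecting a leading pipe in the custom filter.

```python
# KQL string operator for each Filter operator label in the feed configuration.
FILTER_OPERATORS = {
    "Equals": "==",
    "Not equals": "!=",
    "Contains": "contains",
    "Doesn't contain": "!contains",
    "Starts with": "startswith",
    "Ends with": "endswith",
    "Equals to one of the comma separated elements": "in",
}


def build_alert_query(start_from, filter_operator=None, filter_value=None, custom_filter=None):
    """Compose the KQL the feed sends to Log Analytics.

    start_from: ISO 8601 timestamp for "Start ingesting from".
    filter_operator / filter_value: must be set together or both left out.
    custom_filter: extra KQL tabular operator, written without the leading pipe.
    """
    if (filter_operator is None) != (filter_value is None):
        raise ValueError("Filter operator and Filter value must be set together")
    lines = ["SecurityAlert", f"| where TimeGenerated > todatetime('{start_from}')"]
    if filter_operator is not None:
        op = FILTER_OPERATORS[filter_operator]
        if op == "in":
            # 'in' takes a parenthesised list; the user quotes every item ("123", "345", ...).
            # A comma inside a quoted item is not handled here.
            items = [v.strip() for v in filter_value.split(",")]
            if not all(len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"" for v in items):
                raise ValueError("each item for 'in' must be enclosed in quotes")
            rhs = "(" + ", ".join(items) + ")"
        else:
            # Single-quoted KQL literal; escape backslashes and quotes so the value cannot
            # break out of the literal. The comparison stays case-sensitive, as the page notes.
            escaped = filter_value.replace("\\", "\\\\").replace("'", "\\'")
            rhs = f"'{escaped}'"
        lines.append(f"| where AlertName {op} {rhs}")
    if custom_filter:
        cf = custom_filter.strip()
        if cf.startswith("|"):
            raise ValueError("omit the leading pipe (|) in Custom filter")
        lines.append(f"| {cf}")
    return "\n".join(lines)
```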

Data mapping

The feed ingests alerts from the given Azure Log Analytics workspace as sightings on the platform.

The following table shows how alerts are mapped to sightings. For more information about the Azure Log Analytics schema, see Azure Security alerts schemas documentation.

Map Alerts to Sightings

Each entry lists the sighting field name, the Azure Log Analytics schema field it is mapped from, an example value, and a description.

  • Title

    Mapped from: AlertName

    Example value: Suspicious process executed [seen multiple times] alert - Sighting created by Microsoft Sentinel

    Description: Name of sighting.

  • Analysis

    Mapped from: Description

    Example value: Machine logs indicate that the suspicious process: 'c:\tools\mimikatz\x64\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials. This behavior was seen 24 times today on the following machines: VICTIM00

    Description: Description of sighting.

  • Confidence

    Mapped from: AlertSeverity

    Example value: High

    Description: Confidence of sighting. For more information, see Map AlertSeverity to Sighting confidence.

    Possible values:

    • Unknown

    • None

    • Low

    • Medium

    • High

  • Estimated time

    Mapped from: Various

    Example value: Various

    Description: See Map timestamps.

  • Tags

    Mapped from: ProductName, VendorName

    Example value: Microsoft, Azure Security Center

    Description: Tags added to the sighting.

  • Producer

    Mapped from: Various

    Example value: Various

    Description: See Map information source.

Map AlertSeverity to Sighting confidence

Each entry lists the Azure Log Analytics AlertSeverity value, followed by the sighting confidence value it maps to:

  • Informational: None

  • Low: Low

  • Medium: Medium

  • High: High

Map timestamps

Each entry lists the indicator estimated time field, followed by the Azure Log Analytics schema field it is mapped from:

  • Estimated threat start time: StartTime

  • Estimated threat end time: EndTime

  • Estimated observed time: TimeGenerated

  • Ingested: TimeGenerated

Map information source

Each entry lists the field name, followed by its example value:

  • Identity: Microsoft Sentinel

  • Roles: Initial Author

  • References: https://api.loganalytics.io

Map Alert Entities to Observables

This feed ingests entities attached to a given alert as observables extracted from the resulting sighting.

Map Alert entity type to observable type

Each entry lists the Azure Log Analytics entity type, the observable type it maps to, and the Azure Log Analytics field name whose value becomes the observable value.

  • filehash

    Observable type: the platform checks the filehash length to assign one of these hash types:

    • hash-sha1

    • hash-sha256

    • hash-md5

    Maps from field: Value

  • ip

    Observable type: ipv4

    Maps from field: Address

  • url

    Observable type: url

    Maps from field: Url

  • host

    Observable type: host

    Maps from field: HostName

  • account

    Observable type: person

    Maps from field: Name

Map AlertSeverity to observable maliciousness

Each entry lists the Azure Log Analytics AlertSeverity value, followed by the observable maliciousness value it maps to:

  • Informational: None

  • Low: Low

  • Medium: Medium

  • High: High
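As an added Python example (not EclecticIQ's own code), this applies the Data mapping tables above to a constructed SecurityAlert row: AlertSeverity to sighting confidence and observable maliciousness, the timestamp, tag and producer fields, and the entity-to-observable rules with the hash type chosen by digest length. The output field names, the title suffix, the hash-sha256 type name, the "Unknown" fallback and the JSON-string form of Entities are assumptions made here.

```python
import json

# Mapping tables taken from the page: severity -> confidence/maliciousness, hash observable type by
# hex digest length (the name hash-sha256 is assumed), entity type -> (observable type, source field).
SEVERITY_MAP = {"Informational": "None", "Low": "Low", "Medium": "Medium", "High": "High"}
HASH_TYPE_BY_LENGTH = {32: "hash-md5", 40: "hash-sha1", 64: "hash-sha256"}
ENTITY_MAP = {"ip": ("ipv4", "Address"), "url": ("url", "Url"),
              "host": ("host", "HostName"), "account": ("person", "Name")}

# Constructed SecurityAlert row (not real data). Entities is assumed to arrive as a JSON string.
SAMPLE_ALERT = {
    "AlertName": "Suspicious process executed", "AlertSeverity": "High",
    "Description": "Machine logs indicate that a suspicious process was running.",
    "ProductName": "Azure Security Center", "VendorName": "Microsoft",
    "StartTime": "2024-05-01T10:00:00Z", "EndTime": "2024-05-01T10:05:00Z", "TimeGenerated": "2024-05-01T10:06:00Z",
    "Entities": json.dumps([
        {"Type": "host", "HostName": "VICTIM00"},
        {"Type": "ip", "Address": "203.0.113.7"},
        {"Type": "filehash", "Value": "d41d8cd98f00b204e9800998ecf8427e"},
        {"Type": "process", "CommandLine": "whoami"},  # no mapping on the page: dropped
    ]),
}


def entity_to_observable(entity):
    etype = (entity.get("Type") or "").lower()
    if etype == "filehash":  # hash type is chosen by digest length; other lengths are dropped
        value = entity.get("Value", "")
        obs_type = HASH_TYPE_BY_LENGTH.get(len(value))
    elif etype in ENTITY_MAP:
        obs_type, value = ENTITY_MAP[etype][0], entity.get(ENTITY_MAP[etype][1])
    else:
        return None  # entity types without a mapping on the page are not extracted
    return {"type": obs_type, "value": value} if obs_type and value else None


def alert_to_sighting(alert):
    level = SEVERITY_MAP.get(alert.get("AlertSeverity"), "Unknown")  # "Unknown" fallback is assumed
    observables = [o for o in map(entity_to_observable, json.loads(alert.get("Entities") or "[]")) if o]
    for obs in observables:
        obs["maliciousness"] = level  # Map AlertSeverity to observable maliciousness
    return {
        "title": f"{alert['AlertName']} - Sighting created by Microsoft Sentinel",  # suffix from page example
        "analysis": alert.get("Description", ""),
        "confidence": level,
        "estimated_threat_start_time": alert.get("StartTime"), "estimated_threat_end_time": alert.get("EndTime"),
        "estimated_observed_time": alert.get("TimeGenerated"), "ingested": alert.get("TimeGenerated"),
        "tags": [alert.get("ProductName"), alert.get("VendorName")],
        "producer": {"identity": "Microsoft Sentinel", "roles": ["Initial Author"],
                     "references": ["https://api.loganalytics.io"]},
        "observables": observables,
    }
```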