Feed events to Microsoft Sentinel

You can feed Mosaic activity data to Microsoft Sentinel with the Mosaic Data Connector. The connector is a Sentinel solution that polls the Mosaic Event streaming API for user and admin activity events and writes them to your Log Analytics workspace.

Step 1: Configure a management app

In your Mosaic tenant, configure a management app. Give the app a suitable name, for example, MyAzureSentinelLogStream.

Note

After saving the management app, open it again and note the Client ID and Client Secret values. You'll need both to configure the Microsoft Sentinel solution in Step 4. Treat the Client Secret as a credential for your Mosaic tenant and store it accordingly.

Step 2: Install the solution

  1. Log in to the Azure Portal.
  2. Navigate to Microsoft Sentinel within your resource group.
  3. Go to the Content Hub and search for the Mosaic Data Connector.
  4. Select the solution and click Install.

Step 3: Configure the connector

  1. Open Microsoft Sentinel in your Azure Portal.
  2. Navigate to Data Connectors and find Mosaic Security Connector (using Azure Functions).
  3. Click Open connector page to begin configuration.
  4. Follow the guide on the connector page to complete the setup. The connector page also shows the Workspace ID and workspace key you'll need if you deploy manually (Step 4, Option 2).

Step 4: Deploy the connector

Choose one of the following deployment options:

Option 1: Automated

Deploy using Azure Resource Manager (ARM) template

Use this method for automated deployment of the Mosaic connector.

  1. Click Deploy to Azure.
  2. Select the Subscription, Resource Group, and Location.
  3. Make sure the Resource Group doesn't already contain Windows apps if you deploy to the same region.
  4. Provide the following parameters. All three endpoint URLs must point at the region that hosts your Mosaic tenant:
    • TransmitSecurityClientID: Client ID acquired in Step 1
    • TransmitSecurityClientSecret: Client Secret acquired in Step 1
    • TransmitSecurityUserActivityEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/activities/v1/activities/user
      - EU: https://api.eu.transmitsecurity.io/activities/v1/activities/user
      - Canada: https://api.ca.transmitsecurity.io/activities/v1/activities/user
    • TransmitSecurityAdminActivityEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/activities/v1/activities/admin
      - EU: https://api.eu.transmitsecurity.io/activities/v1/activities/admin
      - Canada: https://api.ca.transmitsecurity.io/activities/v1/activities/admin
    • TransmitSecurityTokenEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/oidc/token
      - EU: https://api.eu.transmitsecurity.io/oidc/token
      - Canada: https://api.ca.transmitsecurity.io/oidc/token
    • logAnalyticsUri: taken from your Log Analytics workspace > Properties
  5. Accept the terms and conditions, then select Create to deploy.

Option 2: Manual

Deploy with Azure Functions

Follow these steps for a manual deployment via Visual Studio Code.

1. Deploy a Function App

  1. Make sure VS Code is installed with the Azure Functions extension (it provides the Azure icon and the Deploy to Function App command used below).
  2. Download and extract the Azure Function App file to your local computer.
  3. In VS Code, open the extracted folder.
  4. In the Activity Bar, select the Azure icon, then click Deploy to Function App.
  5. If not signed in, sign in to Azure.
  6. Provide the required information:
    • Select Folder: choose the folder containing your Function App.
    • Select Subscription: choose your Azure subscription.
    • Function App Name: enter a globally unique name.
    • Runtime: choose Python 3.8.
    • Location: select the same region as your Microsoft Sentinel workspace for better performance.

After completing these steps, deployment will begin, and you’ll be notified once it’s done.

2. Configure the Function App

  1. In the Azure Portal, navigate to your Function App.
  2. Under Settings, select Configuration.
  3. Add the following application settings (the function reads them as environment variables). All three endpoint URLs must point at the region that hosts your Mosaic tenant:
    • TransmitSecurityClientID: Client ID acquired in Step 1
    • TransmitSecurityClientSecret: Client Secret acquired in Step 1
    • TransmitSecurityUserActivityEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/activities/v1/activities/user
      - EU: https://api.eu.transmitsecurity.io/activities/v1/activities/user
      - Canada: https://api.ca.transmitsecurity.io/activities/v1/activities/user
    • TransmitSecurityAdminActivityEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/activities/v1/activities/admin
      - EU: https://api.eu.transmitsecurity.io/activities/v1/activities/admin
      - Canada: https://api.ca.transmitsecurity.io/activities/v1/activities/admin
    • TransmitSecurityTokenEndpoint, by region:
      - US and Global: https://api.transmitsecurity.io/oidc/token
      - EU: https://api.eu.transmitsecurity.io/oidc/token
      - Canada: https://api.ca.transmitsecurity.io/oidc/token
    • WorkspaceID: the Workspace ID shown on the Data Connector page in Step 3
    • WorkspaceKey: the workspace key shown on the Data Connector page in Step 3
    • logAnalyticsUri (optional, dedicated cloud environments only): taken from your Log Analytics workspace > Properties. Leave it unset for the public cloud.
  4. Click Apply to save the settings.

Note

TransmitSecurityClientSecret and WorkspaceKey are credentials: whoever holds them can read your Mosaic activity data or write arbitrary records into your workspace. Where your environment allows it, store them as Key Vault references (@Microsoft.KeyVault(SecretUri=...)) instead of plain values, and rotate them if they are ever exposed.
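To make the Step 4 settings concrete, here is an added example (not the connector's own code, and not Transmit Security's) of one polling cycle as a stand-alone Python script: it obtains a token from TransmitSecurityTokenEndpoint with the Step 1 credentials, polls the user and admin activity endpoints, and ships each stream to its own custom table through the Log Analytics HTTP Data Collector API, which is what WorkspaceID and WorkspaceKey authenticate (an HMAC-SHA256 SharedKey signature over the request). The Mosaic-side details are assumptions: a standard form-encoded client_credentials body, and activity endpoints that return a JSON array; the real connector's query parameters and paging are not shown on this page. The values in SAMPLE_SETTINGS are constructed placeholders, and demo() runs the cycle offline against constructed responses.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Same setting names as Step 4; every value here is a constructed placeholder.
SAMPLE_SETTINGS = {
    "TransmitSecurityClientID": "example-client-id",
    "TransmitSecurityClientSecret": "example-client-secret",
    "TransmitSecurityTokenEndpoint": "https://api.transmitsecurity.io/oidc/token",
    "TransmitSecurityUserActivityEndpoint": "https://api.transmitsecurity.io/activities/v1/activities/user",
    "TransmitSecurityAdminActivityEndpoint": "https://api.transmitsecurity.io/activities/v1/activities/admin",
    "WorkspaceID": "11111111-2222-3333-4444-555555555555",
    "WorkspaceKey": base64.b64encode(b"constructed, not a real workspace key").decode(),
}


def token_request(settings):
    """client_credentials grant against TransmitSecurityTokenEndpoint (body fields are assumed)."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": settings["TransmitSecurityClientID"],
                      "client_secret": settings["TransmitSecurityClientSecret"]}).encode("utf-8")
    return {"method": "POST", "url": settings["TransmitSecurityTokenEndpoint"],
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}


def activity_request(url, access_token):
    """Poll one activities endpoint with the bearer token (assumed to return a JSON array)."""
    return {"method": "GET", "url": url, "headers": {"Authorization": f"Bearer {access_token}"}, "body": None}


def string_to_sign(content_length, rfc1123_date):
    """Canonical string of the Data Collector API SharedKey scheme; the layout is exact."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def shared_key_signature(workspace_key_b64, content_length, rfc1123_date):
    """HMAC-SHA256 of string_to_sign under the base64-decoded WorkspaceKey, base64-encoded."""
    key = base64.b64decode(workspace_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def log_analytics_request(workspace_id, workspace_key_b64, log_type, records, log_analytics_uri=None, now=None):
    """Signed POST appending `records` to <log_type>_CL; logAnalyticsUri overrides the public-cloud host."""
    body = json.dumps(records).encode("utf-8")
    rfc1123_date = format_datetime(now or datetime.now(timezone.utc), usegmt=True)
    signature = shared_key_signature(workspace_key_b64, len(body), rfc1123_date)
    host = (log_analytics_uri or f"https://{workspace_id}.ods.opinsights.azure.com").rstrip("/")
    return {"method": "POST", "url": f"{host}/api/logs?api-version=2016-04-01",
            "headers": {"Content-Type": "application/json",
                        "Authorization": f"SharedKey {workspace_id}:{signature}",
                        "Log-Type": log_type,        # Log Analytics stores it as <log_type>_CL
                        "x-ms-date": rfc1123_date},  # must be the same date that was signed
            "body": body}


def http_send(msg):
    """Default transport: perform one prepared request and return its JSON body ({} if empty)."""
    req = Request(msg["url"], data=msg["body"], method=msg["method"], headers=msg["headers"])
    with urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


STREAMS = (("TransmitSecurityUserActivityEndpoint", "TransmitSecurityUserActivity"),
           ("TransmitSecurityAdminActivityEndpoint", "TransmitSecurityAdminActivity"))


def poll_once(settings, send=http_send):
    """One cycle: token, then each stream into its own table. Returns {log_type: records shipped}."""
    token = send(token_request(settings))["access_token"]
    shipped = {}
    for endpoint_setting, log_type in STREAMS:
        events = send(activity_request(settings[endpoint_setting], token))
        if not events:
            continue                           # nothing new for this stream: send no POST
        send(log_analytics_request(settings["WorkspaceID"], settings["WorkspaceKey"],
                                   log_type, events, settings.get("logAnalyticsUri")))
        shipped[log_type] = len(events)
    return shipped


def demo():
    """Offline run against constructed responses; returns (shipped counts, captured Log Analytics POSTs)."""
    outbound = []

    def fake_send(msg):
        if msg["url"] == SAMPLE_SETTINGS["TransmitSecurityTokenEndpoint"]:
            return {"access_token": "constructed-token"}
        if msg["url"].endswith("/activities/user"):
            return [{"id": "evt-1", "type": "login"}, {"id": "evt-2", "type": "logout"}]
        if msg["url"].endswith("/activities/admin"):
            return []
        outbound.append(msg)                   # the signed Data Collector POST
        return {}

    return poll_once(SAMPLE_SETTINGS, send=fake_send), outbound
```

To run against live endpoints, call poll_once() with the same values you enter in Step 4 (in a function app, read them from os.environ). The custom table name is the Log-Type header plus _CL, which is why Step 5 queries TransmitSecurityUserActivity_CL and TransmitSecurityAdminActivity_CL. A 403 from the Data Collector API means the signature did not verify: the x-ms-date header differs from the date that was signed, the Content-Length changed after signing, or the WorkspaceKey is wrong.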

Step 5: Check the operation

  1. In the Azure Portal, open Logs in your Log Analytics workspace (or Microsoft Sentinel > Logs).
  2. Run each of the following queries, one at a time, to check for data ingested in the last hour. Admin and user activity land in two separate custom tables, and a table is only created on first ingestion, so allow time for at least one polling run before checking:

TransmitSecurityAdminActivity_CL | where TimeGenerated > ago(1h)

TransmitSecurityUserActivity_CL | where TimeGenerated > ago(1h)


Troubleshooting

If no logs are found, check that the Data Connector is configured correctly, that the Client ID and Client Secret are accurate and the endpoint URLs match your tenant's region, and, for a manual deployment, that WorkspaceID and WorkspaceKey are correct. Then inspect the Function App's invocation logs (under Monitor, or in Application Insights) for token or HTTP errors.