Feed events to Microsoft Sentinel

You can feed data to Microsoft Sentinel via the Mosaic Data Connector. The connector keeps track of activity in your tenant by polling the Event streaming API.

Step 1: Configure a management app

In your Mosaic tenant, configure a management app. Give the app a suitable name, for example, MyAzureSentinelLogStream.

Note

After saving the management app, open it again and note the Client ID and Client Secret values. You'll need them in Step 5 to configure the Microsoft Sentinel solution. Treat the secret like a password: anyone holding it can obtain tokens that pull your tenant's event streams.

Step 2: Create event streams

Before you can start feeding events to Sentinel, you have to enable data collection and create event streams in Mosaic. Each stream carries a single event type, and you can create as many streams as needed; a single connector polls at most two streams (see Step 5), so plan streams per connector.

  1. Enable event collection. Specify the type of events you want to collect (one call per type).
Example
  • To collect user management events (logins, etc.), use /activities/start-collect?type=cis
  • To collect detection and response events, use /activities/start-collect?type=risk
  • To collect identity verification events, use /activities/start-collect?type=verify
  • To collect admin events, use /activities/start-collect?type=admin
import fetch from 'node-fetch';

async function run() {
  const query = new URLSearchParams({
    type: '<TYPE>', // Event type. One of cis, admin, risk, verify
  }).toString();

  const resp = await fetch(
    `https://api.transmitsecurity.io/activities/v1/activities/start-collect?${query}`,
    {
      method: 'PUT',
      headers: {
        Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
      }
    }
  );

  const data = await resp.text();
  // Surface a rejected call (bad token, wrong type) instead of logging the error body as success
  if (!resp.ok) throw new Error(`start-collect failed: HTTP ${resp.status} ${data}`);
  console.log(data);
}

run();
  2. Create an event stream. Provide an ID that identifies the stream: a single string with no spaces, unique for each stream.
import fetch from 'node-fetch';

async function run() {
  const query = new URLSearchParams({
    type: '<TYPE>', // Event type. One of cis, admin, risk, verify
    stream_id: '<STREAM_ID>' // Unique stream ID, without spaces
  }).toString();

  const resp = await fetch(
    `https://api.transmitsecurity.io/activities/v1/activities/stream?${query}`,
    {
      method: 'PUT',
      headers: {
        Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
      }
    }
  );

  const data = await resp.text();
  // Surface a rejected call (bad token, duplicate or malformed stream ID) instead of logging it as success
  if (!resp.ok) throw new Error(`stream creation failed: HTTP ${resp.status} ${data}`);
  console.log(data);
}

run();
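The two calls above are usually run once per stream, and a connector needs two streams (one cis, one admin). The script below is an added example, not code from the Mosaic docs or from the Sentinel connector: it runs both calls for each stream in order, checks HTTP status, validates the stream ID before sending it, selects the regional API host, and prints the collect URLs that go into the connector's endpoint parameters in Step 5. It assumes Node 18+ (global fetch), a client access token in an environment variable named TS_TOKEN, a region name in TS_REGION, the example stream IDs `sentinel-user-activity` and `sentinel-admin-activity`, and a stream-ID character set (letters, digits, `-`, `_`) that is stricter than the page's "no spaces" rule.

```javascript
// Added example, not code from the Mosaic docs or the Sentinel connector.
// Provisions the two streams one connector consumes (type=cis and type=admin)
// and prints the collect URLs to paste into the connector parameters.
// Assumptions: Node 18+ (global fetch), a client access token in TS_TOKEN,
// and the stream-ID character set below, which is stricter than "no spaces".

const REGION_HOSTS = {
  global: 'api.transmitsecurity.io',
  eu: 'api.eu.transmitsecurity.io',
  ca: 'api.ca.transmitsecurity.io',
};

const EVENT_TYPES = ['cis', 'admin', 'risk', 'verify'];

// The page requires a contiguous ID without spaces; restricting it further to
// URL-safe characters (an assumption) keeps it from ever needing encoding.
function validateStreamId(streamId) {
  if (typeof streamId !== 'string' || !/^[A-Za-z0-9_-]+$/.test(streamId)) {
    throw new Error(`invalid stream_id "${streamId}": use letters, digits, "-" or "_"`);
  }
  return streamId;
}

function apiBase(region) {
  const host = REGION_HOSTS[region];
  if (!host) throw new Error(`unknown region "${region}"; expected one of ${Object.keys(REGION_HOSTS).join(', ')}`);
  return `https://${host}/activities/v1/activities`;
}

// The three URLs for one stream: enable collection, create the stream, and the
// collect endpoint the connector will poll (the *ActivityEndpoint values in Step 5).
function streamUrls({ region, type, streamId }) {
  if (!EVENT_TYPES.includes(type)) throw new Error(`unknown event type "${type}"`);
  const base = apiBase(region);
  const params = new URLSearchParams({ type, stream_id: validateStreamId(streamId) }).toString();
  return {
    startCollect: `${base}/start-collect?type=${type}`,
    createStream: `${base}/stream?${params}`,
    collect: `${base}/collect?${params}`,
  };
}

// PUT with the bearer token; a non-2xx status is an error, not a silent log line.
async function putWithToken(url, token, fetchImpl) {
  const resp = await fetchImpl(url, { method: 'PUT', headers: { Authorization: `Bearer ${token}` } });
  const body = await resp.text();
  if (!resp.ok) throw new Error(`PUT ${url} -> HTTP ${resp.status}: ${body}`);
  return body;
}

// Enables collection and creates a stream for each requested type, in order.
// Returns { type: collectUrl } for the connector configuration. fetchImpl is
// injectable so the flow can be exercised without network access.
async function provisionStreams({ region, token, streams, fetchImpl = fetch }) {
  const endpoints = {};
  for (const { type, streamId } of streams) {
    const urls = streamUrls({ region, type, streamId });
    await putWithToken(urls.startCollect, token, fetchImpl);
    await putWithToken(urls.createStream, token, fetchImpl);
    endpoints[type] = urls.collect;
  }
  return endpoints;
}

// Usage: TS_TOKEN=<client access token> TS_REGION=eu node provision-streams.js
if (process.env.TS_TOKEN) {
  provisionStreams({
    region: process.env.TS_REGION || 'global',
    token: process.env.TS_TOKEN,
    streams: [
      { type: 'cis', streamId: 'sentinel-user-activity' },
      { type: 'admin', streamId: 'sentinel-admin-activity' },
    ],
  })
    .then((endpoints) => console.log(JSON.stringify(endpoints, null, 2)))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

The printed `cis` and `admin` URLs are exactly the values the Step 5 parameters TransmitSecurityUserActivityEndpoint and TransmitSecurityAdminActivityEndpoint expect, already on the right regional host. To feed risk or verify events, add entries for those types and deploy a second connector for them.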

Step 3: Install the solution

  1. Log in to the Azure Portal.
  2. Navigate to Microsoft Sentinel within your resource group.
  3. Go to the Content Hub and search for the Mosaic Data Connector.
  4. Select the solution and click Install.

Step 4: Configure the connector

  1. Open Microsoft Sentinel in your Azure Portal.
  2. Navigate to Data Connectors and find Mosaic Security Connector (using Azure Functions).
  3. Click Open connector page to begin configuration.
  4. Follow the provided guide to complete the setup.

Step 5: Deploy the connector

Choose one of the following deployment options:

Option 1: Automated

Deploy using Azure Resource Manager (ARM) template

Use this method for automated deployment of the Mosaic connector.

  1. Click Deploy to Azure.
  2. Select the appropriate Subscription, Resource Group, and Location.
  3. Ensure that the Resource Group doesn't contain any existing Windows apps in the same region (the connector's Function App runs on Linux, and Linux and Windows apps cannot share a resource group in the same region).
  4. Provide the following parameters:
    • TransmitSecurityClientID : Client ID acquired in Step 1
    • TransmitSecurityClientSecret : Client Secret acquired in Step 1
    • TransmitSecurityUserActivityEndpoint : https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id={ID} where {ID} is the stream ID created in Step 2 (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
    • TransmitSecurityAdminActivityEndpoint : https://api.transmitsecurity.io/activities/v1/activities/collect?type=admin&stream_id={ID} where {ID} is the stream ID created in Step 2 (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
    • TransmitSecurityTokenEndpoint : https://api.transmitsecurity.io/oidc/token (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada). Use the same regional host here as in the two activity endpoints.
    • logAnalyticsUri : Obtained from Log Analytics workspace > Properties
  5. Agree to the terms and conditions, then select Create to deploy.
Note

To collect all four platform event types (cis, verify, risk, and admin), deploy more than one connector: each connector polls at most two streams.

Option 2: Manual

Deploy with Azure Functions

Follow these steps for a manual deployment via Visual Studio Code.

1. Deploy a Function App

  1. Make sure you have VS Code up and running, with the Azure Functions extension installed.
  2. Download and extract the Azure Function App file to your local computer.
  3. In VS Code, open the extracted folder.
  4. In the Activity Bar, select the Azure icon, then click Deploy to Function App.
  5. If not signed in, sign in to Azure.
  6. Provide the required information:
    • Select Folder: Choose the folder containing your Function App.
    • Select Subscription: Choose your Azure subscription.
    • Function App Name: Enter a globally unique name.
    • Runtime: Choose Python 3.8.
    • Location: Select the same region as your Microsoft Sentinel workspace for better performance.

After completing these steps, deployment will begin, and you’ll be notified once it’s done.

2. Configure the Function App

  1. In the Azure Portal, navigate to your Function App.
  2. Select Configuration under your Function App Name.
  3. Add the following environment variables with their respective values:
    • TransmitSecurityClientID : Client ID acquired in Step 1
    • TransmitSecurityClientSecret : Client Secret acquired in Step 1
    • TransmitSecurityUserActivityEndpoint : https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id={ID} where {ID} is the stream ID created in Step 2 (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
    • TransmitSecurityAdminActivityEndpoint : https://api.transmitsecurity.io/activities/v1/activities/collect?type=admin&stream_id={ID} where {ID} is the stream ID created in Step 2 (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
    • TransmitSecurityTokenEndpoint : https://api.transmitsecurity.io/oidc/token (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada). Use the same regional host here as in the two activity endpoints.
    • WorkspaceID : Obtained in Step 4 from the Data Connector page
    • WorkspaceKey : Obtained in Step 4 from the Data Connector page
    • logAnalyticsUri (optional, for dedicated cloud environments): Obtained from Log Analytics workspace > Properties
  4. Click Apply to save the settings.
Note

To collect all four platform event types (cis, verify, risk, and admin), deploy more than one connector: each connector polls at most two streams.

Step 6: Check the operation

  1. Go to Logs in your Log Analytics workspace in the Azure Portal.
  2. Run the following queries to check for ingested data (one per connector table):
TransmitSecurityAdminActivity_CL | where TimeGenerated > ago(1h)
TransmitSecurityUserActivity_CL | where TimeGenerated > ago(1h)

Allow for the connector's polling interval and Log Analytics ingestion latency before expecting rows.

Troubleshooting

If no logs are found, ensure the Data Connector is configured correctly: the Client ID and Client Secret values are accurate, the token and activity endpoints all point at the same regional host, and the stream_id in each activity endpoint matches a stream created in Step 2. You can also inspect the Azure Functions invocation logs for errors.
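Most "no logs" cases come down to one of the settings above, so it helps to replay the connector's own calls outside Azure before digging through invocation logs. The script below is an added troubleshooting helper, not part of the Mosaic docs or of the connector: it reads the same five settings the Function App uses (same names), checks them offline (all present, one regional host for all three URLs, type=cis on the user endpoint and type=admin on the admin endpoint, a stream_id without spaces), then requests a token and calls each activity endpoint once, mapping the HTTP status to the setting most likely at fault. It assumes the token endpoint accepts the standard form-encoded client_credentials grant, that the collect endpoint is read with GET, and Node 18+ for global fetch; none of that is stated on this page.

```javascript
// Added troubleshooting helper, not part of the Mosaic docs or the connector.
// Reads the Function App's settings, validates them offline, then replays the
// connector's calls: a client-credentials token request (assumed form) and one
// GET (assumed method) to each activity endpoint. Requires Node 18+ (global fetch).

const SETTING_NAMES = [
  'TransmitSecurityClientID',
  'TransmitSecurityClientSecret',
  'TransmitSecurityTokenEndpoint',
  'TransmitSecurityUserActivityEndpoint',
  'TransmitSecurityAdminActivityEndpoint',
];

// Which event type each endpoint setting is documented to carry.
const ACTIVITY_SETTINGS = {
  TransmitSecurityUserActivityEndpoint: 'cis',
  TransmitSecurityAdminActivityEndpoint: 'admin',
};

// Offline checks: every setting present, all three URLs on the same regional
// host, the expected type on each endpoint, and a stream_id without spaces.
function checkSettings(settings) {
  const problems = [];
  for (const name of SETTING_NAMES) {
    if (!settings[name]) problems.push(`${name} is not set`);
  }
  if (problems.length) return problems;

  const tokenHost = new URL(settings.TransmitSecurityTokenEndpoint).host;
  for (const [name, expectedType] of Object.entries(ACTIVITY_SETTINGS)) {
    const url = new URL(settings[name]);
    if (url.host !== tokenHost) {
      problems.push(`${name} uses ${url.host} but the token endpoint uses ${tokenHost}; use one region for all three`);
    }
    const type = url.searchParams.get('type');
    if (type !== expectedType) problems.push(`${name} has type=${type}, expected type=${expectedType}`);
    const streamId = url.searchParams.get('stream_id');
    if (!streamId || /\s/.test(streamId)) problems.push(`${name} needs a stream_id without spaces`);
  }
  return problems;
}

// Client-credentials grant (assumed form). Only access_token is kept; the
// secret goes into this one request and is never logged.
async function getToken(settings, fetchImpl) {
  const resp = await fetchImpl(settings.TransmitSecurityTokenEndpoint, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'client_credentials',
      client_id: settings.TransmitSecurityClientID,
      client_secret: settings.TransmitSecurityClientSecret,
    }).toString(),
  });
  if (!resp.ok) throw new Error(`token request failed: HTTP ${resp.status} (check client ID and secret)`);
  const body = await resp.json();
  if (!body.access_token) throw new Error('token response contains no access_token');
  return body.access_token;
}

// Maps a collect-endpoint status to the setting most likely at fault.
function explainStatus(status) {
  if (status === 200) return 'ok';
  if (status === 401 || status === 403) return 'token rejected: verify the client ID and secret belong to a management app';
  if (status === 404) return 'not found: verify type and stream_id against the streams created in Step 2';
  return `unexpected HTTP ${status}: inspect the Function App invocation logs`;
}

// Runs the offline checks, then the live calls. fetchImpl is injectable so
// the logic can be exercised without network access.
async function probe(settings, fetchImpl = fetch) {
  const problems = checkSettings(settings);
  if (problems.length) return { problems, results: {} };
  const token = await getToken(settings, fetchImpl);
  const results = {};
  for (const name of Object.keys(ACTIVITY_SETTINGS)) {
    const resp = await fetchImpl(settings[name], {
      method: 'GET',
      headers: { Authorization: `Bearer ${token}` },
    });
    results[name] = { status: resp.status, verdict: explainStatus(resp.status) };
  }
  return { problems, results };
}

// Usage: export the five settings under the same names as in the Function App,
// then run `node probe-connector.js`.
if (process.env.TransmitSecurityClientID) {
  probe(process.env)
    .then((report) => console.log(JSON.stringify(report, null, 2)))
    .catch((err) => { console.error(err.message); process.exit(1); });
}
```

Run it from a shell where the secret is exported rather than typed on the command line, so it does not land in shell history. The same two settings the script flags most often, a token endpoint on a different regional host than the activity endpoints and swapped cis/admin URLs, are invisible in the Function App invocation logs, which only show the resulting 401 or empty poll.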