Custom Data Connector into Sentinel Content-Hub

LXF 205 Reputation points
2024-05-31T01:00:56.8333333+00:00

Hello Microsoft Community,

We are planning to build & integrate our custom data connector into the Sentinel Content-Hub to enable data analysis services for our customers who are interested in Azure Sentinel. Our data is unique and generated by our server located elsewhere on the Internet.

We have some questions regarding the implementation:

  1. Is a DCE mandatory in our situation?
  2. After reviewing the docs and code on the wiki and GitHub, we identified two possible approaches to building data connectors. We would appreciate your guidance on which approach is more advisable:

     Approach 1:
     1. During the deployment of the data connector, generate and return the IDs for the DCR or DCE to our external server.
     2. Our server would then manage these IDs and use them to send custom events to Sentinel.

     Approach 2:
     1. Similar to solutions like Cisco's, construct a data connector based on a "RestApiPoller" type, which obtains tokens via OAuth2 from a "TokenEndpoint" upon deployment.
     2. This data connector would proactively request security events from an "apiEndpoint".
    

Accepted answer
  1. Akshay-MSFT 17,876 Reputation points Microsoft Employee
    2024-05-31T13:55:18.13+00:00

    @LXF

    PFB answers inline:

    • Is a DCE mandatory in our situation?

    As per: When is a DCE required?

    Prior to March 31, 2024, a DCE was required for all data collection scenarios using a DCR that required an endpoint. Any DCR created after this date includes its own endpoints for logs and metrics. The URL for these endpoints can be found in the logsIngestion and metricsIngestion properties of the DCR. These endpoints can be used instead of a DCE for any direct ingestion scenarios.

    A DCR with endpoints can also use a DCE. In this case, you can choose whether to use the DCE or the DCR endpoints for each of the clients that use the DCR.

    > Data collection endpoints only support Log Analytics workspaces as a destination for collected data. Custom metrics (preview) collected and uploaded via Azure Monitor Agent aren't currently controlled by DCEs.

    • After reviewing the docs and code on the wiki and GitHub, we identified two possible approaches to building data connectors. We would appreciate your guidance on which approach is more advisable.

    Approach 1 may not be a practical solution, since to build a data connector there are supported methods defined, and none of them would ingest logs from an on-prem endpoint to the Sentinel workspace.

    You may follow the second approach, as it is a tested method which uses Azure Monitor Logs: DCR-based Custom Logs and the Codeless Connector Platform (CCP). This would require you to have a DCE configured (pre-requisite for CCP).

    If you don't have any further queries and the suggested answer is as per your business need, please "Accept the answer". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik

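To make the recommended second approach concrete, below is an added example of a CCP data connector resource of kind `RestApiPoller`, as it would appear in a Content Hub solution's ARM template. It is not code from the question, the answer, or any Microsoft or Cisco solution; it is written here to show where the pieces named in the thread fit together: the `auth` block with an OAuth2 `TokenEndpoint`, the `request` block with the vendor's `apiEndpoint`, and the `dcrConfig` block carrying the DCE URL and DCR immutable ID that the answer calls a CCP pre-requisite. The property names follow the published RestApiPoller connector schema; every value is an assumption. JSON has no comment syntax, so assumed values are marked with `PLACEHOLDER` and the non-routable `.invalid` domain, and `ExampleVendorEvents_CL` is a made-up custom table.

```json
{
  "name": "PLACEHOLDER-workspace/Microsoft.SecurityInsights/ExampleVendorEventsPoller",
  "apiVersion": "2023-02-01-preview",
  "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
  "location": "eastus",
  "kind": "RestApiPoller",
  "properties": {
    "connectorDefinitionName": "ExampleVendorEvents",
    "dataType": "ExampleVendorEvents_CL",
    "dcrConfig": {
      "streamName": "Custom-ExampleVendorEvents_CL",
      "dataCollectionEndpoint": "https://PLACEHOLDER-dce.eastus-1.ingest.monitor.azure.com",
      "dataCollectionRuleImmutableId": "dcr-PLACEHOLDER"
    },
    "auth": {
      "type": "OAuth2",
      "GrantType": "client_credentials",
      "ClientId": "PLACEHOLDER-client-id",
      "ClientSecret": "PLACEHOLDER-client-secret",
      "TokenEndpoint": "https://api.example-vendor.invalid/oauth2/token",
      "Scope": "events.read"
    },
    "request": {
      "apiEndpoint": "https://api.example-vendor.invalid/v1/security-events",
      "httpMethod": "GET",
      "queryWindowInMin": 5,
      "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
      "StartTimeAttributeName": "from",
      "EndTimeAttributeName": "to",
      "rateLimitQPS": 10,
      "retryCount": 3,
      "timeoutInSeconds": 60,
      "headers": {
        "Accept": "application/json"
      }
    },
    "response": {
      "eventsJsonPaths": [
        "$.events"
      ]
    },
    "paging": {
      "pagingType": "LinkHeader"
    }
  }
}
```

Two points worth noting when adapting this. First, in a shipped solution `ClientId` and `ClientSecret` are not literals: they are bound to parameters that the customer enters in the connector page (defined in the companion connector-definition resource), so the vendor never holds the customer's credentials and the customer never edits the template. Second, the poller is pull-based and stateful: `queryWindowInMin` together with `StartTimeAttributeName`/`EndTimeAttributeName` make each poll a bounded time slice of the vendor API, which is what lets Sentinel, rather than the external server, own the ingestion schedule, the point on which the answer prefers this approach over Approach 1.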