Use Azure Functions to connect Microsoft Sentinel to your data source

Note

Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.

You can use Azure Functions, in conjunction with various coding languages such as PowerShell or Python, to create a serverless connector to the REST API endpoints of your compatible data sources. Azure Function Apps then allow you to connect Microsoft Sentinel to your data source's REST API to pull in logs.

This article describes how to configure Microsoft Sentinel for using Azure Function Apps. You may also need to configure your source system, and you can find vendor- and product-specific information links in each data connector's page in the portal, or the section for your service in the Microsoft Sentinel data connectors reference page.

Note

  • Once ingested in to Microsoft Sentinel, data is stored in the geographic location of the workspace in which you're running Microsoft Sentinel.

    For long term retention, you may also want to store data in Azure Data Explorer. For more information, see Integrate Azure Data Explorer.

  • Using Azure Functions to ingest data into Microsoft Sentinel may result in additional data ingestion costs. For more information, see the Azure Functions pricing page.

Prerequisites

Make sure that you have the following permissions and credentials before using Azure Functions to connect Microsoft Sentinel to your data source and pull its logs into Microsoft Sentinel:

  • You must have read and write permissions on the Microsoft Sentinel workspace.

  • You must have read permissions to shared keys for the workspace. Learn more about workspace keys.

  • You must have read and write permissions on Azure Functions to create a Function App. Learn more about Azure Functions.

  • You will also need credentials for accessing the product's API - either a username and password, a token, a key, or some other combination. You may also need other API information such as an endpoint URI.

    For more information, see the documentation for the service you're connecting to and the section for your service in the Microsoft Sentinel data connectors reference page.

Configure and connect your data source

Note

  • You can securely store workspace and API authorization keys or tokens in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

  • Some data connectors depend on a parser based on a Kusto Function to work as expected. Seethe section for your service in the Microsoft Sentinel data connectors reference page for links to instructions to create the Kusto function and alias.

STEP 1 - Get your source system's API credentials

Follow your source system's instructions to get its API credentials / authorization keys / tokens. Copy and paste them into a text file for later.

You can find details on the exact credentials you'll need, and links to your product's instructions for finding or creating them, on the data connector page in the portal and in the section for your service in the Microsoft Sentinel data connectors reference page.

You may also need to configure logging or other settings on your source system. You'll find the relevant instructions together with those in the preceding paragraph.

STEP 2 - Deploy the connector and the associated Azure Function App

Choose a deployment option

This method provides an automated deployment of your Azure Function-based connector using an ARM template.

  1. In the Microsoft Sentinel portal, select Data connectors. Select your Azure Functions-based connector from the list, and then Open connector page.

  2. Under Configuration, copy the Microsoft Sentinel workspace ID and primary key and paste them aside.

  3. Select Deploy to Azure. (You may have to scroll down to find the button.)

  4. The Custom deployment screen will appear.

    • Select a subscription, resource group, and region in which to deploy your Function App.

    • Enter your API credentials / authorization keys / tokens that you saved in Step 1 above.

    • Enter your Microsoft Sentinel Workspace ID and Workspace Key (primary key) that you copied and put aside.

      Note

      If using Azure Key Vault secrets for any of the values above, use the @Microsoft.KeyVault(SecretUri={Security Identifier}) schema in place of the string values. Refer to Key Vault references documentation for further details.

    • Complete any other fields in the form on the Custom deployment screen. See your data connector page in the portal or the section for your service in the Microsoft Sentinel data connectors reference page.

    • Select Review + create. When the validation completes, select Create.

Find your data

After a successful connection is established, the data appears in Logs under CustomLogs, in the tables listed in the section for your service in the Microsoft Sentinel data connectors reference page.

To query data, enter one of those table names - or the relevant Kusto function alias - in the query window.

See the Next steps tab in the connector page for some useful sample queries.

Validate connectivity

It may take up to 20 minutes until your logs start to appear in Log Analytics.

Next steps

In this document, you learned how to connect Microsoft Sentinel to your data source using Azure Functions-based connectors. To learn more about Microsoft Sentinel, see the following articles: