Oracle Cloud Infrastructure (using Azure Functions) connector for Microsoft Sentinel

The Oracle Cloud Infrastructure (OCI) data connector provides the capability to ingest OCI Logs from OCI Stream into Microsoft Sentinel using the OCI Streaming REST API.

Connector attributes

Connector attribute: Description
Log Analytics table(s): OCI_Logs_CL
Data collection rules support: Not currently supported
Supported by: Microsoft Corporation

Query samples

All OCI Events

OCI_Logs_CL
| sort by TimeGenerated desc

Prerequisites

To integrate with Oracle Cloud Infrastructure (using Azure Functions) make sure you have:

Vendor installation instructions

Note

This connector uses Azure Functions to connect to the Azure Blob Storage API to pull logs into Microsoft Sentinel. This might result in additional costs for data ingestion and for storing data in Azure Blob Storage. Check the Azure Functions pricing page and the Azure Blob Storage pricing page for details.

(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

Note

This data connector depends on a parser based on a Kusto Function, OCILogs, which is deployed with the Microsoft Sentinel solution, in order to work as expected.

STEP 1 - Creating Stream

  1. Log in to OCI console and go to navigation menu -> Analytics & AI -> Streaming
  2. Click Create Stream
  3. Select Stream Pool or create a new one
  4. Provide the Stream Name, Retention, Number of Partitions, Total Write Rate, Total Read Rate based on your data amount.
  5. Go to navigation menu -> Logging -> Service Connectors
  6. Click Create Service Connector
  7. Provide Connector Name, Description, Resource Compartment
  8. Select Source: Logging
  9. Select Target: Streaming
  10. (Optional) Configure Log Group, Filters or use custom search query to stream only logs that you need.
  11. Configure Target - select the stream created before.
  12. Click Create

Check the documentation to get more information about Streaming and Service Connectors.

STEP 2 - Creating credentials for OCI REST API

Follow the documentation to create a Private Key and an API Key Configuration File.

IMPORTANT: Save the Private Key and the API Key Configuration File created during this step, as they will be used during the deployment step.
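The Private Key and API Key Configuration File from this step are what the Azure Function uses to sign every call to the OCI Streaming REST API. The following is an added example (not Microsoft's or Oracle's code) showing how those credentials turn into an OCI request signature: the config file is parsed, the keyId is built from tenancy, user and key fingerprint, and the signing string covers the request target, Date and Host headers. All OCIDs, the fingerprint and the key path are constructed placeholders, and the RSA step assumes the `cryptography` package is installed in the Function App.

```python
"""Added example: OCI API-key request signing as used against the OCI Streaming REST API.
Config values below are constructed placeholders, not real OCIDs."""
import base64
import configparser
from email.utils import formatdate
from urllib.parse import urlparse

# Constructed sample of an OCI API Key Configuration File (INI layout like ~/.oci/config).
SAMPLE_CONFIG = """
[DEFAULT]
user=ocid1.user.oc1..exampleuser
fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
tenancy=ocid1.tenancy.oc1..exampletenancy
region=us-ashburn-1
key_file=/path/to/oci_api_key.pem
"""

def load_oci_config(text, profile="DEFAULT"):
    """Parse the API key config and return only the fields the signer needs."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp[profile]
    return {k: sec[k] for k in ("user", "fingerprint", "tenancy", "region", "key_file")}

def key_id(cfg):
    """OCI identifies the signing key as <tenancy OCID>/<user OCID>/<key fingerprint>."""
    return f"{cfg['tenancy']}/{cfg['user']}/{cfg['fingerprint']}"

def signing_string(method, url, date_header):
    """Headers OCI requires for a GET: (request-target), date, host; the order matters."""
    u = urlparse(url)
    target = u.path + (f"?{u.query}" if u.query else "")
    return "\n".join([
        f"(request-target): {method.lower()} {target}",
        f"date: {date_header}",
        f"host: {u.netloc}",
    ])

def authorization_header(cfg, private_key_pem, method, url, date_header=None):
    """Sign the signing string with RSA-SHA256 (PKCS#1 v1.5) and build the Authorization header."""
    from cryptography.hazmat.primitives import hashes, serialization  # assumed installed
    from cryptography.hazmat.primitives.asymmetric import padding
    date_header = date_header or formatdate(usegmt=True)  # Date header bounds replay of the signature
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(signing_string(method, url, date_header).encode(), padding.PKCS1v15(), hashes.SHA256())
    return ('Signature version="1",keyId="%s",algorithm="rsa-sha256",'
            'headers="(request-target) date host",signature="%s"'
            % (key_id(cfg), base64.b64encode(sig).decode()))
```

The private key itself never leaves the Function App; only the fingerprint travels in the keyId, which is why the Key Vault option above is worth taking for the PEM file.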

STEP 3 - Choose ONE of the following two deployment options to deploy the connector and the associated Azure Function

IMPORTANT: Before deploying the OCI data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the OCI API credentials, readily available.

Next steps

For more information, go to the related solution in the Azure Marketplace.