Cisco ETD (using Azure Functions) connector for Microsoft Sentinel
The connector fetches data from ETD api for threat analysis
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | CiscoETD_CL |
| Data collection rules support | Not currently supported |
| Supported by | Cisco Systems |
Query samples
Incidents aggregated over a period on verdict type
CiscoETD_CL
| summarize ThreatCount = count() by verdict_category_s, TimeBin = bin(TimeGenerated, 1h)
| project TimeBin, verdict_category_s, ThreatCount
| render columnchart
Prerequisites
To integrate with Cisco ETD (using Azure Functions) make sure you have:
- Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions.
- Email Threat Defense API, API key, Client ID and Secret: Ensure you have the API key, Client ID and Secret key.
Vendor installation instructions
Note
This connector uses Azure Functions to connect to the ETD API to pull its logs into Microsoft Sentinel.
Follow the deployment steps to deploy the connector and the associated Azure Function
IMPORTANT: Before deploying the ETD data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).
Azure Resource Manager (ARM) Template
Use this method for automated deployment of the Cisco ETD data connector using an ARM Template.
Click the Deploy to Azure button below.
Select the preferred Subscription, Resource Group and Region.
Enter the WorkspaceID, SharedKey, ClientID, ClientSecret, ApiKey, Verdicts, ETD Region
Click Create to deploy.
Next steps
For more information, go to the related solution in the Azure Marketplace.