Microsoft Azure Sentinel Plugin for Log Shipper

This document explains how to configure your Azure Sentinel integration with the Log Shipper module of the Netskope Cloud Exchange platform. The plugin delivers raw events, alerts, and WebTx data to the Azure Sentinel platform. To configure the plugin, you need credentials for your Azure Sentinel workspace (the Workspace ID and Primary Key described below).
This plugin only supports JSON data.

Prerequisites

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • A Netskope Cloud Exchange tenant with the WebTx plugin already configured.
  • An Azure Sentinel instance.

Note

Verify that your Azure Sentinel instance permissions are secure and not set up for open public access. Only allow access to your Azure Sentinel workspace from your Cloud Exchange host and any other addresses that need access.

CE Version Compatibility

This plugin is compatible with Netskope CE v4.2.0 and v5.0.0.

Azure Sentinel Plugin Support

The Microsoft Azure Sentinel plugin ingests Netskope Events, Netskope Alerts, and Web Transaction data in JSON format into Azure Sentinel.

Event Support    Yes
Alert Support    Yes
WebTx Support    Yes

Permissions

Requires an Azure Sentinel account with Log Analytics workspace access.

API Details

List of APIs Used

API Endpoint    Method    Use Case
/api/logs       POST      Send log data to Log Analytics with the HTTP Data Collector API

API Endpoint Sample

/api/logs

Method: POST
Parameters:
api-version=2016-04-01
Headers:
Content-Type: application/json
Log-Type: Netskope_Alerts1
x-ms-date: Wed, 06 Dec 2023 06:46:41 GMT
Authorization: SharedKey <WorkspaceID>:<Signature>
Request Body

{
  "key1": "value1",
  "key2": "value2",
  "key3": "value3",
  "key4": "value4"
}

API Request Endpoint

https://<CustomerID>.ods.opinsights.azure.com/<Resource>?api-version=2016-04-01

Here CustomerID is the Log Analytics Workspace ID (the same value used in the Authorization header), and Resource is /api/logs for this plugin.

Sample API Response

200 OK
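
As an added example (not the Netskope plugin's own code), the request described in the API sample above can be assembled in Python. The Authorization value is an HMAC-SHA256 SharedKey signature over the method, body length, content type, x-ms-date and resource, keyed with the base64-decoded Primary Key, which is Microsoft's documented signing scheme for the HTTP Data Collector API. The workspace ID, key and records are constructed sample values, the User-Agent follows the format documented on this page, and the request is only built, never sent.

```python
"""Assemble a Log Analytics HTTP Data Collector request (POST /api/logs) with
a SharedKey authorization header. Added example; not the Netskope plugin's code.
The signing scheme is Microsoft's documented one for this API: HMAC-SHA256 over
"<method>\\n<content-length>\\n<content-type>\\nx-ms-date:<date>\\n<resource>",
keyed with the base64-decoded Primary Key. Nothing is sent over the network."""
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"
# User agent in the format documented on this page (CE 5.0.0, CLS module, plugin v3.0.0).
USER_AGENT = "netskope-ce-5.0.0-cls-microsoft-azure-sentinel-v3.0.0"

# Constructed sample credentials; real values come from the workspace's Agents page.
SAMPLE_WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_PRIMARY_KEY = base64.b64encode(b"constructed-sample-primary-key-bytes").decode()


def decode_key(primary_key: str) -> bytes:
    """Validate that the Primary Key is base64 and return its raw bytes.
    A common misconfiguration is pasting the hyphenated Workspace ID into the
    key field; strict decoding rejects that before any request is signed."""
    try:
        return base64.b64decode(primary_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("Primary Key is not valid base64") from exc


def rfc1123_now() -> str:
    """Current UTC time in the RFC 1123 form required by x-ms-date,
    e.g. 'Wed, 06 Dec 2023 06:46:41 GMT'."""
    return format_datetime(datetime.now(timezone.utc), usegmt=True)


def build_signature(workspace_id, primary_key, date, content_length,
                    method="POST", content_type="application/json",
                    resource=API_RESOURCE):
    """Return the Authorization header value 'SharedKey <WorkspaceID>:<Signature>'."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{date}\n{resource}")
    digest = hmac.new(decode_key(primary_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, primary_key, log_type, records, date=None):
    """Build (url, headers, body) for one batch of JSON records.
    log_type is the custom Log-Type name; Azure appends _CL to form the table name."""
    body = json.dumps(records).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": "application/json",
        "Log-Type": log_type,
        "x-ms-date": date,
        "User-Agent": USER_AGENT,
        # The signature covers the exact body length, so the body must not change after signing.
        "Authorization": build_signature(workspace_id, primary_key, date, len(body)),
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{API_RESOURCE}?api-version={API_VERSION}")
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(
        SAMPLE_WORKSPACE_ID, SAMPLE_PRIMARY_KEY, "Netskope_Alerts",
        [{"key1": "value1", "key2": "value2"}])
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

A successful call answers 200 OK with an empty body, as shown in the sample response; a rejected signature or a stale x-ms-date comes back as a 4xx, which is the first place to look when the Logging page in Cloud Exchange shows pushes failing. Records sent this way appear in the <Log-Type>_CL table only after the ingestion delay noted under Troubleshooting.
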

Performance Matrix

These performance readings are for a Large Stack CE tested on the VM specifications below. They assume that the plugin ingests a file of around 10K in 11 seconds for Events and Alerts, and a file of around 7.8K in 5 seconds for WebTx.

Stack details                                  Size: Large
                                               RAM: 32 GB
                                               CPU: 16 Cores
Events, Alerts ingested to third-party SIEM    200K EPM
Webtx ingested to third-party SIEM             6 Mbps

User Agent

The user agent added in this plugin is in the following format:

netskope-ce-<ce_version>-<module>-<plugin_name>-v<plugin_version>

For example:

Netskope-ce-5.0.0-cls-microsoft-azure-sentinel-v3.0.0

Workflow

  1. Get your Azure Sentinel Workspace ID and Primary Key.
  2. Configure the Azure Sentinel plugin.
  3. Configure a Log Shipper Business Rules.
  4. Configure the Log Shipper SIEM Mappings.
  5. Validate the plugin.


Get your Azure Sentinel Workspace ID and Primary Key

  1. Go to your Azure Sentinel instance at https://portal.azure.com/.
  2. Log in to your Sentinel instance and click Microsoft Sentinel.
  3. Click Create on the Microsoft Sentinel page.
  4. Click Create a new workspace.
  5. Select a Resource Group, enter a Name, and select your Region. Click Review + Create.
  6. Click Create.
  7. It will take a few seconds to deploy. After deployment succeeds, click Refresh. Click on the Workspace that you created and click Add.
  8. It will take a few seconds to add a workspace.
  9. After successfully adding a workspace, go to Home > Log Analytics workspaces.
  10. Click on the workspace name that you created.
  11. Click Agents.
  12. Copy the Workspace ID and Primary Key. These are needed to configure the plugin.

Configure the Microsoft Sentinel Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Azure Sentinel (CLS) box to open the plugin creation pages.
  3. Enter these parameters:
    • Configuration Name: Create a unique name for the configuration.
    • Mapping: Select a valid mapping. (A default mapping is available for every plugin. To create a new mapping, follow the Create New Mapping steps in the CLS guide.)
    • Use System Proxy: Enable if the proxy is required for communication.
    • Transform the raw logs: Disable this if you need to send raw data. (Default: enabled, so transformed data is sent.)
  4. Click Next.
  5. Enter these parameters:
    • Workspace ID: The unique identifier of your Microsoft Azure Sentinel Workspace.
    • Primary Key: The authentication key for your Microsoft Azure Sentinel Workspace.
    • Alerts Log Type Name: Custom Log Type name for alerts. Based on this name, the schema for alerts is created in the Log Analytics Workspace with the suffix _CL, which Microsoft Azure appends automatically. The value Netskope_Alerts or Netskope_Alerts_CL for this parameter matches the Netskope published playbooks in the Azure Marketplace.
    • Events Log Type Name: Custom Log Type name for events. Based on this name, the schema for events is created in the Log Analytics Workspace with the suffix _CL, which Microsoft Azure appends automatically. The value Netskope_Events or Netskope_Events_CL for this parameter matches the Netskope published playbooks in the Azure Marketplace.
    • WebTX Log Type Name: Custom Log Type name for web transactions. Based on this name, the schema for web transactions is created in the Log Analytics Workspace with the suffix _CL, which Microsoft Azure appends automatically. The value Netskope_WebTx or Netskope_WebTX_CL for this parameter matches the Netskope published playbooks in the Azure Marketplace.
  6. Click Save.

Configure Log Shipper Business Rules for Azure Sentinel

Skip this step if you do not want to filter out alerts or events before ingestion.

  1. Go to Log Shipper > Business Rules.
  2. Click Create New Rule.

    Note

    By default, there’s a business rule that filters all alerts and events. If you want to filter out any specific type of alert or event, create a new Business Rule.

  3. If creating a new rule, enter a Rule Name and select the filters to use.
  4. Click Save.

Configure the Log Shipper SIEM Mappings for Azure Sentinel

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. For Source, select the Netskope CLS plugin configuration, select a Business Rule, and for Destination, select the Azure Sentinel plugin configuration.
  3. Click on Save.

Validate the Azure Sentinel Plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from your Azure Sentinel instance.

Validate the Pull

Go to Logging and search for the pulled logs.

Validate the Push

To validate the push in Netskope Cloud Exchange:

  1. Go to Logging and search for ingested events using the filter "message contains ingested".
  2. Only the ingested logs are shown.

To validate the push in the Azure platform:

  1. Log in to the Azure Platform.
  2. Click Microsoft Sentinel, and then click on the workspace you created.
  3. Click Logs and query the table name that you used while configuring the Azure Sentinel plugin, that is, the Log Type name with the _CL suffix (for example, Netskope_Alerts_CL).

Troubleshooting

Data is not visible when checking the table.

Wait 20-30 minutes for the data, along with its field values, to become visible in the table. See
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-ingestion-time
