# Azure Sentinel Stream integration using OMS (Deprecated)

## Overview

Microsoft Azure provides different mechanisms to send data to Sentinel ([more information](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/ReadMe.md)). Vectra AI uses the Log Analytics agent to send custom JSON to Azure Sentinel. This solution requires installing the [OMS Microsoft agent](https://github.com/microsoft/OMS-Agent-for-Linux) on a separate Linux instance (cloud or on-premise). That instance uses the agent's TCP FluentD plugin to receive the network metadata from Vectra Cognito Stream as raw JSON ([more information](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-json)), and the agent then forwards the data to the configured Log Analytics workspace in Azure.

In Sentinel, the data coming from this connector is stored in the custom table named **Vectra\_CL**. The benefit of using a custom table is that the data is stored directly as key-value pairs extracted automatically from the JSON payload.

```
!! We strongly recommend using the on-premise solution, as the data between Vectra Stream and the Microsoft agent is not encrypted.
```

## Solution

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-aeea7f771c45628103add1f20b75ec20f885a6e7%2F8c313394d16479292bf9993b5902fd4e658b0afdbad6e08509df222766ab591b.jpg?alt=media)

## Deployment of Vectra Stream Solution

From Microsoft Marketplace or Sentinel Content, search for Vectra. Tags in blue attached to each solution indicate which components are available.\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1200610d9e9cd030f61e4104aab55842afbd17b3%2F1749d1aaad103f9623891e4675a3e827e56e27a244d077a138095d13556b9d41.jpg?alt=media)

Select Vectra AI Stream and click install (bottom right):\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-7c96128342274f78b995235868c1e90c8a7d4de3%2F1bbd7926621d38718e7ecd537eee2c551a56abd4f553397d71b0dcf9414ec5a3.jpg?alt=media)

This will redirect you to the page that provides an overview of the solution. Click "Create" to continue.\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1e45f7737fa92170d027bad719af7b0050426d3c%2Fd4ff94131f1210babdc4b23baeb4746f2c0cfe39b5696cb979f5e03db8926573.jpg?alt=media)

In the next screen, configure the *subscription ID*, the *resource group* and the *workspace*, then click "Review and Create".\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-03729b79fb31fd129f92afe70308a16f61879a2b%2F9812f02e07709f4de9c54a1f197106519c3caf36967c47aabfa39e85335861c8.jpg?alt=media)

Once validation has passed, click "Create":\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2bc70229d573fe48f8fd3c9ac9f453f2e19a156a%2Fff459edf25208a38f361920dfe06578487e852a0e8867c25a8537ed8a5a92387.jpg?alt=media)

This will install the different components of the Vectra Stream Solution within the configured workspace. If the deployment is successful, the following message should be displayed.\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-1162df2bf3904a0216086f9bb283382c473a6e27%2Fc4abccfda3d9ef8ba97efa52c8d20d78529dc3a5a8ecd1c7d64a84d636bdf6cb.jpg?alt=media)

## Validate the availability of the Vectra Stream Connector

The next step is to validate that the Vectra Stream Connector is available within Sentinel. From the Azure Portal, go to Sentinel > Data Connectors. Search for Vectra; the data connector for Vectra Stream should be installed:\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-5ebba47abc7f74d8ac0df25034757911e857f66a%2F23bcb6de3117e9947609751d86ec1aba765885c092f8af2d72c68786d4ae05c8.jpg?alt=media)

## Configuring the connector

### Overview

There are two parts:

* Collecting the information required to set up the OMS Agent.
* Installing and configuring the OMS agent on a Linux host.

The Connector page contains all the instructions to install and configure the agent (the information will be similar to what is shown below).

### Collect the information for the OMS Agent installation

From the Data connector page, select the **Vectra Stream** connector and click the "Open Connector page" button in the bottom right corner.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-b8235cad207bc1febaac2e98202c06dba10b8574%2F97c69caa813b6fa5ae38e4e87423bce9dcd7fd811de12585602785b926cf3dfe.jpg?alt=media)

Choose from these 2 options:

* Install agent on Azure Linux Virtual machine
* Install agent on non-Azure Linux Machine

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-9532441d1d6f71fdc7092afa9e3438b88af309e3%2Feec5aa2386d796545046471b1acea1d1d433f5be7bbde0dd6bfc72fd53ef5a2a.jpg?alt=media)

Click the appropriate option based on your preference. The following is an example of choosing non-Azure Linux and the Linux server tab:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-179157f98d3f0c8b376dca974aecbf231332ac75%2Fa3dd9c94082ec183015b32e5f06b1e2c460c8604fb1907d55820db53971a64d8.jpg?alt=media)

Copy the one-liner agent installer and configuration. You will need it for the next step.

### Installing and configuring the OMS Agent

Use the one-liner CLI below and replace WORKSPACE\_ID and PRIMARY\_KEY with the values for your Log Analytics Workspace (use the one-liner you copied in the last step):

```ckeditor_codeblock
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <WORKSPACE_ID> -s <PRIMARY_KEY> -d opinsights.azure.com
```

Follow the configuration steps below to get Vectra Stream metadata into Azure Sentinel. The Log Analytics agent is leveraged to send custom JSON into Azure Monitor, enabling the storage of the metadata into a custom table. For more information, refer to the [Azure Monitor Documentation](https://docs.microsoft.com/azure/azure-monitor/agents/data-sources-json?WT.mc_id=Portal-fx).

1. Copy the config file for the Log Analytics agent: VectraStream.conf (see below).
2. Log in to the server where you have installed the Azure Log Analytics agent.
3. Copy VectraStream.conf (see below) to the /etc/opt/microsoft/omsagent/**workspace\_id**/conf/omsagent.d/ folder.
4. Edit VectraStream.conf as follows:

   i. Configure an alternate port to send data to, if desired. The default port is 29009.

   ii. Replace **workspace\_id** with the real value of your Workspace ID.
5. Save the changes and restart the Azure Log Analytics agent for Linux service with the following command:

   ```
   sudo /opt/microsoft/omsagent/bin/service_control restart
   ```

_VectraStream.conf (available as an attachment to this article at the bottom of this page):_

***

```ckeditor_codeblock
<source>
  type tcp
  port 29009
  bind 0.0.0.0
  format json
  tag oms.api.VectraStream
</source>

<filter oms.api.VectraStream>
   type record_transformer
   enable_ruby
   <record>
      hostname "${hostname}"
   </record>
</filter>

<match oms.api.VectraStream>
  type out_oms_api
  log_level info
  num_threads 5
  omsadmin_conf_path /etc/opt/microsoft/omsagent/<workspace_id>/conf/omsadmin.conf
  cert_path /etc/opt/microsoft/omsagent/<workspace_id>/certs/oms.crt
  key_path /etc/opt/microsoft/omsagent/<workspace_id>/certs/oms.key
  buffer_chunk_limit 10m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/<workspace_id>/state/out_oms_api_vectrastream*.buffer
  buffer_queue_limit 10
  buffer_queue_full_action drop_oldest_chunk
  flush_interval 30s
  retry_limit 10
  retry_wait 30s
  max_retry_wait 9m
</match>
```

***

Save the file and change its ownership so the agent can read it (same folder as in step 3 above):

```ckeditor_codeblock
sudo chown omsagent:omiusers /etc/opt/microsoft/omsagent/<workspace_id>/conf/omsagent.d/VectraStream.conf
```
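Before pointing the Vectra Brain at the agent, it helps to confirm that a TCP listener accepts the framing the config above expects. The following Python script is an added example, not part of the original article or Vectra's tooling: it assumes the fluentd TCP source with `format json` reads newline-delimited JSON objects, sends a constructed record (illustrative field names, not Vectra's real schema) to a loopback stand-in for the agent (or, via `send_records`, to the real agent host on port 29009), and mirrors the `hostname` field the record_transformer filter adds.

```python
import json
import socket
import socketserver
import threading

# Constructed sample record for testing only; the field names are
# illustrative and not Vectra's real Stream schema.
SAMPLE_RECORD = {
    "metadata_type": "metadata_conn",
    "orig_ip": "10.0.0.5",
    "resp_ip": "10.0.0.9",
    "resp_port": 443,
    "proto": "tcp",
}

def encode_records(records):
    """Frame records as the fluentd TCP source with `format json` expects
    (assumption): one JSON object per line, newline-terminated."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records).encode()

def send_records(records, host, port=29009):
    """Push records to the agent's TCP listener (port 29009 by default)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(encode_records(records))

class _Collector(socketserver.StreamRequestHandler):
    """Loopback stand-in for the agent: parse each line and add the
    `hostname` field that the record_transformer filter adds."""
    def handle(self):
        for line in self.rfile:
            if line.strip():
                record = json.loads(line)
                record["hostname"] = socket.gethostname()
                self.server.received.append(record)
        self.server.done.set()

def send_and_collect(records):
    """Start the stand-in on an ephemeral loopback port, send the records
    through send_records(), and return what the listener decoded."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Collector)
    server.received, server.done = [], threading.Event()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        send_records(records, *server.server_address)
        server.done.wait(5)
    finally:
        server.shutdown()
        server.server_close()
    return server.received

if __name__ == "__main__":
    for rec in send_and_collect([SAMPLE_RECORD]):
        print(rec)
```

Because the agent binds to 0.0.0.0 and the traffic is unencrypted, limit inbound access to port 29009 to the Vectra Brain's address with a host firewall.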

## Configure Vectra Stream product

Configure the Vectra AI Brain to forward Stream metadata in JSON format to your Azure Sentinel workspace via the Log Analytics agent.

From the Vectra UI, navigate to Settings > Cognito Stream and edit the destination configuration:

* Select Publisher: RAW JSON
* Set the server IP or hostname (the host that runs the Log Analytics agent)
* Set all ports to **29009** (this port can be modified if required)
* Save
* Set Log types (select all available log types)
* Click on **Save**

### Attachments

{% file src="<https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-9d4de80cd449a95faf01bcfd5df9957659f34adb%2FVectraStream.conf.txt?alt=media>" %}
