Azure Sentinel Stream integration using OMS (Deprecated)

Deprecated guide for sending Vectra Stream Raw JSON to Microsoft Sentinel via the OMS (Log Analytics) agent and a Linux collector.

Overview

Microsoft Azure provides different mechanisms to send data to Sentinel. Vectra AI uses the Log Analytics agent to send custom JSON to Azure Sentinel. This solution requires installing the Microsoft OMS agent on a separate Linux instance (cloud or on-premise). That instance uses the agent's FluentD TCP plugin to receive the network metadata from Vectra Cognito Stream as raw JSON. The agent then forwards the data to the configured Log Analytics workspace in Azure.

In Sentinel, the data coming from this connector is stored in the custom table named Vectra_CL. The benefit of using a custom table is that the data is stored directly as key-value pairs extracted automatically from the JSON payload.

!! We strongly recommend using the on-premise solution, as the data between Vectra Stream and the Microsoft agent is not encrypted.

Solution

Deployment of Vectra Stream Solution

From Microsoft Marketplace or Sentinel Content, search for Vectra. Tags in blue attached to each solution indicate which components are available.

Select Vectra AI Stream and click install (bottom right):

This redirects you to a page that provides an overview of the solution. Click "Create" to continue.

In the next screen, configure the subscription ID, the resource group and the workspace, then click "Review and Create".

Once the validation is passed, click "Create":

This installs the different components of the Vectra Stream Solution in the configured workspace. If the deployment is successful, the following message is displayed.

Validate the availability of the Vectra Stream Connector

The next step is to validate that the Vectra Stream connector is available within Sentinel. From the Azure Portal, go to Sentinel > Data Connectors. Search for Vectra; the data connector for Vectra Stream should be installed:

Configuring the connector

Overview

There are two parts:

  • Collecting the information required to setup the OMS Agent.

  • Installing and configuring the OMS agent on a Linux host.

The connector page contains all the instructions to install and configure the agent (the information will be similar to the below).

Collect the information for the OMS Agent installation

From the Data connector page, select the Vectra Stream connector and click the "Open Connector page" button in the bottom right corner.

Choose from these 2 options:

  • Install agent on Azure Linux Virtual machine

  • Install agent on non-Azure Linux Machine

Click the appropriate option for your deployment. The following is an example of choosing "Install agent on non-Azure Linux Machine" and the Linux server tab:

Copy the one-liner agent installer and configuration. You will need it for the next step.

Installation and configuration of the OMS Agent

Use the one-liner CLI below, replacing WORKSPACE_ID and PRIMARY_KEY with the values for your Log Analytics workspace (use the one-liner you copied in the previous step):

Follow the configuration steps below to get Vectra Stream metadata into Azure Sentinel. The Log Analytics agent is leveraged to send custom JSON into Azure Monitor, enabling the storage of the metadata in a custom table. For more information, refer to the Azure Monitor Documentation.

  1. Copy the config file for the Log Analytics agent: VectraStream.conf (see below).

  2. Log in to the server where you have installed the Azure Log Analytics agent.

  3. Copy VectraStream.conf (see below) to the /etc/opt/microsoft/omsagent/workspace_id/conf/omsagent.d/ folder.

  4. Edit VectraStream.conf as follows:

    i. Configure an alternate port to send data to, if desired. The default port is 29009.

    ii. Replace workspace_id with the real value of your Workspace ID.

  5. Save changes and restart the Azure Log Analytics agent for Linux service with the following command:

VectraStream.conf (available as an attachment to this article at the bottom of this page):



Save it and change the permissions.
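Before pointing the Vectra Brain at the collector, it is worth confirming that the agent's FluentD TCP input accepts what the Brain will send: one JSON object per line over a plain, unencrypted TCP connection (the reason for the on-premise recommendation above). The following Python script is an added example, not part of this article or of Vectra's configuration; it assumes the tcp input is configured with a JSON parser and the default newline delimiter, the record fields are constructed rather than Vectra's Stream schema, and the loopback listener stands in for the real collector host and port (29009 by default).

```python
import json
import socket
import threading

# Constructed sample record; the field names are illustrative, not Vectra's schema.
SAMPLE_RECORD = {"metadata_type": "metadata_dns", "orig_hostname": "ws-example",
                 "query": "example.test", "answers": ["192.0.2.10"]}

def encode_records(records):
    """Newline-delimited JSON, one object per line (assumed FluentD tcp input framing)."""
    return "".join(json.dumps(r) + "\n" for r in records).encode()

def decode_ndjson(buf):
    """Parse complete lines; return (records, trailing partial line) so a caller can
    keep the remainder for the next recv(), exactly as a line-based collector must."""
    *lines, rest = buf.split(b"\n")
    records = [json.loads(line) for line in lines if line.strip()]
    return records, rest

def send_records(host, port, records, timeout=5.0):
    """Push records the way the Brain does: plain TCP, no TLS on the wire."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_records(records))

def capture_records(listener):
    """Stand-in for the collector: accept one connection, read to EOF, decode."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while chunk := conn.recv(4096):
            buf += chunk
    records, leftover = decode_ndjson(buf)
    if leftover.strip():  # an unterminated last line is silently lost by the collector
        raise ValueError("record not newline-terminated: %r" % leftover[:40])
    return records

def loopback_smoke_test(records=(SAMPLE_RECORD,)):
    """Round-trip records through a local stand-in listener and return what it decoded.
    Point send_records() at the real collector host and port to test the live agent."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, never collides with 29009
        listener.listen(1)
        port = listener.getsockname()[1]
        result = []
        worker = threading.Thread(target=lambda: result.extend(capture_records(listener)))
        worker.start()
        send_records("127.0.0.1", port, list(records))
        worker.join(timeout=5.0)
    return result
```

Once the record shows up in the stand-in listener, the same `send_records()` call against the collector should produce a row in Vectra_CL after the ingestion delay.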

Configure Vectra Stream product

Configure the Vectra AI Brain to forward Stream metadata in JSON format to your Azure Sentinel workspace via the Log Analytics Agent.

From the Vectra UI, navigate to Settings > Cognito Stream and edit the destination configuration:

  • Select Publisher: RAW JSON

  • Set the server IP or hostname (the host that runs the Log Analytics Agent)

  • Set all the ports to 29009 (this port can be modified if required)

  • Save

  • Set Log types (select all available log types)

  • Click on Save

Attachments
