Microsoft Sentinel NDR (Detect) integration using AMA

Deploy or migrate Vectra Detect syslog CEF ingestion to Microsoft Sentinel using Azure Monitor Agent (AMA), including Logstash transformation and troubleshooting.


Please follow the attached document titled QUX-Sentinel-AMA-Configuration-Guide.pdf for detailed installation and configuration instructions

A Best Practices document for operationalizing Detect data in Sentinel is also attached to this article.

Introduction

Vectra AI Detect for Microsoft Azure Sentinel v1.0 uses the Microsoft OMS (Log Analytics) agent to collect event data from Vectra and send it to the Log Analytics workspace. This agent is scheduled for end-of-life on August 31, 2024, and is replaced by the Azure Monitor Agent (AMA). This document explains how to configure Microsoft AMA to ingest Vectra event data into Microsoft Azure Sentinel Log Analytics.

Applicability

This document applies to environments where pre-existing deployments must migrate from OMS to AMA as well as for new deployments starting with AMA.

Architecture Summary

A data connector is deployed and configured to send Vectra data to Log Analytics. Once ingested, Vectra data is stored in CEF format in the CommonSecurityLog table. A workbook is included with the Vectra integration on the Content Hub, and that workbook retrieves data from the CommonSecurityLog to provide the dashboards. Existing deployments enable and configure AMA, and data is ingested into the existing CommonSecurityLog. Once AMA is operational, the OMS agent can be deprovisioned; while there may be some duplicate records during the time both OMS and AMA are running, there should be no impact on any saved queries. New deployments enable and configure AMA and install Vectra AI Detect from the Content Hub to obtain the Analytics Rules and Workbook, but can simply ignore the OMS agent deployment instructions.

Pre-requisites

In both scenarios, the following instructions require that the Log Analytics workspace and associated resource groups are already configured and known. Microsoft Azure Monitor Agent (AMA) operates on an Azure Arc-enabled Linux server. Vectra sends data as syslog CEF, so AMA requires rsyslog or syslog-ng on the Linux server. Vectra provides syslog CEF data in a format that allows backward compatibility with older syslog collectors (including OMS), but AMA does not support this format. To provide Vectra data in a format compatible with AMA, Logstash must be installed on the Linux server to perform the necessary transformation before handing off to rsyslog or syslog-ng.

Deployment Details

Please follow the attached document titled QUX-Sentinel-AMA-Configuration-Guide.pdf for detailed installation and configuration instructions.

Sample Queries

The following are sample queries that can be used.

Example of output:

Troubleshooting

In the Vectra Detect UI, there is a "test" button that you can use to send test messages and validate the setup.

1. Check that the syslog server is running on port 514:

2. Use tcpdump to make sure that there is incoming data from Vectra Detect:

3. Use the AMA CEF troubleshooting tool.

4. Scenario:

Issue: It appears that multiple scoring events are showing up in Sentinel even though the score has not changed.

Answer: Any update to the entity scoring, other than a score decrease, might appear as a duplicate. However, true duplicates are unlikely; this can be verified by making a Postman API query to the /events/entity_scoring endpoint and checking whether multiple entries exist.

Also, by default data is not returned when the score decreases. The option to configure whether to ingest data when the entity score decreases is planned to be available in version 2 of Vectra AI Detect for Microsoft Azure Sentinel.
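To illustrate the three cases described above (an unchanged score that looks like a duplicate, a genuine update, and a decrease that is not forwarded by default), the following Python classifies a constructed set of entity_scoring entries per entity. This is an added example, not code from this article or from Vectra; the field names (id, entity_id, threat, certainty, timestamp) are assumptions about the API response shape.

```python
from collections import defaultdict

# Constructed sample shaped like entries from the /events/entity_scoring
# endpoint. Field names (id, entity_id, threat, certainty, timestamp) are
# assumptions for this example, not taken from the Vectra API documentation.
SAMPLE_EVENTS = [
    {"id": 101, "entity_id": 7, "threat": 40, "certainty": 30, "timestamp": "2024-05-01T10:00:00Z"},
    {"id": 102, "entity_id": 7, "threat": 40, "certainty": 30, "timestamp": "2024-05-01T10:05:00Z"},
    {"id": 103, "entity_id": 7, "threat": 60, "certainty": 50, "timestamp": "2024-05-01T10:10:00Z"},
    {"id": 104, "entity_id": 7, "threat": 20, "certainty": 50, "timestamp": "2024-05-01T10:15:00Z"},
    {"id": 201, "entity_id": 9, "threat": 10, "certainty": 10, "timestamp": "2024-05-01T10:00:00Z"},
    {"id": 202, "entity_id": 9, "threat": 10, "certainty": 20, "timestamp": "2024-05-01T10:20:00Z"},
]

def _score(ev):
    return (ev["threat"], ev["certainty"])

def classify_scoring_events(events):
    """Label each event relative to the same entity's previous event:
    'first' (no earlier event), 'unchanged' (same threat and certainty: a
    distinct API entry that looks like a duplicate row in Sentinel),
    'decrease' (nothing rose, something fell: not forwarded by default) or
    'update' (any other change)."""
    by_entity = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["entity_id"], e["timestamp"], e["id"])):
        by_entity[ev["entity_id"]].append(ev)
    labels = {}
    for evs in by_entity.values():
        prev = None
        for ev in evs:
            if prev is None:
                label = "first"
            elif _score(ev) == _score(prev):
                label = "unchanged"
            elif all(a <= b for a, b in zip(_score(ev), _score(prev))):
                label = "decrease"
            else:
                label = "update"
            labels[ev["id"]] = label
            prev = ev
    return labels

def apparent_duplicates(events):
    """IDs of entries that will look like duplicate scoring rows in Sentinel."""
    return [i for i, lab in classify_scoring_events(events).items() if lab == "unchanged"]

def expected_in_sentinel(events):
    """IDs forwarded by default (score decreases are dropped at the source)."""
    return [i for i, lab in classify_scoring_events(events).items() if lab != "decrease"]
```

Running `apparent_duplicates` over the real API response tells you which rows in CommonSecurityLog correspond to distinct scoring entries rather than ingestion duplicates.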
