Microsoft Sentinel
Synopsis
Creates a collector that fetches security incidents from Azure Sentinel workspaces. Supports authentication, batch processing, and automatic incident tracking with incremental updates.
Schema
- id: <numeric>
name: <string>
description: <string>
type: sentinel
tags: <string[]>
pipelines: <pipeline[]>
status: <boolean>
properties:
tenant_id: <string>
client_id: <string>
client_secret: <string>
subscription_id: <string>
resource_group: <string>
workspace_name: <string>
batch_size: <numeric>
event_frequency: <numeric>
Configuration
The following are the minimum requirements to define the device.
Device
| Field | Required | Default | Description |
|---|---|---|---|
id | Y | Unique identifier | |
name | Y | Device name | |
description | N | - | Optional description |
type | Y | Must be sentinel | |
tags | N | - | Optional tags |
pipelines | N | - | Optional pre-processor pipelines |
status | N | true | Enable/disable the device |
Azure Authentication
| Field | Required | Default | Description |
|---|---|---|---|
tenant_id | Y | Azure tenant ID | |
client_id | Y | Azure client ID | |
client_secret | Y | Azure client secret | |
subscription_id | Y | Azure subscription ID |
Workspaces
| Field | Required | Default | Description |
|---|---|---|---|
resource_group | Y | Azure resource group name | |
workspace_name | Y | Log Analytics workspace name |
Collection
| Field | Required | Default | Description |
|---|---|---|---|
batch_size | N | 1000 | Number of incidents to fetch per batch |
event_frequency | N | 300 | Collection interval in seconds |
Advanced Features
Incidents
The collector captures comprehensive incident data such as basic incident details (ID, title, description), severity and status, classification and labels, owner information, temporal data (create, modify, activity dates and times), and information on resources.
Incremental Updates
The collector tracks the last processed incident's timestamp, fetches only new incidents since the last checkpoint, orders incidents by creation time, and spports batch processing.
Normalization
Incidents are automatically normalized with ECS field mapping in addition to using consistent timestamp formats, structured label handling, and owner information. (See Appendix for details of ECS.)
Examples
The following are commonly used configuration types.
Basic
A basic collector can be created as below:
Creating a simple Sentinel collector... | |
High-Volume
Large numbers of incidents can be collected:
Optimizing for high incident volumes... | |
Pipelines
Incidents can be enriched and processed:
Applying custom processing to incidents... | |
Multiple Workspaces
Information can be collected from multiple workspaces:
Configuring multiple workspace collectors... | |
Each workspace collector maintains its own checkpoint, and can be configured independently.
Incident Fields
The collector maps incident fields to standardized ECS fields:
| Sentinel Field | ECS Field | Description |
|---|---|---|
Title | event.name | Incident title |
Description | event.description | Incident description |
Severity | event.severity | Incident severity level |
Status | event.outcome | Current incident status |
Classification | event.classification | Incident classification |
CreatedTimeUTC | event.created | Incident creation time |
LastModifiedTimeUTC | event.last_modified | Last update time |
FirstActivityTimeUTC | event.start | First detected activity |
LastActivityTimeUTC | event.end | Latest detected activity |
OwnerEmail | user.email | Assigned owner's email |
OwnerAssignedTo | user.name | Assigned owner's name |
ResourceId | cloud.resource_id | Azure resource ID |
Labels | labels | Incident labels |
All timestamps are normalized at nanosecond level in UTC.