Collect Microsoft Sentinel logs

Overview

This parser extracts fields from Microsoft Sentinel JSON logs, performs transformations like IP address extraction and string manipulation, and maps the extracted data to the UDM, including principal, target, security_result, and metadata fields. It also handles various data types and merges extracted entities into the UDM structure.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance.
  • Access to Microsoft Sentinel.

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Microsoft Sentinel Logs.
  5. Select Webhook as the Source type.
  6. Select Microsoft Sentinel as the Log type.
  7. Click Next.
  8. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.
  11. Click Generate Secret Key to generate a secret key to authenticate this feed.
  12. Copy and store the secret key, because you cannot view this secret again. You can generate a new secret key later, but regenerating the secret key makes the previous secret key obsolete.
  13. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  14. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Chronicle API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

     X-goog-api-key = API_KEY
     X-Webhook-Access-Key = SECRET


    Recommendation: Specify the API key as a header instead of specifying it in the URL. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

     ENDPOINT_URL?key=API_KEY&secret=SECRET


Replace the following:

  • ENDPOINT_URL: the feed endpoint URL.
  • API_KEY: the API key to authenticate to Google Security Operations.
  • SECRET: the secret key that you generated to authenticate the feed.
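As an added example (not part of the original page), the request a custom webhook client would assemble from these values, in Python: the recommended header form, the query-parameter fallback for clients that cannot set custom headers, and the newline-delimited body that matches a \n split delimiter. The endpoint URL, API key, secret and alert records are placeholders constructed here.

```python
import json
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample alerts (not real data); one JSON object per line matches a "\n" split delimiter.
SAMPLE_RECORDS = [
    {"AlertName": "Suspicious sign-in", "AlertSeverity": "High"},
    {"AlertName": "Malware detected", "AlertSeverity": "Medium"},
]

def build_webhook_request(endpoint_url, api_key, secret, records, use_headers=True):
    """Describe the POST a webhook client sends to the feed endpoint.

    Returns a dict with method, url, headers and body. With use_headers=True the
    credentials travel in the X-goog-api-key / X-Webhook-Access-Key headers (the
    recommended form); otherwise they are appended as ?key=...&secret=... query
    parameters, the fallback for clients that cannot set custom headers.
    """
    scheme, netloc, path, query, fragment = urlsplit(endpoint_url)
    if scheme != "https":
        raise ValueError("feed endpoint must be an https:// URL")
    # Newline-delimited JSON: the feed's split delimiter separates one record per line.
    body = "\n".join(json.dumps(r, separators=(",", ":")) for r in records).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
        url = endpoint_url
    else:
        creds = urlencode({"key": api_key, "secret": secret})   # percent-encodes the secret
        url = urlunsplit((scheme, netloc, path, f"{query}&{creds}" if query else creds, fragment))
    return {"method": "POST", "url": url, "headers": headers, "body": body}

if __name__ == "__main__":
    # Placeholder endpoint and credentials; substitute the values copied from the feed's Details tab.
    req = build_webhook_request("https://feed.example.invalid/v1/feed", "API_KEY", "SECRET", SAMPLE_RECORDS)
    print(req["method"], req["url"], sorted(req["headers"]))
```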

Configure Logic App for Microsoft Sentinel Incidents

To configure Logic App for Microsoft Sentinel Incidents, follow these steps:

  1. Sign in to Azure Portal.
  2. Click Create a resource.
  3. Search for Logic App.
  4. Click Create to start the creation process.
  5. Specify values for the following input parameters:
    • Subscription: Select the subscription.
    • Resource group: Select the resource group.
    • Name: Enter a name for the Logic App.
    • Region: Select the region.
    • Log Analytics workspace: Select the Log Analytics workspace.
  6. Click Review + create.
  7. Click Create.
  8. After the Logic App is created, click Go to resource.
  9. Click Development Tools > Logic App Designer.
  10. Click Add a trigger.
  11. Search for Microsoft Sentinel.
  12. Select Microsoft Sentinel incident as the trigger.
  13. If you haven't already created a connection to Microsoft Sentinel, you need to do so now. Click Create new and follow the prompts to authenticate.
  14. Click Insert a new step.
  15. Click Add an action.
  16. Search for and select HTTP as the action.
  17. Specify values for the following input parameters:
    • URI: the feed endpoint URL.
    • Method: POST
    • Headers: Add the following headers:
      • Content-Type: application/json
      • X-goog-api-key: the API key to authenticate to Google Security Operations.
      • X-Webhook-Access-Key: the secret key that you generated to authenticate the feed.

Configure Logic App for Microsoft Sentinel Alerts

To configure Logic App for Microsoft Sentinel Alerts, follow these steps:

  1. Go to Azure Portal Home Page.
  2. Click Create a resource.
  3. Search for Logic App.
  4. Click Create to start the creation process.
  5. Specify values for the following input parameters:
    • Subscription: Select the subscription.
    • Resource group: Select the resource group.
    • Name: Enter a name for the Logic App.
    • Region: Select the region.
    • Log Analytics workspace: Select the Log Analytics workspace.
  6. Click Review + create.
  7. Click Create.
  8. After the Logic App is created, click Go to resource.
  9. Click Development Tools > Logic App Designer.
  10. Click Add a trigger.
  11. Search for Microsoft Sentinel.
  12. Select Microsoft Sentinel alert as the trigger.
  13. If you haven't already created a connection to Microsoft Sentinel, you need to do so now. Click Create new and follow the prompts to authenticate.
  14. Click Insert a new step.
  15. Click Add an action.
  16. Search for and select HTTP as the action.
  17. Specify values for the following input parameters:
    • URI: the feed endpoint URL.
    • Method: POST
    • Headers: Add the following headers:
      • Content-Type: application/json
      • X-goog-api-key: the API key to authenticate to Google Security Operations.
      • X-Webhook-Access-Key: the secret key that you generated to authenticate the feed.

Configure Automation rules for Microsoft Sentinel

To configure Automation rules for Microsoft Sentinel, follow these steps:

  1. Go to your Microsoft Sentinel Workspace.
  2. Click Configuration > Automation.
  3. Click Create.
  4. Select Automation rule.
  5. Specify values for the following input parameters:
    • Name: Enter a name for the automation rule.
    • Trigger: Select When incident is created.
    • Actions: Select Run playbook > Logic App created for incidents.
  6. Click Apply.
  7. Click Create.
  8. Select Automation rule.
  9. Specify values for the following input parameters:
    • Name: Enter a name for the automation rule.
    • Trigger: Select When incident is updated.
    • Condition: Click Add > Condition (And) > Status > Changed.
    • Actions: Select Run playbook > Logic App created for incidents.
  10. Click Apply.
  11. Click Create.
  12. Select Automation rule.
  13. Specify values for the following input parameters:
    • Name: Enter a name for the automation rule.
    • Trigger: Select When alert is created.
    • Actions: Select Run playbook > Logic App created for alerts.
  14. Click Apply.

UDM Mapping Table

Log Field | UDM Mapping | Logic
AlertGenerationStatus | security_result.detection_fields.AlertGenerationStatus | Directly mapped from the ExtendedProperties field after JSON parsing.
AlertLink | principal.labels.AlertLink | Directly mapped.
AlertName | security_result.rule_name | Directly mapped.
AlertSeverity | security_result.severity | Directly mapped, converted to uppercase. If the value is one of HIGH, MEDIUM, LOW, CRITICAL, or UNKNOWN_SEVERITY, it's mapped to security_result.severity. Otherwise, it's mapped to security_result.severity_details.
AlertType | security_result.threat_name | Directly mapped.
Category | security_result.detection_fields.Category | Directly mapped from the ExtendedProperties field after JSON parsing.
CompromisedEntity | principal.resource.attribute.labels.CompromisedEntity | Directly mapped.
CompromisedEntityId | security_result.detection_fields.CompromisedEntityId | Directly mapped from the ExtendedProperties field after JSON parsing.
ConfidenceLevel | security_result.confidence_details | Directly mapped.
ConfidenceScore | security_result.detection_fields.ConfidenceScore | Directly mapped.
cribl_pipe | additional.fields.cribl_pipe | Directly mapped.
Description | security_result.description | Directly mapped.
DestinationDevice | security_result.detection_fields.DestinationDevice OR target.ip | Mapped from the ExtendedProperties field after JSON parsing. If the value is a valid IP address, it's mapped to target.ip. Otherwise, it's mapped as a detection field.
DestinationDeviceAddress | target.ip | Mapped from the ExtendedProperties field after JSON parsing, only if a valid IP address.
DeviceId | security_result.detection_fields.DeviceId | Directly mapped from the ExtendedProperties field after JSON parsing.
DisplayName | security_result.summary | Directly mapped.
EndTime | about.labels.EndTime | Directly mapped.
Entities.Address | principal.asset.ip | Extracted from the Entities array after JSON parsing. Only IP addresses are mapped.
Entities.HostName | principal.asset.hostname OR principal.asset.ip | Extracted from the Entities array after JSON parsing. If the value is a valid IP address, it's mapped to principal.asset.ip. Otherwise, it's mapped to principal.asset.hostname.
Entities.IoTDevice.DeviceId | security_result.detection_fields.IoTDeviceID | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.DeviceType | security_result.detection_fields.IoTDeviceType | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.DeviceTypeId | security_result.detection_fields.IoTDeviceTypeId | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.Importance | security_result.detection_fields.IoTDeviceImportance | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.IoTSecurityAgentId | security_result.detection_fields.IoTSecurityAgentId | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.Manufacturer | security_result.detection_fields.IoT Manufacturer | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.OperatingSystem | principal.asset.platform_software.platform_version | Extracted from the Entities array after JSON parsing, trailing spaces removed.
Entities.IoTDevice.PurdueLayer | security_result.detection_fields.IoT PurdueLayer | Extracted from the Entities array after JSON parsing.
Entities.IoTDevice.Sensor | security_result.detection_fields.IoT Sensor | Extracted from the Entities array after JSON parsing.
ExtendedProperties.Protocol | security_result.detection_fields.Protocol | Directly mapped from the ExtendedProperties field after JSON parsing.
ExtendedProperties.SensorId | security_result.detection_fields.SensorId | Directly mapped from the ExtendedProperties field after JSON parsing.
ExtendedProperties.SourceDevice | principal.ip OR security_result.detection_fields.SourceDevice | Mapped from the ExtendedProperties field after JSON parsing. If the value is a valid IP address, it's mapped to principal.ip. Otherwise, it's mapped as a detection field.
ExtendedProperties.SourceDeviceAddress | principal.ip | Mapped from the ExtendedProperties field after JSON parsing, only if a valid IP address.
IsIncident | security_result.detection_fields.IsIncident | Directly mapped, converted to string.
ProcessingEndTime | about.labels.ProcessingEndTime | Directly mapped.
ProductComponentName | principal.resource.attribute.labels.ProductComponentName | Directly mapped.
ProductName | principal.resource.attribute.labels.ProductName | Directly mapped.
ProviderName | principal.resource.attribute.labels.ProviderName | Directly mapped.
ResourceId | principal.resource.product_object_id, target.resource.name | Directly mapped.
SourceComputerId | principal.asset.asset_id | Directly mapped, prefixed with "SourceComputerId:".
SourceSystem | security_result.detection_fields.SourceSystem | Directly mapped.
StartTime | about.labels.StartTime | Directly mapped.
Status | security_result.detection_fields.Status | Directly mapped.
SystemAlertId | metadata.product_log_id | Directly mapped.
Tactics | security_result.attack_details.tactics.name | Extracted from the Tactics field after JSON parsing and backslash removal.
Techniques | security_result.attack_details.techniques.id | Extracted from the Techniques field after JSON parsing and backslash removal.
TenantId | additional.fields.TenantId | Directly mapped.
TimeGenerated | about.labels.TimeGenerated | Directly mapped.
timestamp | metadata.event_timestamp, events.timestamp | Directly mapped.
VendorName | metadata.vendor_name | Directly mapped.
VendorOriginalId | additional.fields.VendorOriginalId | Directly mapped.
_time | metadata.event_timestamp, events.timestamp | Parsed as a timestamp using UNIX or UNIX_MS format.
(Parser Logic) | metadata.event_type | Set to "USER_RESOURCE_ACCESS" if principal, target, and ResourceId are present. Otherwise, set to "GENERIC_EVENT".
(Parser Logic) | metadata.log_type | Set to "MICROSOFT_SENTINEL".
(Parser Logic) | metadata.product_name | Set to "MICROSOFT_SENTINEL".
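To make the conditional rules in the table concrete, the following added Python sketch (written for this page, not the Google SecOps parser itself) applies a subset of them to a constructed alert record: the uppercase severity check, the IP-versus-detection-field split for SourceDevice and DestinationDevice, the HostName entity handling, the Tactics backslash removal, and the event_type decision. The sample record and its values are constructed, and the UDM output is a plain dict that only mirrors the field names above.

```python
import ipaddress
import json

VALID_SEVERITIES = {"HIGH", "MEDIUM", "LOW", "CRITICAL", "UNKNOWN_SEVERITY"}  # accepted verbatim

SAMPLE_RECORD = json.dumps({  # constructed sample shaped like one Sentinel SecurityAlert row
    "AlertSeverity": "high",
    "ResourceId": "/subscriptions/example-sub/resourceGroups/rg1/providers/example",
    "ExtendedProperties": json.dumps({"SourceDevice": "10.0.0.5", "DestinationDevice": "db-server"}),
    "Entities": json.dumps([{"Type": "host", "HostName": "workstation-7"}]),
    # Escaped JSON as it often arrives in this column; the parser strips backslashes, then parses.
    "Tactics": '[\\"InitialAccess\\",\\"Persistence\\"]',
})

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def to_udm(raw):
    rec = json.loads(raw)
    udm = {"metadata": {"log_type": "MICROSOFT_SENTINEL", "product_name": "MICROSOFT_SENTINEL"},
           "principal": {}, "target": {}, "security_result": {"detection_fields": {}}}
    sr, df = udm["security_result"], udm["security_result"]["detection_fields"]
    sev = rec.get("AlertSeverity", "").upper()        # uppercased before the membership check
    if sev:
        sr["severity" if sev in VALID_SEVERITIES else "severity_details"] = sev
    ext = json.loads(rec.get("ExtendedProperties", "{}"))
    for key, side in (("SourceDevice", "principal"), ("DestinationDevice", "target")):
        val = ext.get(key)
        if val and is_ip(val):
            udm[side]["ip"] = val                     # IP -> principal.ip / target.ip
        elif val:
            df[key] = val                             # otherwise kept as a detection field
    for ent in json.loads(rec.get("Entities", "[]")):
        if ent.get("HostName"):                       # IP-looking hostnames go to asset.ip
            asset = udm["principal"].setdefault("asset", {})
            asset["ip" if is_ip(ent["HostName"]) else "hostname"] = ent["HostName"]
    if "Tactics" in rec:                              # backslash removal, then JSON parse
        tactics = json.loads(rec["Tactics"].replace("\\", ""))
        sr["attack_details"] = {"tactics": [{"name": t} for t in tactics]}
    if "ResourceId" in rec:
        udm["principal"]["resource"] = {"product_object_id": rec["ResourceId"]}
        udm["target"]["resource"] = {"name": rec["ResourceId"]}
    complete = udm["principal"] and udm["target"] and "ResourceId" in rec
    udm["metadata"]["event_type"] = "USER_RESOURCE_ACCESS" if complete else "GENERIC_EVENT"
    return udm
```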
