
Sentinel Replication

Sandfly supports the replication of results data to an external Sentinel database for independent, long-term storage and analysis.


INFO: Upgrade Feature - Sentinel Replication

The ability to configure and use Sentinel Replication requires an upgraded plan. Please see https://www.sandflysecurity.com/get-sandfly/ for details.

Configure Sentinel for Result Replication

Prepare the Azure Workspace

To send events from Sandfly to Microsoft Sentinel, four main steps are required to configure Azure Monitor.

  1. Create Credentials via Azure App Registration
    • Application (client) ID
    • Directory (tenant) ID
    • Application Secret Value
  2. Configure the Role Assignment for the Application
  3. Create a Data Collection Endpoint (DCE)
    • Logs ingestion endpoint URL
  4. Create a Custom Table for Sandfly Events
    • Data Collection Rule (DCR)
    • Custom Table Stream Name

Once all the steps are complete, you will have the six values required to configure the Sandfly Server connection to Azure Sentinel.

  1. Application (client) ID
  2. Directory (tenant) ID
  3. Application Secret Value
  4. Logs Ingestion Endpoint URL
  5. Data Collection Rule (DCR) Immutable ID
  6. Custom Table Stream Name

Create Credentials via Azure App Registration

  1. Navigate to the Azure Portal Home as an Administrator
  2. Search for and navigate to the portal App registrations section
  3. Click on New registration
    • Name the application, for example: SandflyResults
    • Select Accounts in this organizational directory only
    • Ignore the Redirect URI
    • Click on Register
  4. On the Overview blade
    • Save the Application (client) ID
    • Save the Directory (tenant) ID
  5. On the Overview blade, click on Add a certificate or secret
  6. Click on New client secret
    • Enter a Description
    • Select the Expires value (Recommended default is 180 days, Sandfly recommends 365 days)
    • NOTE: Save the Value now as you will not be able to view it later

NOTE: Make sure you have saved the following values from this section:

  • Application (client) ID
  • Directory (tenant) ID
  • Application Secret Value

Configure the Role Assignment for the Application

  1. Navigate to the Azure Portal Home
  2. Open Subscriptions and select the Subscription Name
  3. Click on Access Control (IAM)
  4. Select Add > Add role assignment
  5. Search for and select Monitoring Metrics Publisher
  6. Click Next
  7. On the Add role assignment blade, verify the role is Monitoring Metrics Publisher
  8. Click Select Members
  9. In the Search by name or email address type the name of the Application (SandflyResults)
  10. Click on the Application Name
  11. Verify the Application is listed under Selected members
  12. Click Select
  13. Verify the Application is listed under the Members section
  14. Click Review + assign and verify the Application is listed under the Members section
  15. Click Review + assign again
  16. Click Refresh and verify the Application is listed under Monitoring Metrics Publisher

Create a Data Collection Endpoint

  1. In the Azure Portal, search for and navigate to Data collection endpoints
  2. Click Create
    • Enter the Endpoint Name
    • Select the Subscription
    • Select or Create new Resource Group
    • Select the Region
    • Click Review + create
    • Review the details and click Create
  3. Click Refresh to verify the new DCE has been created
  4. Select the newly created DCE
  5. On the Overview blade
    • Save the Logs Ingestion endpoint URL (e.g., https://sandfly-demo-v1-abcd.eastus2-1.ingest.monitor.azure.com)
    • The URL has the general format https://<Endpoint-Name>-<Identifier>.<Region>.ingest.monitor.azure.com

NOTE: Make sure you have saved the following values from this section:

  • Logs Ingestion endpoint URL

Create a Custom Table for Sandfly Alarms

  1. In the Azure Portal, search for and navigate to the Log Analytics workspaces and select your workspace
  2. Expand the Settings section and select Tables
  3. Click on Create > New custom log (DCR-based)
  4. Enter the Table Name (Note: you do not need to add the _CL suffix; it is added automatically)
  5. Enter the (Optional) Description
  6. Click Create a new data collection rule
    • Select the Subscription and Resource group
    • Enter the Name
    • Click Done
  7. Select the Data collection endpoint created previously
  8. Click Next
  9. On the Schema and transformation blade
    • Select Upload sample file and choose the sentinel_template.json file, which is included in the sandfly-setup bundle in the following directory: sandfly-setup/integrations/sentinel/
  10. Verify the fields and data are uploaded correctly
    • Click Transformation editor to make any changes
  11. Click Next
  12. Click Create
  13. Verify the new Custom Table appears in the Tables list (may need to refresh the page)
  14. Search for and navigate to Data collection rules
  15. Click on the DCR created in Step 6 above
  16. On the DCR Overview blade, click on JSON View
    • Save the DCR immutableId (e.g., dcr-15f5913c29774ff18b2ab926829741bf)
    • Save the streamDeclarations custom table stream name (e.g., Custom-SandflyDemoV1_CL)

NOTE: Make sure you have saved the following values from this section:

  • Data Collection Rule immutable ID
  • Custom Table Stream Name

Sentinel Replication - Sandfly Server Settings

Sentinel Replication Settings

The Sentinel Replication tab, available via the Settings > Server Configuration menu, contains the following settings that can be edited:

  • Microsoft Sentinel Replication Enabled - Set it to true to enable access to the Sentinel Replication settings and activate the replication service.
  • Application (Client) ID - Enter the value from the Sentinel configuration steps.
  • Directory (Tenant) ID - Enter the value from the Sentinel configuration steps.
  • Logs Ingestion Endpoint URL - The Logs Ingestion endpoint URL of the Data Collection Endpoint created in the Sentinel configuration steps, in the general format https://<Endpoint-Name>-<Identifier>.<Region>.ingest.monitor.azure.com, as shown in the reference image.
  • Data Collection Rule (DCR) Immutable ID - Enter the value from the Sentinel configuration steps.
  • Custom Table Stream Name - Enter the value from the Sentinel configuration steps.
  • Set Secret (optional) - If an Application Secret Value is set, toggle the switch on and enter the value.
  • Alerts Only - Toggle whether to send only alert results or all results.
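As an added example (not Sandfly's code and not part of the sandfly-setup bundle), the following Python preflight checks the six values gathered in the Azure steps above before they are entered in the Sentinel Replication tab, and shows the Azure Monitor Logs Ingestion API URL and token request those values map to. The format checks are derived from the example values on this page; the sample client ID, tenant ID and secret are constructed placeholders.

```python
import re
from urllib.parse import quote

# Formats constructed from the example values shown in this guide (hypothetical checks, not Sandfly code).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DCE_URL_RE = re.compile(r"^https://[a-z0-9-]+-[a-z0-9]+\.[a-z0-9-]+\.ingest\.monitor\.azure\.com$")
DCR_ID_RE = re.compile(r"^dcr-[0-9a-f]{32}$")
STREAM_RE = re.compile(r"^Custom-[A-Za-z0-9_]+_CL$")

API_VERSION = "2023-01-01"                           # Azure Monitor Logs Ingestion API version
TOKEN_SCOPE = "https://monitor.azure.com//.default"  # scope for Logs Ingestion bearer tokens
# Constructed sample: IDs and secret are placeholders; the other three values are this page's own examples.
SAMPLE = {
    "client_id": "11111111-2222-3333-4444-555555555555",
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "PLACEHOLDER-secret-value",
    "dce_url": "https://sandfly-demo-v1-abcd.eastus2-1.ingest.monitor.azure.com",
    "dcr_immutable_id": "dcr-15f5913c29774ff18b2ab926829741bf",
    "stream_name": "Custom-SandflyDemoV1_CL",
}

def check_artifacts(a):
    """Return a list of problems with the six values; an empty list means they are well-formed."""
    problems = []
    if not GUID_RE.match(a.get("client_id", "")):
        problems.append("Application (client) ID is not a GUID")
    if not GUID_RE.match(a.get("tenant_id", "")):
        problems.append("Directory (tenant) ID is not a GUID")
    if not a.get("client_secret"):
        problems.append("Application Secret Value is empty (it is only shown when the secret is created)")
    if not DCE_URL_RE.match(a.get("dce_url", "").rstrip("/")):
        problems.append("Logs Ingestion endpoint URL is not <name>-<id>.<region>.ingest.monitor.azure.com")
    if not DCR_ID_RE.match(a.get("dcr_immutable_id", "")):
        problems.append("DCR immutable ID should look like dcr-<32 hex characters>")
    if not STREAM_RE.match(a.get("stream_name", "")):
        problems.append("Custom Table Stream Name should look like Custom-<TableName>_CL")
    return problems

def ingestion_url(dce_url, dcr_immutable_id, stream_name):
    """URL the replication client POSTs a JSON array of events to (Logs Ingestion API)."""
    return (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{quote(stream_name, safe='')}?api-version={API_VERSION}")

def token_request(tenant_id, client_id, client_secret):
    """Token endpoint and form body for the client-credentials grant the app uses to call the DCE."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": TOKEN_SCOPE}
    return url, body
```

Run `check_artifacts(SAMPLE)` on the real values before saving the settings; a non-empty list usually means a value was copied from the wrong blade (for example the DCR resource ID instead of its immutableId).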