{
"TimeGenerated": "2024-09-03T10:56:58.5010069Z", (1)
"msg": { (2)
"id": "1abe30d1-fa3a-xxxx-xxxx-781f0a12228a", (3)
"policy" : {}
}
}
×
Integrating with Microsoft Sentinel notifier
Microsoft Sentinel is a security information and event management (SIEM) solution which acts on Red Hat Advanced Cluster Security for Kubernetes (RHACS) alerts and audit logs.
Viewing the log analytics to detect threats
By creating a Microsoft Sentinel integration, you can view the log analytics to detect threats.
Prerequisites
-
You have created a data collection rule, log analytics workspace, and service principal on Microsoft Azure.
-
You have configured a client secret or client certificate at the service principal for authentication.
-
You have created a log analytics schema by using the
TimeGeneratedandmsgfields in JSON format.You need to create separate log analytics tables for audit logs and alerts, and both data sources use the same schema.
-
To create a schema, upload the following content to Microsoft Sentinel:
Example JSON1 The timestamp for the alert. 2 Contains the message details. 3 The payload of the message, either alert or audit log.
-
Procedure
-
In the RHACS portal, click Platform Configuration → Integrations.
-
Scroll down to the Notifier Integrations section, and then click Microsoft Sentinel.
-
To create a new integration, click New integration.
-
In the Create integration page, provide the following information:
-
Integration name: Specify a name for the integration.
-
Log ingestion endpoint: Enter the data collection endpoint. You can find the endpoint in the Microsoft Azure portal.
For more information, see Data collection rules (DCRs) in Azure Monitor (Microsoft Azure documentation).
-
Directory tenant ID: Enter the tenant ID which uniquely identifies your Azure Active Directory (AAD) within the Microsoft cloud infrastructure. You can find the tenant ID in the Microsoft Azure portal.
For more information, see Find tenant name and tenant ID in Azure Active Directory B2C (Microsoft Azure documentation).
-
Application client ID: Enter the client ID which uniquely identifies the specific application registered within your AAD that needs access to resources. You can find the client ID in the Microsoft Entra portal for the service principal you have created.
For more information, see Register applications (Microsoft Azure documentation).
-
Choose the appropriate authentication method:
-
If you want to use a secret, enter the secret value. You can find the secret in the Microsoft Azure portal.
-
If you want to use a client certificate, enter the client certificate and private key. You can find the certificate ID and private key in the Microsoft Azure portal.
For more information, see The new App registrations experience for Azure Active Directory B2C (Microsoft Azure documentation).
-
-
Optional: Choose the appropriate method to configure the data collection rule configuration:
-
Select the Enable alert DCR checkbox, if you want to enable the alert data collection rule configuration.
To create an alert data collection rule, enter the alert data collection rule stream name and ID. You can find the stream name and ID in the Microsoft Azure portal.
-
Select the Enable audit log DCR checkbox, if you want to enable audit data collection rule configuration.
To create an audit data collection rule, enter the stream name and ID. You can find the stream name and ID in the Microsoft Azure portal.
For more information, see Data collection rules (DCRs) in Azure Monitor (Microsoft Azure documentation).
-
-
-
Optional: To test the new integration, click Test.
-
To save the new integration, click Save.
Verification
-
In the RHACS portal, click Platform Configuration → Integrations.
-
Scroll down to the Notifier Integrations section, and then click Microsoft Sentinel.
-
In the Integrations Microsoft Sentinel page, verify that the new integration has been created.
-
Verify that the messages receive the correct log tables in your log analytics workspace.