{
  "name": "microsoft_sentinel",
  "title": "Microsoft Sentinel",
  "version": "1.3.1",
  "release": "ga",
  "description": "Collect logs from Microsoft Sentinel with Elastic Agent.",
  "type": "integration",
  "download": "/epr/microsoft_sentinel/microsoft_sentinel-1.3.1.zip",
  "path": "/package/microsoft_sentinel/1.3.1",
  "icons": [
    {
      "src": "/img/microsoft-sentinel-logo.svg",
      "path": "/package/microsoft_sentinel/1.3.1/img/microsoft-sentinel-logo.svg",
      "title": "Microsoft Sentinel logo",
      "size": "32x32",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.19.10 || ~9.1.10 || ~9.2.4 || ^9.3.0"
    },
    "elastic": {
      "subscription": "basic"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/security-service-integrations"
  },
  "categories": [
    "azure",
    "security",
    "siem"
  ],
  "signature_path": "/epr/microsoft_sentinel/microsoft_sentinel-1.3.1.zip.sig",
  "format_version": "3.3.2",
  "readme": "/package/microsoft_sentinel/1.3.1/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/microsoft_sentinel-alert-dashboard.png",
      "path": "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-alert-dashboard.png",
      "title": "Alert Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/microsoft_sentinel-incident-dashboard.png",
      "path": "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-incident-dashboard.png",
      "title": "Incident Dashboard",
      "size": "600x600",
      "type": "image/png"
    },
    {
      "src": "/img/microsoft_sentinel-event-dashboard.png",
      "path": "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-event-dashboard.png",
      "title": "Event Dashboard",
      "size": "600x600",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/microsoft_sentinel/1.3.1/LICENSE.txt",
    "/package/microsoft_sentinel/1.3.1/changelog.yml",
    "/package/microsoft_sentinel/1.3.1/manifest.yml",
    "/package/microsoft_sentinel/1.3.1/validation.yml",
    "/package/microsoft_sentinel/1.3.1/docs/README.md",
    "/package/microsoft_sentinel/1.3.1/img/microsoft-sentinel-logo.svg",
    "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-alert-dashboard.png",
    "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-event-dashboard.png",
    "/package/microsoft_sentinel/1.3.1/img/microsoft_sentinel-incident-dashboard.png",
    "/package/microsoft_sentinel/1.3.1/kibana/tags.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/manifest.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/sample_event.json",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/manifest.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/manifest.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/sample_event.json",
    "/package/microsoft_sentinel/1.3.1/kibana/dashboard/microsoft_sentinel-a9a3f6fc-876c-4aa1-98f3-6d41bbb7f852.json",
    "/package/microsoft_sentinel/1.3.1/kibana/dashboard/microsoft_sentinel-bcfbf711-9fa2-4d98-aaec-1302e4ffd332.json",
    "/package/microsoft_sentinel/1.3.1/kibana/dashboard/microsoft_sentinel-c0a331fd-c7d9-452e-b5db-0f062479c779.json",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/fields/base-fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/fields/beats.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/fields/ecs.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/fields/fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/fields/base-fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/fields/beats.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/fields/ecs.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/fields/fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/fields/base-fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/fields/beats.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/fields/ecs.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/fields/fields.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/fields/is-transform-source-true.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/manifest.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/transform.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/agent/stream/cel.yml.hbs",
    "/package/microsoft_sentinel/1.3.1/data_stream/alert/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/agent/stream/azure-eventhub.yml.hbs",
    "/package/microsoft_sentinel/1.3.1/data_stream/event/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/agent/stream/cel.yml.hbs",
    "/package/microsoft_sentinel/1.3.1/data_stream/incident/elasticsearch/ingest_pipeline/default.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/fields/base-fields.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/fields/beats.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/fields/ecs.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/fields/fields.yml",
    "/package/microsoft_sentinel/1.3.1/elasticsearch/transform/latest_incident/fields/is-transform-source-false.yml"
  ],
  "policy_templates": [
    {
      "name": "microsoft_sentinel",
      "title": "Microsoft Sentinel Logs",
      "description": "Collect logs from Microsoft Sentinel.",
      "inputs": [
        {
          "type": "cel",
          "vars": [
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "The client ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "The secret related to the client ID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "login_url",
              "type": "text",
              "title": "OAuth Server URL",
              "description": "URL of the login server. The tenant ID and token endpoint are added to it automatically.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "url",
              "type": "text",
              "title": "URL",
              "description": "URL of the Azure portal.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "https://management.azure.com"
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "The tenant ID related to creating a new application on Azure.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "resource_group_name",
              "type": "text",
              "title": "Resource Group Name",
              "description": "The name of the resource group.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "subscription_id",
              "type": "text",
              "title": "Subscription ID",
              "description": "The ID of the target subscription. The value must be a UUID.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "workspace_name",
              "type": "text",
              "title": "Workspace Name",
              "description": "The name of the workspace.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "proxy_url",
              "type": "text",
              "title": "Proxy URL",
              "description": "URL to proxy connections in the form of http[s]://<user>:<password>@<server name/ip>:<port>. Please ensure your username and password are URL-encoded.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "ssl",
              "type": "yaml",
              "title": "SSL Configuration",
              "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "#certificate_authorities:\n#  - |\n#    -----BEGIN CERTIFICATE-----\n#    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n#    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n#    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n#    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n#    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n#    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n#    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n#    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n#    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n#    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n#    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n#    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n#    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n#    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n#    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n#    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n#    sxSmbIUfc2SGJGCJD4I=\n#    -----END CERTIFICATE-----\n"
            }
          ],
          "title": "Collect Microsoft Sentinel logs via API",
          "description": "Collecting Microsoft Sentinel logs via API."
        },
        {
          "type": "azure-eventhub",
          "title": "Collect Microsoft Sentinel events via Azure Event Hub",
          "description": "Collect Microsoft Sentinel events via Azure Event Hub."
        }
      ],
      "multiple": true,
      "deployment_modes": {
        "default": {
          "enabled": true
        },
        "agentless": {
          "enabled": true
        }
      }
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "microsoft_sentinel.alert",
      "title": "Microsoft Sentinel Alert logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Alert logs from Microsoft Sentinel API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Sentinel API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Microsoft Sentinel API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_sentinel-alert"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_sentinel.alert fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Sentinel Alert Logs",
          "description": "Collecting Microsoft Sentinel Alert logs via API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_sentinel",
      "path": "alert"
    },
    {
      "type": "logs",
      "dataset": "microsoft_sentinel.event",
      "title": "Collect Events from Microsoft Sentinel.",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "azure-eventhub",
          "vars": [
            {
              "name": "eventhub",
              "type": "text",
              "title": "Azure Event Hub",
              "description": "Elastic recommends using one Azure Event Hub for each integration. Visit [Create an Azure Event Hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use Azure Event Hub names up to 30 characters long to avoid compatibility issues.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "consumer_group",
              "type": "text",
              "title": "Consumer Group",
              "description": "We recommend using a dedicated consumer group for the Azure Event Hub input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "$Default"
            },
            {
              "name": "auth_type",
              "type": "select",
              "title": "Authentication Type",
              "description": "Authentication method to use for Event Hub and Storage Account. When set to **Connection String** or left blank: **Connection String** and **Storage Account Key** are required. When set to **Client Secret**: Microsoft Entra ID client secret authentication is used, requiring **Tenant ID**, **Client ID**, **Client Secret**, and **Event Hub Namespace**. Note: The same authentication type applies to both Event Hub and Storage Account for security consistency.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "connection_string"
            },
            {
              "name": "connection_string",
              "type": "password",
              "title": "Connection String",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account_key",
              "type": "password",
              "title": "Storage Account Key",
              "description": "(Required when **Authentication Type** is **Connection String** or left blank) The storage account key used to authorize access to data in your storage account. Not used when **Authentication Type** is **Client Secret**; client secret authentication is used for storage instead.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "storage_account",
              "type": "text",
              "title": "Storage Account",
              "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.",
              "multi": false,
              "required": true,
              "show_user": true
            },
            {
              "name": "eventhub_namespace",
              "type": "text",
              "title": "Event Hub Namespace",
              "description": "(Required when **Authentication Type** is **Client Secret**) Fully qualified Event Hub namespace (e.g., namespace.servicebus.windows.net). Do not use the short namespace name; use the complete FQDN.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "tenant_id",
              "type": "text",
              "title": "Tenant ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID tenant ID. This is the directory/tenant where your Microsoft Entra ID application is registered.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_id",
              "type": "text",
              "title": "Client ID",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application (client) ID. The service principal must have 'Azure Event Hubs Data Receiver' role on the Event Hub and 'Storage Blob Data Contributor' role on the Storage Account.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "client_secret",
              "type": "password",
              "title": "Client Secret",
              "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application client secret. Generate this secret in your Microsoft Entra ID app registration.",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "authority_host",
              "type": "text",
              "title": "Authority Host",
              "description": "(Optional when **Authentication Type** is **Client Secret**) Microsoft Entra ID authority endpoint. Defaults to https://login.microsoftonline.com (Azure Public Cloud). Change for other Azure environments: Azure Government (https://login.microsoftonline.us), Azure China (https://login.chinacloudapi.cn), or Azure Germany (https://login.microsoftonline.de).",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "https://login.microsoftonline.com"
            },
            {
              "name": "storage_account_container",
              "type": "text",
              "title": "Storage Account Container",
              "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You must use a dedicated storage account container for each Azure log type. Do not reuse the same container name for more than one Azure log type. See the Azure Storage documentation on naming and referencing containers, blobs, and metadata for details on Microsoft's container naming rules. The integration generates a default container name if not specified.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "resource_manager_endpoint",
              "type": "text",
              "title": "Resource Manager Endpoint",
              "description": "By default, the Azure public environment is used. To use a different Azure environment, provide that environment's resource manager endpoint here.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_sentinel-event"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserve a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_sentinel.event fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "azure-eventhub.yml.hbs",
          "title": "Microsoft Sentinel Events",
          "description": "Collecting Events from Microsoft Sentinel via Azure Event Hub.",
          "enabled": false,
          "ingestion_method": "Azure Event Hub"
        }
      ],
      "package": "microsoft_sentinel",
      "path": "event"
    },
    {
      "type": "logs",
      "dataset": "microsoft_sentinel.incident",
      "title": "Microsoft Sentinel Incident logs",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "cel",
          "vars": [
            {
              "name": "initial_interval",
              "type": "text",
              "title": "Initial Interval",
              "description": "How far back to pull the Incident logs from Microsoft Sentinel API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "24h"
            },
            {
              "name": "interval",
              "type": "text",
              "title": "Interval",
              "description": "Duration between requests to the Microsoft Sentinel API. Supported units for this parameter are h/m/s.",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": "5m"
            },
            {
              "name": "batch_size",
              "type": "text",
              "title": "Batch Size",
              "description": "Batch size for the response of the Microsoft Sentinel API. The maximum supported page size value is 1000.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 1000
            },
            {
              "name": "http_client_timeout",
              "type": "text",
              "title": "HTTP Client Timeout",
              "description": "Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "30s"
            },
            {
              "name": "enable_request_tracer",
              "type": "bool",
              "title": "Enable request tracing",
              "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": false
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "forwarded",
                "microsoft_sentinel-incident"
              ]
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "preserve_duplicate_custom_fields",
              "type": "bool",
              "title": "Preserve duplicate custom fields",
              "description": "Preserve microsoft_sentinel.incident fields that were copied to Elastic Common Schema (ECS) fields.",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.",
              "multi": false,
              "required": false,
              "show_user": false
            }
          ],
          "template_path": "cel.yml.hbs",
          "title": "Microsoft Sentinel Incident Logs",
          "description": "Collecting Microsoft Sentinel Incident logs via API.",
          "enabled": false,
          "ingestion_method": "API"
        }
      ],
      "package": "microsoft_sentinel",
      "path": "incident"
    }
  ]
}
