
Sentinel Plugin Scope

Karthik Kumar Viswanathan edited this page Aug 20, 2021 · 8 revisions

This document describes the implementation of a Sentinel integration, very similar to Chainkit's Splunk integration.

Overview

Azure Sentinel is basically: Connectors+Event Collection+Analytics. It’s a drop-in Microsoft replacement for Splunk.

Product Dos and Don'ts

Sentinel isn’t meant to be opened up. It ingests data, but does not allow plug-ins to query from it. Here is what Chainkit's current product matrix for Sentinel looks like, from a very high level:

The REDs are not yet open to third parties and will stay closed until Microsoft changes its support. YELLOW items are customization options. GREEN is supported by Chainkit today, out of the box.

For YELLOW, Chainkit uses the Activity Logs API in Azure to fetch data, as with Splunk. For closed-loop integrations, Sentinel does not yet seem to expose a Query API.

Capacity Planning Considerations:

  • What is your Data Source? Is it YELLOW, GREEN or RED?
  • How much Data per Second/Minute/Hour?

Logstash and Futures

Microsoft’s Sentinel Team published an Insider Threat update which Chainkit plans to support in a future release. But note the important point it mentions: 🙂
