If you have a special security program on your own computers that needs to send its alerts to Microsoft Sentinel, but Sentinel doesn't have a direct way to connect, what Azure tool can you use to build a custom way to get those alerts into Sentinel?
The Azure tool you can use to build a custom way to get alerts from your security program into Microsoft Sentinel when there is no direct connector is Azure Functions. Azure Functions is a serverless compute service that runs event-driven code without you having to provision or manage servers.

In this scenario, the on-premises security program is configured to send its alerts to an Azure Function via an HTTP POST request. That request fires the function's HTTP trigger, which executes the function's code. Inside the function you parse the incoming alert data and then use the Log Analytics Data Collector API to ingest it directly into your Microsoft Sentinel workspace.

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that collects security data from various sources, detects threats, and helps respond to incidents; its data is stored in a Log Analytics workspace. The Log Analytics Data Collector API is an HTTP REST API provided by Azure Monitor for sending custom log data to a Log Analytics workspace, which is the underlying data store for Sentinel.

This approach is a flexible and scalable solution for custom integrations: the Azure Function runs only when an alert triggers it, which keeps operational overhead and cost to a minimum.
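The flow described above, written out as an added example (this is not Microsoft's sample code and not part of the original answer): the body of an HTTP-triggered Azure Function that normalises an incoming alert, signs the request the way the Data Collector API requires (HMAC-SHA256 over the canonical `POST`/length/date/`/api/logs` string, using the workspace's base64 shared key), and POSTs it to the workspace's `ods.opinsights.azure.com` endpoint. The workspace ID and shared key are placeholders, the `CustomSecurityAlert` log type and the on-premises alert fields (`name`, `severity`, `host`, `description`, `timestamp`) are assumptions, and `handle_http_trigger` takes raw body bytes so it can be exercised offline; in a real Function App you would pass it `req.get_body()` from the `azure.functions.HttpRequest` object.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Placeholders: in a real Function App read these from app settings or Key Vault.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = "cGxhY2Vob2xkZXIta2V5"   # base64("placeholder-key"), constructed
LOG_TYPE = "CustomSecurityAlert"       # assumed; surfaces as CustomSecurityAlert_CL in Sentinel
API_VERSION = "2016-04-01"


def string_to_sign(content_length, rfc1123_date, resource="/api/logs"):
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{resource}"


def build_signature(workspace_id, shared_key, content_length, rfc1123_date):
    """Returns the Authorization header value: 'SharedKey <workspace>:<base64 HMAC-SHA256>'."""
    key = base64.b64decode(shared_key)   # the shared key is itself base64-encoded
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def normalise_alert(raw):
    """Map the assumed on-prem alert schema onto a flat record for Log Analytics."""
    return {
        "AlertName": raw.get("name", "unknown"),
        "Severity": str(raw.get("severity", "medium")).lower(),
        "SourceHost": raw.get("host", ""),
        "Description": raw.get("description", ""),
        "TimeGenerated": raw.get("timestamp")
        or datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }


def build_request(alerts, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, rfc1123_date=None):
    """Assemble (url, headers, body) without sending, so signing can be inspected offline."""
    body = json.dumps([normalise_alert(a) for a in alerts]).encode("utf-8")
    rfc1123_date = rfc1123_date or datetime.datetime.now(
        datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": LOG_TYPE,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "TimeGenerated",   # use the alert's own timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}"
    return url, headers, body


def post_to_log_analytics(alerts):
    """Send the batch; the API answers 200 when the records are accepted."""
    url, headers, body = build_request(alerts)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_http_trigger(body_bytes, send=post_to_log_analytics):
    """Function body. Rejects malformed input before anything reaches the workspace;
    `send` is injectable so the logic can be tested without a workspace."""
    try:
        payload = json.loads(body_bytes)
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not valid JSON"
    alerts = payload if isinstance(payload, list) else [payload]
    if not all(isinstance(a, dict) for a in alerts):
        return 400, "each alert must be a JSON object"
    status = send(alerts)
    if status != 200:
        return 502, f"Log Analytics returned {status}"
    return 200, f"{len(alerts)} alert(s) forwarded"


if __name__ == "__main__":
    # Constructed sample alert; printed rather than sent, since the key is a placeholder.
    sample = b'{"name": "Port scan", "severity": "HIGH", "host": "ws01"}'
    print(handle_http_trigger(sample, send=lambda alerts: 200))
```

Because the function's URL is itself an ingestion point, set the trigger's `authLevel` to `function` (or `admin`) in `function.json` so only clients holding the function key can submit alerts, and keep the workspace shared key out of source control. Note also that Microsoft has deprecated the Data Collector API in favour of the Logs Ingestion API with data collection rules; the shared-key signing shown here is the legacy scheme the answer refers to.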