Integrate with Microsoft Sentinel
In this topic, you will learn how to send Portnox™ Cloud alerts to the Microsoft Sentinel SIEM solution.
Create a Linux proxy virtual machine
The Microsoft Sentinel architecture needs a script running on a Linux machine, which collects alert data from Portnox™ Cloud and sends that data to Microsoft Sentinel. In this section, you will learn how to create and configure such a virtual machine in Microsoft Azure.
- Open the Azure Portal dashboard in your browser.
-
In the Azure services menu on your dashboard, click on the Create a
Resource option.
-
In the Marketplace pane, in the Search the Marketplace field, type
virtual machine and press the ↩ key. In the
Virtual machine tile below, click on the Create button and select
the Virtual machine option from the context menu.
-
In the Create a virtual machine pane, enter the details for your virtual machine and then
click on the Create button to create it.
Note: Select one of the available Linux images, for example, Ubuntu Server 20.04 LTS - x64 Gen2 and its parameters according to your business, access, and security needs. Since the parameters of the virtual machine greatly depend on your specific environment and needs, the guidance on these parameters is beyond the scope of this guide and you should treat the example below as a lab environment only.
-
In the virtual machine pane, note down the public IP assigned to this machine.
You will need this public IP to configure Portnox Cloud to send alerts to the virtual machine.
-
Create a port rule to open port 514.
This is the standard port number used by the Sentinel collector script running on the Linux virtual machine to collect alerts from external sources such as Portnox Cloud. The virtual machine must be able to accept information from Portnox Cloud on this port.
-
Prepare the virtual machine for Microsoft Sentinel.
Configure Microsoft Sentinel
In this section, you will learn how to add a connector to Microsoft Sentinel, which collects alert information from the Linux virtual machine.
-
In the Azure Portal dashboard, in the Search resources, services, and docs field, type
sentinel and then click on the Microsoft Sentinel option
below.
-
In the Microsoft Sentinel pane, select your Sentinel workspace.
Note: We assume that you already have a Sentinel workspace that you want to integrate with Portnox Cloud. If not, please follow Microsoft documentation to create a new Sentinel workspace.
-
In the left-hand side menu of your Sentinel workspace pane, click on the Data connectors
option.
-
In the Data connectors pane, in the Getting started section, click on
the Go to content hub button.
Note: If you already have other connectors in your workspace, the Getting started section is not visible. Then, click on the More content at Content hub link on the right-hand side of the top bar.
-
In the Content hub pane, in the Search field, type common
event format, activate the checkbox next to the Common Event Format entry,
and then click on the Install button.
-
Refresh your Sentinel workspace pane, click on the ... link next to the Common
Event Format (CEF) via Legacy Agent entry, and then click on the Open connector
page button.
-
In the Common Event Format (CEF) via Legacy Agent pane, scroll down to section 1.2 of the
instructions and click on the ⧉ icon to copy the command to install the CEF
collector.
- Paste and run the command in the SSH window that you opened in the previous section of this topic.
-
In the Common Event Format (CEF) via Legacy Agent pane, scroll down to section 3.0 of the
instructions and click on the ⧉ icon to copy the command to validate the
connection between the CEF collector and Sentinel.
- Paste and run the command in the SSH window that you opened in the previous section of this topic. Then, close the SSH connection.
Configure Portnox Cloud
In this section, you will learn how to configure Portnox™ Cloud to send alert data to the Linux virtual machine so that the data can be collected by Microsoft Sentinel.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand menu, click on the
option.
-
Create a new SIEM integration with Microsoft Sentinel via the virtual machine proxy.
- Optional:
To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.
You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Activity log switch, and click on the Save button.
, activate the
Result: Microsoft Sentinel is receiving alerts from Portnox Cloud.
You can confirm that in the Data section in the Microsoft Sentinel Overview pane.