Send Events to Microsoft Sentinel SIEM

Configure Agilicus AnyX to send events to Microsoft Sentinel.

Example: Send Events to Microsoft Sentinel

Agilicus AnyX supports sending auditing information to external systems. Configuring Microsoft Sentinel as one of those destinations is fairly straightforward. AnyX integrates with Sentinel using a Microsoft Codeless Connector Framework Push connector, which sets up an endpoint capable of ingesting events in your Sentinel workspace.

In this example, we will show how to deploy one of these connectors in Sentinel, and how to configure AnyX to send to it. You will deploy a template in Azure, and configure a destination in your admin portal.

Deploying in Azure

Log in to Azure, then open the template by clicking this link. Azure will fetch the deployment template from Agilicus. Follow these instructions to fill it in to create the connector in your workspace.

The deployment link will send you to the “Custom deployment” page in Azure. Choose the resource group in which you have your Sentinel workspace. Fill in the location you want the Push connector to run — ideally somewhere central to your AnyX connectors, and set the workspace to the name of the Sentinel workspace.

Click Review + Create to review the deployment, then create it. You will be moved to this page, which summarises the deployment.

Now navigate to your Sentinel instance, then to Configuration -> Data connectors. Hit Refresh if the Agilicus Anyx (Push) connector is not yet listed. Click on it, then click “Open connector page”.

From there, click “Deploy AnyX Push connector resources”. Click OK if it prompts about creating non-existent resources.

Once the deployment has finished, you will be provided with some information you will need to configure AnyX. Be sure to copy down the fields it provides, particularly the client secret; it will be removed if you navigate away. If need be, you can create a new one in the credentials section of the Application Registration created when the connector is deployed. It will be called “Agilicus AnyX Push Connector”.

Navigate to your AnyX admin portal, then to Organisation -> Audit Destinations.

Click “Add Destination”

Set the following parameters:

  • name: ms-sentinel
  • type: webhook
  • Location: <Audit Destination Location from Azure>
  • Authentication Type: OAuth2

Check off the types of logs you want to send.

Next, click Actions -> Manage Credentials on the new destination.

Enter the following information, then click Save.

  • Password: <Audit Destination Client Secret from Azure>
  • Token URL: <Audit Destination Token URL from Azure>
  • Scopes: <Audit Destination Scopes from Azure>

AnyX will start publishing records to Sentinel within a few minutes. To test connectivity, first generate some activity by accessing an AnyX resource such as a share. Then navigate to the “log analytics” link from the newly deployed connector in Azure.
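If you want to verify the copied values before waiting for AnyX to publish, the following added Python script (not Agilicus or Microsoft code) performs the same OAuth2 client-credentials exchange the destination uses and pushes one constructed record. It assumes the Audit Destination Location accepts a Bearer-authenticated JSON array of events, that the client ID comes from the “Agilicus AnyX Push Connector” app registration, and that the five values are supplied in ANYX_* environment variables (names chosen for this example) so the secret is not typed on the command line.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_send(req):
    """Default transport: returns (HTTP status, body bytes); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def token_request(token_url, client_id, client_secret, scopes):
    """OAuth2 client-credentials grant; the Scopes string from Azure is passed through unchanged."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scopes}).encode()
    return urllib.request.Request(token_url, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def push_request(location, token, events):
    """POST a JSON array of events to the Audit Destination Location with the Bearer token."""
    return urllib.request.Request(location, data=json.dumps(events).encode(), method="POST",
                                  headers={"Authorization": "Bearer " + token,
                                           "Content-Type": "application/json"})


def check_destination(cfg, send=http_send):
    """Fetch a token, push one constructed record, and report both outcomes.
    The result never contains the token or secret, so it is safe to log."""
    status, body = send(token_request(cfg["token_url"], cfg["client_id"],
                                      cfg["client_secret"], cfg["scopes"]))
    if status != 200:
        return {"token_ok": False, "token_status": status, "push_ok": False}
    token = json.loads(body)["access_token"]
    # Constructed test record: only the LogType column queried on this page is
    # mirrored; this is not the real AnyX event schema.
    event = {"LogType": "logs", "message": "anyx-sentinel connectivity check"}
    status, _ = send(push_request(cfg["location"], token, [event]))
    return {"token_ok": True, "token_status": 200,
            "push_ok": 200 <= status < 300, "push_status": status}


if __name__ == "__main__":
    import os  # assumed: ANYX_TOKEN_URL, ANYX_CLIENT_ID, ANYX_CLIENT_SECRET, ANYX_SCOPES, ANYX_LOCATION
    keys = ("token_url", "client_id", "client_secret", "scopes", "location")
    print(check_destination({k: os.environ["ANYX_" + k.upper()] for k in keys}))
```

A failed token step points at the client secret, token URL or scopes; a failed push with a good token points at the Location value or the connector deployment.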

To view details, click the + beside the “New Query” tab to open a new query. Select “KQL mode” instead of simple mode, then enter the following query and run it:

AgilicusUnifiedEvents_CL

This shows you all the events coming from Agilicus. To see only access logs, run

AgilicusUnifiedEvents_CL
| where LogType == "access"

To see only authorization logs, run

AgilicusUnifiedEvents_CL
| where LogType == "authorization"

To see only unstructured logs, run

AgilicusUnifiedEvents_CL
| where LogType == "logs"