Azure Sentinel Integration
You can send your Flare alerts directly to your Azure Sentinel instance. Here is how to configure Flare and receive the data in your Sentinel workspace.

Note: this documentation simplifies the steps from the Microsoft documentation: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal

Entra ID Setup

App Registration

The first step is to create an app registration. It is used to authenticate against the Sentinel API using the client credential grant flow. You can reuse the app registration already set up with Flare for this step; if you are, skip to step 3.

1. Create a new app registration and give it a name. A URI is not required.
2. Write down the Application ID and the Tenant ID.
3. Under Manage, select Certificates & secrets and then New client secret. Note the secret value.

Log Analytics Workspace

Within the Log Analytics workspace, we need to create a new table and add the associated schema so that Flare events are parsed properly.

1. Go to the Log Analytics workspace associated with your Sentinel instance.
2. Select Tables, and create a New custom log (Direct ingestion).
3. Add a name, leave the table plan as Analytics, create a new data collection rule, and finally select the appropriate data collection endpoint.
4. Under Schema, upload the following schema:

    [
      {
        "timestamp": "2023-12-01T10:30:00Z",
        "event_type": "leak",
        "source": "test_source",
        "id": "test_id",
        "event_title": "test title",
        "content_preview": ["test content preview", "patate"],
        "highlights": "{\"description\": [\"test highlight\"]}",
        "risk": { "score": 3 },
        "tags": [],
        "uid": "leak/test_source/test_id",
        "source_name": "test_source",
        "external_url": "https://example.com",
        "identifiers": [
          { "id": 1, "name": "test identifier", "group": { "name": "test group" }, "type": "domain" }
        ],
        "actor": "test actor"
      },
      {
        "timestamp": "2023-12-01T10:30:00Z",
        "event_type": "leak",
        "source": "test_source",
        "id": "test_id",
        "event_title": "test title",
        "content_preview": ["test content preview", "patate"],
        "highlights": "{\"content\": [\"another\", \"highlight\"]}",
        "risk": { "score": 3 },
        "tags": [],
        "uid": "leak/test_source/test_id",
        "source_name": "test_source",
        "external_url": "https://example.com",
        "identifiers": [
          { "id": 1, "name": "test identifier", "group": { "name": "test group" }, "type": "domain" }
        ],
        "actor": "test actor"
      }
    ]

5. Select Transformation editor, enter the following command and press Apply:

    source | extend TimeGenerated = todatetime(timestamp)

6. Finish the creation of the table. Take note of the table name (_CL is appended to the name) and of the associated data collection rule ID (it starts with dcr-). Please note that it could take up to 1 hour for the table to appear in Sentinel.
7. Craft the URL to input into Flare with the following format:

    <data collection endpoint>/dataCollectionRules/<data collection rule id>/streams/Custom-<table name>?api-version=2023-01-01

Assign Permissions to the Data Collection Rule

1. Select the data collection rule that was just created, press the three dots and then Access control (IAM).
2. Add a role assignment.
3. Select Monitoring Metrics Publisher and then Next.
4. Under Members, add the application that was created in a previous step and press Review + assign.

Flare Setup

Alerts Page

Ensure all Entra ID steps have been completed.

1. Within the Alerts page, select Create channel.
2. Enter a name and, under Type, select Azure Sentinel.
3. Fill out the information you noted during the Entra ID setup.
4. Press Test channel to confirm everything is working as expected.
5. Finalize the configuration by selecting Create channel.
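The following script is an added example and not Flare's or Microsoft's code. It ties together the three things the procedure above asks you to get right before pressing Test channel: it checks an alert event against the custom-table schema (fields the table does not define are dropped at ingestion, and a wrong type for risk.score or a non-JSON highlights string will not parse), it mirrors the DCR transformation `source | extend TimeGenerated = todatetime(timestamp)` so you can see what the new column will hold, and it composes the ingestion URL from the endpoint, DCR ID and table name you noted, rejecting values that do not have the documented shape. The endpoint host, DCR ID and table name in the block are constructed placeholders, and the assumption that a logs ingestion data collection endpoint host ends in .ingest.monitor.azure.com is the script's own.

```python
"""Pre-flight checks for the Flare -> Sentinel custom table setup.

Added example, not Flare's or Microsoft's code. Endpoint, DCR id and table
name used below are constructed placeholders.
"""
import json
import re
from datetime import datetime, timezone

# Expected type of each column, taken from the sample schema uploaded to the table.
SCHEMA = {
    "timestamp": str, "event_type": str, "source": str, "id": str,
    "event_title": str, "content_preview": list, "highlights": str,
    "risk": dict, "tags": list, "uid": str, "source_name": str,
    "external_url": str, "identifiers": list, "actor": str,
}

# Constructed sample event in the documented shape.
SAMPLE_EVENT = {
    "timestamp": "2023-12-01T10:30:00Z",
    "event_type": "leak",
    "source": "test_source",
    "id": "test_id",
    "event_title": "test title",
    "content_preview": ["test content preview", "patate"],
    "highlights": json.dumps({"description": ["test highlight"]}),
    "risk": {"score": 3},
    "tags": [],
    "uid": "leak/test_source/test_id",
    "source_name": "test_source",
    "external_url": "https://example.com",
    "identifiers": [{"id": 1, "name": "test identifier",
                     "group": {"name": "test group"}, "type": "domain"}],
    "actor": "test actor",
}


def validate_event(event):
    """Return a list of schema problems; an empty list means the event matches."""
    problems = []
    for field, expected in SCHEMA.items():
        if field not in event:
            problems.append(f"missing field: {field}")
        elif not isinstance(event[field], expected):
            problems.append(f"{field}: expected {expected.__name__}, "
                            f"got {type(event[field]).__name__}")
    # Columns that are not part of the table definition are dropped at ingestion.
    for extra in sorted(set(event) - set(SCHEMA)):
        problems.append(f"unexpected field: {extra}")
    risk = event.get("risk")
    if isinstance(risk, dict) and not isinstance(risk.get("score"), int):
        problems.append("risk.score: expected int")
    if isinstance(event.get("highlights"), str):
        try:
            json.loads(event["highlights"])
        except ValueError:
            problems.append("highlights: not a JSON-encoded string")
    return problems


def transform(event):
    """Mirror the transformation KQL: add TimeGenerated parsed from `timestamp` as UTC."""
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    return {**event, "TimeGenerated": ts.astimezone(timezone.utc).isoformat()}


def build_ingestion_url(endpoint, dcr_id, table_name):
    """Compose <DCE>/dataCollectionRules/<DCR id>/streams/Custom-<table>?api-version=2023-01-01."""
    endpoint = endpoint.rstrip("/")
    # Assumption: a logs ingestion data collection endpoint host ends in .ingest.monitor.azure.com.
    if not re.fullmatch(r"https://[A-Za-z0-9.-]+\.ingest\.monitor\.azure\.com", endpoint):
        raise ValueError(f"not a data collection endpoint URL: {endpoint}")
    if not dcr_id.startswith("dcr-"):
        raise ValueError("data collection rule id should start with dcr-")
    if not table_name.endswith("_CL"):
        raise ValueError("custom table name should end with _CL")
    return (f"{endpoint}/dataCollectionRules/{dcr_id}"
            f"/streams/Custom-{table_name}?api-version=2023-01-01")


if __name__ == "__main__":
    print("schema problems:", validate_event(SAMPLE_EVENT))
    print("TimeGenerated:", transform(SAMPLE_EVENT)["TimeGenerated"])
    # Placeholder endpoint, DCR id and table name (constructed, not real resources).
    print(build_ingestion_url("https://flare-dce-example.eastus-1.ingest.monitor.azure.com",
                              "dcr-00000000000000000000000000000000", "FlareAlerts_CL"))
```

Run validate_event on the alerts you expect to receive before the test channel call; a non-empty list tells you which column of the table definition does not match, which is far easier than reading an ingestion error from the Sentinel side.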