Sentinel Integration
This guide replaces the previous Azure Sentinel integration. The new Codeless Connector Framework (CCF) integration offers a streamlined, "click to deploy" experience available directly within the Microsoft Sentinel Content Hub. This update significantly reduces the manual configuration required to ingest Flare events into Azure. The CCF enables partners and developers to create robust, custom connectors for seamless data ingestion into Microsoft Sentinel.

Please note: if you are currently using the Flare connector, this integration will create a second table within Sentinel. It is recommended to sunset the older connector and migrate to this one.

Azure Sentinel Setup

Install Flare via the Content Hub

The first step is to install the Flare solution and deploy the codeless connector. This connector automatically receives Flare events and transforms them into queryable logs within Sentinel.

1. Navigate to Microsoft Sentinel > Content management > Content hub.
2. Search for "Flare" in the search bar.
3. Select the Flare solution and click Install. Deployment typically takes a few seconds.
4. Once installed, click Manage.
5. Select Flare Push Connector and click Open connector page.

Deploy Custom Resources

1. On the connector page, select Deploy custom resources and accept the confirmation prompt.
2. Once the deployment is complete, several configuration fields will automatically be populated. Keep this page open, as you will need these values to link Flare to Azure Sentinel.

Flare Setup

Set up the Integration Channel

1. In the Flare platform, navigate to Configure > Integrations and select Create channel.
2. In the modal, select Azure Sentinel from the dropdown menu.
3. Copy the values from the Sentinel connector page into the corresponding fields.

Verify and Finalize

1. Press Test channel to verify the connection.
2. Once the test is successful, click Create channel to finalize the integration.

Flare Solution Features

The Flare solution includes pre-packaged analytic rules and workbooks to help you monitor and visualize your data. They must be manually deployed through Azure Sentinel.

Note on initial setup: analytic rules and workbooks will likely display error messages until the connector receives its first set of data. These components will remain inactive on fresh instances until data ingestion begins.

Analytic Rules

Analytic rules enable automated alerting based on Kusto Query Language (KQL). These rules help you identify specific security threats as they appear in your logs. They can be configured from Azure Sentinel > Configuration > Analytics > Rule templates.

Workbooks

Workbooks provide interactive data visualizations for Flare events directly within the Sentinel dashboard. They are located in Azure Sentinel > Threat management > Workbooks > Templates. Flare includes three basic workbooks: Firework Logs by Risk Score, Sources of All Documents Collected, and Total Leaked Credentials Received.

Firework Logs by Risk Score: this chart displays log activity sourced from Flare over the past 30 days, broken down by risk score level. Each line represents a distinct risk score category.

Sources of All Documents Collected: this section displays the origin of all threat intelligence documents ingested over the past 30 days, broken down by source.

Total Leaked Credentials Received: this section is deprecated and will be removed in the next release. It displays a time series of credential leak events.

Flare Solution Schema

To understand how Flare data is structured, or to build your own custom queries, you can inspect the data model using the following KQL command in the Logs interface, accessible under Azure Sentinel > Logs:

FireworkV2_CL | getschema

For reference, here is the latest schema:

[schema table]
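The note on initial setup above says the packaged analytic rules and workbooks stay inactive until the connector has delivered its first events, and the schema section above shows how to inspect the table once it exists. The following KQL query is an added example, not part of the Flare solution or Microsoft's content, for checking from Azure Sentinel > Logs whether events are actually arriving before you rely on those rules. It assumes the custom log table is named FireworkV2_CL (the name from the getschema command above, with its standard `_CL` suffix) and deliberately uses only the built-in TimeGenerated column, since the per-column schema is not reproduced on this page.

```kql
// Added example (not Flare's or Microsoft's code): report whether the
// Flare CCF connector is delivering events into the custom table.
// Assumption: the table is FireworkV2_CL; only TimeGenerated is used,
// which every Log Analytics table has regardless of schema.
let lookback   = 30d;   // matches the 30-day window the packaged workbooks use
let staleAfter = 24h;   // how long without events before we call the feed stale
FireworkV2_CL
| where TimeGenerated > ago(lookback)
| summarize
    EventCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
| extend HoursSinceLastEvent = datetime_diff('hour', now(), LastSeen)
| extend IngestionStatus = case(
    EventCount == 0,          "no data yet: analytic rules and workbooks will show errors until first ingestion",
    LastSeen < ago(staleAfter), "stale: re-run Test channel under Configure > Integrations in Flare",
                              "healthy")
| project IngestionStatus, EventCount, FirstSeen, LastSeen, HoursSinceLastEvent
```

Because summarize with no by-clause returns a single row even on an empty table, the query always yields exactly one status row; an EventCount of 0 confirms the "fresh instance" condition the note describes rather than a query error. If you are migrating from the older connector, run the same query against the old table as well (its name is not given on this page) to confirm the new table has caught up before sunsetting the old one.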