TELEMETRY PIPELINE
Azure Sentinel

Azure Sentinel destination plugin

The Azure Sentinel destination plugin lets you configure Chronosphere Telemetry Pipeline to send security-related logs and events to Azure Sentinel.

Supported telemetry types

This plugin supports these telemetry types:

LogsMetricsTraces

Configuration parameters

Use the parameters in this section to configure your plugin. The Telemetry Pipeline web interface uses the values in the Name column to describe the parameters. Items in the Key column are the YAML keys to use in pipeline configuration files.

Required

NameKeyDescriptionDefault
Customer / Workspace IDcustomer_idRequired. Customer ID or WorkspaceID string.none
Client Authentication Keyshared_keyRequired. The primary or the secondary Connected Sources client authentication key.none

Advanced

NameKeyDescriptionDefault
Event Type Namelog_typeThe name of the event type.fluentbit
Time Keytime_keyOptional parameter to specify the key name where the timestamp is stored.@timestamp
Enable Time Generatedtime_generatedIf true, the HTTP request header time-generated-field is included so Azure can override the timestamp with the key specified by the time_key option. Accepted values: true, false.false

Security and TLS

NameKeyDescriptionDefault
TLStlsEnable or disable TLS/SSL support. Accepted values: true, false.false
TLS Certificate Validationtls.verifyEnable or disable TLS/SSL certificate validation. TLS must be enabled for certificates to be validated. Accepted values: off, on.on
TLS Debug Leveltls.debugSet TLS debug verbosity level. Accepted values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose).1
CA Certificate File Pathtls.ca_fileAbsolute path to CA certificate file.none
Certificate File Pathtls.crt_fileAbsolute path to certificate file.none
Private Key File Pathtls.key_fileAbsolute path to private key file.none
Private Key Path Passwordtls.key_passwdPassword for private key file.none
TLS SNI Hostname Extensiontls.vhostHostname to be used for TLS SNI extension.none

Advanced Networking

NameKeyDescriptionDefault
DNS Modenet.dns.modeSelect the primary DNS connection type, which can be TCP or UDP.none
DNS Resolvernet.dns.resolverSelect the primary DNS connection type, which can be LEGACY or ASYNC.none
Prefer IPv4net.dns.prefer_ipv4Prioritize IPv4 DNS results when trying to establish a connection. Accepted values: true, false.false
Keepalivenet.keepaliveEnable or disable Keepalive support. Accepted values: true, false.true
Keepalive Idle Timeoutnet.keepalive_idle_timeoutSet maximum time allowed for an idle Keepalive connection.30s
Max Connect Timeoutnet.connect_timeoutSet maximum time allowed to establish a connection, which includes the TLS handshake.10s
Max Connect Timeout Log Errornet.connect_timeout_log_errorOn connection timeout, specify if it should log an error. When disabled, the timeout is logged as a debug message. Accepted values: true, false.true
Max Keepalive Recyclenet.keepalive_max_recycleSet maximum number of times a keepalive connection can be used before it's retired.2000
Source Addressnet.source_addressSpecify network address to bind for data traffic.none