Cohesity
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
| Attribute | Value |
|---|---|
| Connector ID | CohesityDataConnector |
| Publisher | Cohesity |
| Used in Solutions | CohesitySecurity |
| Collection Method | Azure Function |
| Connector Definition Files | Cohesity_API_FunctionApp.json |
| Ingestion API | HTTP Data Collector API — Connector definition requires workspace key (SharedKey pattern) |
The Cohesity function apps provide the ability to ingest Cohesity Datahawk ransomware alerts into Microsoft Sentinel.
Tables Ingested
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
Cohesity_CL |
? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Permissions
Resource Provider Permissions: - Workspace (Workspace): read and write permissions on the workspace are required. - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.
Custom Permissions: - Microsoft.Web/sites permissions: Read and write permissions to Azure Functions to create a Function App is required. See the documentation to learn more about Azure Functions. - Azure Blob Storage connection string and container name: Azure Blob Storage connection string and container name
Setup Instructions
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
NOTE: This connector uses Azure Functions that connect to the Azure Blob Storage and KeyVault. This might result in additional costs. Check the Azure Functions pricing page, Azure Blob Storage pricing page and Azure KeyVault pricing page for details.
(Optional Step) Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.
STEP 1 - Get a Cohesity DataHawk API key (see troubleshooting instruction 1)
STEP 2 - Register Azure app (link) and save Application (client) ID, Directory (tenant) ID, and Secret Value (instructions). Grant it Azure Storage (user_impersonation) permission. Also, assign the 'Microsoft Sentinel Contributor' role to the application in the appropriate subscription.
STEP 3 - Deploy the connector and the associated Azure Functions.
4. Azure Resource Manager (ARM) Template
Use this method for automated deployment of the Cohesity data connector using an ARM Template.
-
Click the Deploy to Azure button below.
2. Select the preferred Subscription, Resource Group and Location. 3. Enter the parameters that you created at the previous steps 4. Mark the checkbox labeled I agree to the terms and conditions stated above. 5. Click Purchase to deploy.
Additional Documentation
📄 Source: CohesitySecurity\Data Connectors\Helios2Sentinel\readme.md
Azure Functions
This solution uses Microsoft Azure functions requires to receive alerts and create Microsoft Sentinel incidents. You have to deploy the Azure functions. Before deployment, please make sure that all prerequisites are done correctly.
Prerequisites
- (Recommendation) Get access to Visual Studio or Visual Studio Code in case later you decide to change the code for your environment.
- Install dotnet core.
- Install azure-cli.
- Install azure-functions-core-tools.
Deployment
Click on the "Deploy to Azure" button to deploy the Azure functions. This step directs you to deploy an ARM Template wizard.
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊