| Attribute | Value |
|---|---|
| Connector ID | VectraStreamAma |
| Publisher | Vectra AI |
| Used in Solutions | Vectra AI Stream |
| Collection Method | AMA |
| Connector Definition Files | template_VectraStreamAma.json |
The Vectra AI Stream connector sends network metadata collected by Vectra sensors across the network and cloud to Microsoft Sentinel.
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| vectra_beacon_CL | ? | ✓ | ? |
| vectra_dcerpc_CL | ? | ✓ | ? |
| vectra_dhcp_CL | ? | ✓ | ? |
| vectra_dns_CL | ? | ✓ | ? |
| vectra_http_CL | ? | ✓ | ? |
| vectra_isession_CL | ? | ✓ | ? |
| vectra_kerberos_CL | ? | ✓ | ? |
| vectra_ldap_CL | ? | ✓ | ? |
| vectra_ntlm_CL | ? | ✓ | ? |
| vectra_radius_CL | ? | ✓ | ? |
| vectra_rdp_CL | ? | ✓ | ? |
| vectra_smbfiles_CL | ? | ✓ | ? |
| vectra_smbmapping_CL | ? | ✓ | ? |
| vectra_smtp_CL | ? | ✓ | ? |
| vectra_ssh_CL | ? | ✓ | ? |
| vectra_ssl_CL | ? | ✓ | ? |
| vectra_x509_CL | ? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Resource Provider Permissions:
- Workspace (Workspace): read and write permissions are required.
- Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.
Custom Permissions:
- Vectra AI Stream configuration: must be configured to export Stream metadata in JSON.
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
NOTE: This data connector depends on parsers based on a Kusto Function, which are deployed as part of the Microsoft Sentinel Solution, to work as expected.
IMPORTANT: The Vectra AI Stream connector is only available for Linux agents with syslog-ng. Make sure that syslog-ng is installed!
In the first part, we are going to create the custom tables required for this solution (using an ARM template). Then we are going to configure the Data Connector. Please proceed with these steps:
Step 1. Create custom tables in the Log Analytics workspace (ARM Template)
1. Click the Deploy to Azure button below.
2. Provide the required details such as the resource group and Microsoft Log Analytics Workspace (the workspace must exist!)
4. Click Review + Create to deploy.
Note: Once deployed, you should be able to see the custom tables in your Log Analytics workspace (Settings ---> Tables).
Step 2. Install the Syslog via AMA data connector
Note: This is only required if it has not been installed yet in Microsoft Sentinel.
1. Microsoft Sentinel workspace ---> Content Management ---> Content Hub.
2. Search for 'Syslog' (Provider is Microsoft) and select it.
3. Click the 'Install' button at the bottom of the right panel.
Step 3. Configure the Syslog via AMA data connector
Note: Two different Data Collection Rules (DCR) are going to be created during this step.
1. Navigate to Microsoft Sentinel workspace ---> Configuration ---> Data connectors.
2. Search for the 'Syslog via AMA' data connector and open it.
3. Check that there is no existing DCR configured to collect the required log facilities: LOG_USER/LOG_NOTICE and LOG_LOCAL0/LOG_NOTICE.
4. Create a first DCR (Data Collection Rule). Specify a name. Then, in the Resources tab, select the instance where AMA is going to run. In the Collect tab, select LOG_USER/LOG_NOTICE.
5. Create a second DCR. Specify a different name. Then, in the Resources tab, choose the same host. In the Collect tab, select LOG_LOCAL0/LOG_NOTICE.
Note: It is recommended to install AMA agent version 1.27 or later, and to ensure there is no duplicate DCR, as a duplicate DCR causes duplicated logs.
In the next section, we are going to modify the syslog-ng configuration that was created where the AMA is deployed. Then we are going to modify the DCR configuration so that the network metadata from Vectra Stream can be sent to the different custom tables. Please proceed with these steps:
Step 1. Modify the syslog-ng configuration
Note: A DCR cannot have more than 10 output flows. As this solution has 16 custom tables, the traffic has to be split across two DCRs using syslog-ng.
1. Download the modified syslog-ng configuration file: azuremonitoragent-tcp.conf.
2. Log into the instance where syslog-ng/AMA is running.
3. Browse to /etc/syslog-ng/conf.d/ and replace the content of the azuremonitoragent-tcp.conf file with the one that you just downloaded.
4. Save and restart syslog-ng (systemctl restart syslog-ng).
Step 2. Modify the Data Collection Rules configuration
Note: The Data Collection Rules that have been created are located in Azure Monitor (Monitor ---> Settings ---> Data Collection Rules).
1. Locate the 2 DCRs that you created in Microsoft Sentinel.
2. Open the first DCR, whose Syslog facility is LOG_USER. Then go to Automation ---> Export template ---> Deploy ---> Edit template.
3. Download the dataFlows configuration for LOG_USER DCR: Stream_DataFlows_dcr1.json and find/replace the destination placeholder '
2. Configure Vectra AI Stream
Configure the Vectra AI Brain to forward Stream metadata in JSON format to your Microsoft Sentinel workspace via AMA.
From the Vectra UI, navigate to Settings > Stream and edit the destination configuration:
3. Run the following command to validate (or set up) that syslog-ng is listening on port 514
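The following is an added example, not part of the connector documentation and not the command the page refers to: a small POSIX shell check that parses `ss -tulnH` output to confirm that something is bound to port 514 on the syslog-ng/AMA host. It assumes iproute2's `ss` is installed there; the sample `ss` output embedded in the script is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Vectra AI Stream connector documentation.
# Checks whether syslog-ng (or anything else) is listening on port 514 by
# parsing `ss -tulnH` output. Assumes iproute2's `ss` is installed on the
# host where syslog-ng and AMA run.

# Print only the lines of `ss -tulnH` output (read from stdin) whose local
# address column ends in ":514". Column layout with -H (no header line):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
syslog_listener_lines() {
  awk '$5 ~ /:514$/ { print }'
}

# Succeed (exit 0) when at least one TCP or UDP socket is bound to port 514
# in the `ss` output read from stdin; fail (exit 1) otherwise.
check_syslog_port() {
  n=$(syslog_listener_lines | awk 'END { print NR }')
  [ "$n" -gt 0 ]
}

# Constructed sample of `ss -tulnH` output, used to exercise the functions
# offline; the third line is an unrelated listener that must be ignored.
SAMPLE_SS_OUTPUT='udp   UNCONN 0      0          0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      4096       0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:28330     0.0.0.0:*'

# Live check on this host, only when `ss` is available.
if command -v ss >/dev/null 2>&1; then
  if ss -tulnH 2>/dev/null | check_syslog_port; then
    echo "a listener is bound to port 514"
  else
    echo "no listener on port 514: review /etc/syslog-ng/conf.d/azuremonitoragent-tcp.conf and run: systemctl restart syslog-ng"
  fi
fi
```

Run it on the host after restarting syslog-ng; an empty result from `syslog_listener_lines` means the Vectra sensors have nothing to deliver to, so the custom tables will stay empty regardless of how the DCRs are configured.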