⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
| Attribute | Value |
|---|---|
| Connector ID | Tenable.ad |
| Publisher | Tenable |
| Used in Solutions | TenableAD |
| Collection Method | MMA |
| Connector Definition Files | Tenable.ad.json |
The Tenable.ad connector allows you to export Tenable.ad Indicators of Exposure, Trailflow and Indicators of Attack logs to Azure Sentinel in real time.
It provides a data parser to manipulate the logs more easily. The workbooks ease your Active Directory monitoring and provide different ways to visualize the data. The analytic templates allow you to automate responses to different events, exposures, or attacks.
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| Tenable_IE_CL | ? | ✓ | ? |
| Tenable_ad_CL | ? | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Resource Provider Permissions:
- Workspace (Workspace): read and write permissions are required.
- Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.

Custom Permissions:
- Access to Tenable.ad Configuration: permissions to configure the syslog alerting engine.
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
This data connector depends on a parser based on a Kusto Function to work as expected. Follow these steps to create the Kusto Function alias, afad_parser.
1. Configure the Syslog server
You will first need a Linux Syslog server that Tenable.ad will send logs to. Typically you can run rsyslog on Ubuntu. You can then configure this server as you wish, but it is recommended to write the Tenable.ad logs to a separate file.
Configure rsyslog to accept logs from your Tenable.ad IP address:

```shell
sudo -i
# Set the Tenable.ad source IP address (replace the placeholder with the
# address Tenable.ad sends syslog from)
export TENABLE_AD_IP={Enter your IP address}
# Create the rsyslog configuration file. The heredoc is unquoted so that
# $TENABLE_AD_IP expands; rsyslog's own $-directives are escaped with \$
# so the shell leaves them as literal text.
cat > /etc/rsyslog.d/80-tenable.conf << EOF
\$ModLoad imudp
\$UDPServerRun 514
\$ModLoad imtcp
\$InputTCPServerRun 514
# Only accept messages from localhost and the Tenable.ad address
\$AllowedSender TCP, 127.0.0.1, $TENABLE_AD_IP
\$AllowedSender UDP, 127.0.0.1, $TENABLE_AD_IP
# Line format written to disk: rfc3339 timestamp, host, program[pid]: message
\$template MsgTemplate,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %programname%[%procid%]:%msg%\n"
# One file per program name, so Tenable.ad logs land in /var/log/Tenable.ad.log
\$template remote-incoming-logs, "/var/log/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs;MsgTemplate
EOF
# Restart rsyslog to apply the new configuration
systemctl restart rsyslog
```
2. Install and onboard the Microsoft agent for Linux
The OMS agent will receive the Tenable.ad syslog events and publish them to Sentinel. Choose where to install the agent:
- Install agent on Azure Linux Virtual Machine: select the machine to install the agent on and then click Connect (link: Install agent on Linux Virtual Machine).
- Install agent on a non-Azure Linux Machine: download the agent on the relevant machine and follow the instructions (link: Install agent on Linux (Non-Azure)).
3. Check agent logs on the Syslog server
```shell
tail -f /var/opt/microsoft/omsagent/log/omsagent.log
```
4. Configure Tenable.ad to send logs to your Syslog server
On your Tenable.ad portal, go to System, Configuration and then Syslog. From there you can create a new Syslog alert that targets your Syslog server.
Once this is done, check that the logs are correctly gathered on your server in a separate file (to do this, you can use the Test the configuration button in the Syslog alert configuration in Tenable.ad). If you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.
5. Configure the custom logs
Configure the agent to collect the logs from /var/log/Tenable.ad.log. If you have a Tenable.ad version earlier than 3.1.0, you must also add the Linux file location /var/log/AlsidForAD.log.
6. Enjoy!
You should now be able to receive logs in the Tenable_ad_CL table. The log data can be parsed using the afad_parser() function, which is used by all query samples, workbooks and analytic templates.
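As an added illustration (this is not code from the connector, from Tenable, or from the Sentinel solution), the following Python script checks that lines written by the rsyslog MsgTemplate from step 1 have the shape the rest of the pipeline expects before the agent forwards the file: an RFC 3339 timestamp, a hostname, a program name with a bracketed process ID, and the message body. The sample lines, hostname, process IDs and message bodies are constructed, and the function names (parse_line, audit_file_lines) are the example's own. It also flags program names other than the two the steps above mention, Tenable.ad and AlsidForAD, which would indicate the alert is arriving under an unexpected name and landing in a different file.

```python
"""Validate lines written by the rsyslog MsgTemplate from step 1.

Added example with constructed input; not part of the Tenable.ad connector.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Line shape produced by MsgTemplate:
#   %TIMESTAMP:::date-rfc3339% %HOSTNAME% %programname%[%procid%]:%msg%
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s\[]+)\[(?P<pid>[^\]]*)\]:(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the template fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        # rsyslog's date-rfc3339 output is in the offset form fromisoformat accepts.
        datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = m.groupdict()
    # rsyslog's %msg% property keeps the leading space after the colon.
    fields["msg"] = fields["msg"].lstrip()
    return fields


def audit_file_lines(
    lines: List[str], expected_programs=("Tenable.ad", "AlsidForAD")
) -> Dict[str, object]:
    """Summarise how many lines match the template and which program names appear.

    Lines that do not match would reach the Tenable_ad_CL table as raw text
    without the fields afad_parser() relies on, so they are counted and returned.
    """
    per_program: Counter = Counter()
    rejected: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
            continue
        per_program[rec["prog"]] += 1
    unexpected = sorted(p for p in per_program if p not in expected_programs)
    return {
        "parsed": sum(per_program.values()),
        "rejected": rejected,
        "per_program": dict(per_program),
        "unexpected_programs": unexpected,
    }


# Constructed sample lines in the MsgTemplate shape. The hostname, process IDs
# and message bodies are made up and are not real Tenable.ad output.
SAMPLE_LINES = [
    "2024-03-05T10:15:30+00:00 syslog01 Tenable.ad[2211]: constructed alert body 1",
    "2024-03-05T10:15:31+00:00 syslog01 Tenable.ad[2211]: constructed alert body 2",
    "2024-03-05T10:15:32+00:00 syslog01 AlsidForAD[-]: constructed pre-3.1.0 style line",
    # Month 13 is not a valid RFC 3339 timestamp, so this line must be rejected.
    "2024-13-05T10:15:33+00:00 syslog01 Tenable.ad[2211]: bad timestamp, should be rejected",
]

if __name__ == "__main__":
    import json
    # To audit the real file, replace SAMPLE_LINES with open("/var/log/Tenable.ad.log").readlines()
    print(json.dumps(audit_file_lines(SAMPLE_LINES), indent=2))
```

Running it against the lines of /var/log/Tenable.ad.log (and /var/log/AlsidForAD.log on older versions) is a quick way to confirm the output of step 1 before moving on to the agent configuration: a non-empty rejected list points at a template mistake, and an unexpected program name means the Syslog alert from step 4 is being written under a different file name than the agent has been told to collect.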