Send Oracle Cloud Infrastructure logs to Microsoft Azure Sentinel using OCI Streaming service

Introduction

Oracle Observability and Management platform services enable customers to monitor, analyze, and manage multicloud applications and infrastructure environments with full-stack visibility, prebuilt analytics, and automation. The Oracle Cloud Infrastructure Streaming service provides a fully managed, scalable, and durable solution for ingesting and consuming high-volume data streams in real-time. Streaming data is encrypted both at rest and in transit.

Microsoft Azure Sentinel is a cloud-native security information and event management (SIEM) platform provided by Microsoft Azure. In this tutorial, we will go through the process of transferring OCI Audit logs to Microsoft Azure Sentinel using the Oracle Cloud Infrastructure Streaming (OCI Streaming) service.

Objective

Transfer OCI Audit logs to Microsoft Azure Sentinel using the OCI Streaming service.

Prerequisites

Task 1: Generate an API Signing Key on OCI

The API public/private key pair can be generated using the OCI console. If you already have a key pair, you can upload the public key.

Task 2: Create a Stream on OCI

  1. To create a Stream, from the OCI home page, navigate to Analytics & AI, Messaging, Streaming.

  2. Click Stream Pools and create a public Stream pool. For encryption, you can either use Oracle managed keys or choose a key from a vault you have access to.

  3. Click Streams, Create Stream. Specify the required compartment details. Select the Stream pool created in Step 2. The Stream settings can be left at their default values.

Task 3: Create a Service Connector Hub on OCI

The OCI Service Connector Hub transfers data between services within OCI. We will create a Service Connector that moves Audit logs from the OCI Logging service to OCI Streaming.

  1. Click on the Navigation menu and select Observability & Management, Logging, Service connector, Create service connector.

  2. Provide the required details. The source should be “Logging” and the target should be “Streaming”.

  3. Select Audit as the log group.

    Note: For the scope of this tutorial, we are only sending Audit logs to Sentinel. Audit logs are by default enabled in every compartment. If other OCI service logs or custom logs need to be transferred, refer to the OCI Logging documentation for the process to enable and use them.

  4. You can optionally provide a log filter to send only selected log types.

  5. Under Configure target, select the stream created in Task 2.

  6. Create the default policies that appear on the screen and click Create.

The service connector and stream on OCI are ready. Next we will configure Azure Sentinel to pull logs from this stream.
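As an added example (not part of this tutorial or of the Sentinel connector code), the following Python shows what a consumer of the stream has to do with the records the service connector delivers: decode the base64 message value that the Streaming GetMessages API returns, check that each Audit event carries the fields a SIEM needs to attribute the action, and keep only selected event types, which is the same idea as the optional log filter in step 4. The sample events are constructed and follow the OCI Audit log v2.0 field names; the OCIDs, addresses and offsets are placeholders.

```python
"""Decode, validate and filter OCI Audit events read from an OCI stream.

Added example: the events below are constructed (placeholder OCIDs and
documentation-range IPs); field names follow the OCI Audit log v2.0 schema.
"""
import base64
import json

# Constructed sample events, one identity event and one compute read.
SAMPLE_EVENTS = [
    {
        "type": "com.oraclecloud.identitycontrolplane.createuser",
        "source": "IdentityControlPlane",
        "id": "event-0001",  # constructed
        "time": "2024-01-15T10:20:30.000Z",
        "specversion": "1.0",
        "oracle": {"tenantId": "ocid1.tenancy.oc1..placeholder",
                   "compartmentId": "ocid1.compartment.oc1..placeholder"},
        "data": {
            "eventName": "CreateUser",
            "compartmentName": "security",
            "resourceName": "svc-sentinel",
            "identity": {"principalName": "admin@example.com",
                         "authType": "natv",
                         "ipAddress": "203.0.113.10"},
            "response": {"status": "200"},
        },
    },
    {
        "type": "com.oraclecloud.computeapi.getinstance",
        "source": "ComputeApi",
        "id": "event-0002",  # constructed
        "time": "2024-01-15T10:21:00.000Z",
        "specversion": "1.0",
        "oracle": {"tenantId": "ocid1.tenancy.oc1..placeholder",
                   "compartmentId": "ocid1.compartment.oc1..placeholder"},
        "data": {
            "eventName": "GetInstance",
            "compartmentName": "prod",
            "resourceName": "web-01",
            "identity": {"principalName": "ops@example.com",
                         "authType": "natv",
                         "ipAddress": "203.0.113.20"},
            "response": {"status": "200"},
        },
    },
]

# Fields without which an event cannot be attributed to a tenancy and action.
REQUIRED_FIELDS = ("type", "time", "oracle.tenantId", "data.eventName")


def encode_stream_message(event, offset):
    """Wrap an event the way a GetMessages response carries it: the message
    'value' is the base64-encoded JSON record (key and offset constructed)."""
    raw = json.dumps(event).encode("utf-8")
    return {"key": None, "value": base64.b64encode(raw).decode("ascii"), "offset": offset}


def _lookup(record, dotted):
    """Resolve a dotted path such as 'data.identity.ipAddress'; None if absent."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def decode_audit_event(message):
    """Decode one stream message; reject undecodable or incomplete records."""
    try:
        event = json.loads(base64.b64decode(message["value"]))
    except (KeyError, TypeError, ValueError) as exc:  # missing/bad base64 or JSON
        raise ValueError(f"undecodable message at offset {message.get('offset')}: {exc}")
    missing = [f for f in REQUIRED_FIELDS if _lookup(event, f) is None]
    if missing:
        raise ValueError(f"audit event missing fields {missing}")
    return event


def normalize(event):
    """Flatten the fields an analyst usually pivots on into one flat record."""
    return {
        "time": event["time"],
        "event_type": event["type"],
        "event_name": _lookup(event, "data.eventName"),
        "tenant_id": _lookup(event, "oracle.tenantId"),
        "compartment": _lookup(event, "data.compartmentName"),
        "resource": _lookup(event, "data.resourceName"),
        "principal": _lookup(event, "data.identity.principalName"),
        "source_ip": _lookup(event, "data.identity.ipAddress"),
        "status": _lookup(event, "data.response.status"),
    }


def select_events(messages, type_prefixes):
    """Keep events whose type starts with one of the prefixes (case-insensitive),
    mirroring a 'selected log types' filter. Returns (kept records, errors)."""
    kept, errors = [], []
    prefixes = tuple(p.lower() for p in type_prefixes)
    for msg in messages:
        try:
            event = decode_audit_event(msg)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if str(event["type"]).lower().startswith(prefixes):
            kept.append(normalize(event))
    return kept, errors


def demo():
    """Two good records plus one constructed non-JSON record to show the error path."""
    messages = [encode_stream_message(e, i) for i, e in enumerate(SAMPLE_EVENTS)]
    messages.append({"key": None, "value": base64.b64encode(b"not json").decode(), "offset": 2})
    return select_events(messages, ("com.oraclecloud.identitycontrolplane.",))


if __name__ == "__main__":
    kept, errors = demo()
    for rec in kept:
        print(rec)
    for err in errors:
        print("skipped:", err)
```

Malformed records are reported rather than silently dropped; in a real consumer that count is worth alerting on, because a sudden rise in undecodable messages usually means a schema or connector change upstream rather than an attack.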

Task 4: Enable Microsoft Sentinel and install OCI solution from content hub

  1. The first step is to add Microsoft Sentinel to an existing workspace or create a new one. Refer to the Sentinel quickstart documentation for prerequisites and permissions.

  2. Sign in to the Azure portal.

  3. Search for and select Microsoft Sentinel, select Add, select the workspace, and then select Add Microsoft Sentinel.

  4. In Sentinel, select Content hub. Search for Oracle Cloud Infrastructure solution and click Install.

Task 5: Set up the data connector: Oracle Cloud Infrastructure (using Azure Functions)

  1. Once the OCI solution is installed, click Manage.

  2. Select the data connector Oracle Cloud Infrastructure (using Azure Functions) and open the connector page. Initially it shows as Disconnected.

  3. On the right-hand side, select the Deploy to Azure button. Fill in all the details.

    • You can find the Microsoft Sentinel workspace ID and shared key on the data connector page. The user, fingerprint, tenancy, and region values can be taken from the OCI configuration file preview snippet.

    • Note: In the OCI console, click the three dots to the right of the required fingerprint to preview the corresponding configuration file snippet.

    • The message endpoint and stream OCID are listed under Stream information for the Stream we created in OCI.

    • Once all details are filled, select the checkbox: I agree to the terms and conditions stated above and click Purchase to deploy.

  4. When the deployment completes, an Azure function app is created automatically. You can verify that the application is running. After some time the data connector shows as “Connected”.

    • To view the logs, navigate to Sentinel, Logs, Tables, Custom Tables.

    • Double-click OCI_Logs_CL (the custom table created by the Azure function app) so that the table name appears in the query editor. Select the time range and click Run. You can now view and manage the OCI logs in Sentinel.
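Before pasting values into the Deploy to Azure form in step 3, it is worth checking that the configuration snippet values are well formed and consistent with the stream details, since a mismatched tenancy, fingerprint or region only surfaces later as a connector that never leaves the Disconnected state. The following Python is an added example, not part of the tutorial or of the OCI solution. The snippet, OCIDs and endpoint are constructed placeholders, and the check that the message endpoint host names the configured region assumes the usual `cell-1.streaming.<region>.oci.oraclecloud.com` endpoint form.

```python
"""Sanity-check the OCI config snippet and stream details used by the connector.

Added example with constructed placeholder values; OCID and endpoint checks
are structural only and do not contact OCI.
"""
import configparser
import re
from urllib.parse import urlparse

# Constructed snippet in the format the OCI console previews (placeholder values).
SAMPLE_SNIPPET = """
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaplaceholderuser
fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
tenancy=ocid1.tenancy.oc1..aaaaaaaaplaceholdertenancy
region=us-ashburn-1
key_file=<path to your private keyfile> # TODO
"""

# API signing key fingerprint: 16 colon-separated hex byte pairs.
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$", re.IGNORECASE)
# Region identifiers such as us-ashburn-1 or eu-frankfurt-1.
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-[0-9]+$")


def parse_snippet(snippet, profile="DEFAULT"):
    """Read the INI-style snippet and return the chosen profile as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(snippet)
    return dict(cp[profile])


def check_ocid(value, expected_type):
    """Structural OCID check: ocid1.<type>.<realm>.[region].[future].<id>."""
    parts = value.split(".")
    if len(parts) not in (5, 6) or parts[0] != "ocid1" or not parts[-1]:
        return f"{expected_type}: not an OCID: {value!r}"
    if parts[1] != expected_type:
        return f"{expected_type}: OCID is of type {parts[1]!r}"
    return None


def validate_connector_inputs(snippet, stream_ocid, message_endpoint, profile="DEFAULT"):
    """Return a list of problems; an empty list means the values look consistent."""
    problems = []
    try:
        cfg = parse_snippet(snippet, profile)
    except (configparser.Error, KeyError) as exc:
        return [f"cannot parse snippet: {exc}"]

    for key in ("user", "fingerprint", "tenancy", "region"):
        if not cfg.get(key):
            problems.append(f"missing {key}")

    for key in ("user", "tenancy"):
        if cfg.get(key):
            problem = check_ocid(cfg[key], key)
            if problem:
                problems.append(problem)

    if cfg.get("fingerprint") and not FINGERPRINT_RE.match(cfg["fingerprint"]):
        problems.append(f"fingerprint is not 16 hex pairs: {cfg['fingerprint']!r}")

    region = cfg.get("region", "")
    if region and not REGION_RE.match(region):
        problems.append(f"region does not look like an OCI region id: {region!r}")

    # The console preview leaves key_file as a placeholder; the private key
    # that matches the fingerprint must be supplied separately.
    if "<" in cfg.get("key_file", ""):
        problems.append("key_file still holds the console placeholder; "
                        "use the private key that matches the fingerprint")

    problem = check_ocid(stream_ocid, "stream")
    if problem:
        problems.append(problem)

    url = urlparse(message_endpoint)
    if url.scheme != "https":
        problems.append("message endpoint must use https")
    # Assumption: the host follows cell-1.streaming.<region>.oci.oraclecloud.com,
    # so the stream's region should appear in it and match the config region.
    if region and region not in (url.hostname or ""):
        problems.append(f"message endpoint host {url.hostname!r} does not contain region {region!r}")
    return problems


if __name__ == "__main__":
    for p in validate_connector_inputs(
        SAMPLE_SNIPPET,
        "ocid1.stream.oc1.iad.placeholderstreamid",  # constructed
        "https://cell-1.streaming.us-ashburn-1.oci.oraclecloud.com",
    ):
        print("problem:", p)
```

Run it against your own snippet with the stream OCID and message endpoint copied from Stream information; the only expected finding for a fresh console snippet is the unedited key_file placeholder.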

Acknowledgments

Author - Lasya Vadavalli (Senior Cloud Engineer-IaaS)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.