Elastic Agent (Standalone) connector for Microsoft Sentinel

The Elastic Agent data connector provides the capability to ingest Elastic Agent logs, metrics, and security data into Microsoft Sentinel.

This is autogenerated content. For changes, contact the solution provider.

Connector attributes

Connector attribute Description
Log Analytics table(s) ElasticAgentLogs_CL
Data collection rules support Not currently supported
Supported by Microsoft Corporation

Query samples

Top 10 Devices

ElasticAgentEvent

| summarize count() by DvcIpAddr

| top 10 by count_

Prerequisites

To integrate with Elastic Agent (Standalone) make sure you have:

  • Include custom pre-requisites if the connectivity requires - else delete customs: Description for any custom pre-requisite

Vendor installation instructions

Note

This data connector depends on a parser based on a Kusto Function to work as expected ElasticAgentEvent which is deployed with the Microsoft Sentinel Solution.

Note

This data connector has been developed using Elastic Agent 7.14.

  1. Install and onboard the agent for Linux or Windows

Install the agent on the Server where the Elastic Agent logs are forwarded.

Logs from Elastic Agents deployed on Linux or Windows servers are collected by Linux or Windows agents.

  1. Configure Elastic Agent (Standalone)

Follow the instructions to configure Elastic Agent to output to Logstash

  1. Configure Logstash to use Microsoft Logstash Output Plugin

Follow the steps to configure Logstash to use microsoft-logstash-output-azure-loganalytics plugin:

3.1) Check if the plugin is already installed:

./logstash-plugin list | grep 'azure-loganalytics' (if the plugin is installed go to step 3.3)

3.2) Install plugin:

./logstash-plugin install microsoft-logstash-output-azure-loganalytics

3.3) Configure Logstash to use the plugin

  1. Validate log ingestion

Follow the instructions to validate your connectivity:

Open Log Analytics to check if the logs are received using custom table specified in step 3.3 (e.g. ElasticAgentLogs_CL).

It may take about 30 minutes until the connection streams data to your workspace.