Connector to ingest Airtable Audit Logs into Microsoft Azure Sentinel (SIEM)
Airtable-Labs/audit-logs-connector-for-azure-sentinel
Azure Sentinel Connector for Airtable Audit Logs

This repository contains an example Microsoft Sentinel codeless connector (Azure_Sentinel_Codeless_Connector.json) to help you continuously ingest Airtable Audit Logs into the Microsoft Sentinel ecosystem without needing to write code or host additional infrastructure.


The software made available from this repository is not supported by Formagrid Inc (Airtable) or part of the Airtable Service. It is made available on an "as is" basis and provided without express or implied warranties of any kind.


Overview of Sentinel Codeless Connectors

Microsoft Sentinel has several options for creating custom connectors. Codeless Connectors are "best for less technical audiences to create SaaS connectors using a configuration file instead of advanced development" and have the benefit of not requiring any infrastructure: Microsoft Sentinel will use the configuration to poll the specified API for you.

While codeless connectors do not have code, the configuration is in JSON format and requires familiarity with HTTP-based APIs and pagination. The example file in this repository is preconfigured to work with Airtable's Audit Logs API based on Microsoft's instructions on how to create a codeless connector.

About this Codeless Connector for Airtable Audit Logs

The codeless connector example in this repository, Azure_Sentinel_Codeless_Connector.json, is configured to:

  • Poll the Airtable Audit Logs event retrieval endpoint every 5 minutes and request up to 100 events per page. If there is another page of results available, the connector will automatically retrieve the next page of events.
  • Retrieve events across all event types (you can find a list with their definitions here). When Airtable adds new event types to the list, they will automatically be included.
  • Add audit log events from Airtable to the AirtableAuditLogs_CL table. If the table does not yet exist, the codeless connector will create it.
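To make the paging behaviour above concrete, here is an added Python illustration (not code from this repository or from Airtable) of the loop a poll performs: request pages of 100 events and follow the next-page cursor until none is returned, then tally events per type so the total can be checked against what lands in the Sentinel table. The endpoint path, the `pageSize`/`next` parameters and the per-event `action` field are assumptions about Airtable's API rather than details this README states; the sample pages are constructed so the script runs offline.

```python
from typing import Callable, Dict, List

# Assumed, not taken from the README: Airtable's enterprise audit log endpoint path,
# the pageSize/next query parameters and the per-event "action" field. Check the API docs.
API_BASE = "https://api.airtable.com/v0/meta/enterpriseAccounts"
PAGE_SIZE = 100  # page size the connector in this repository requests
Fetch = Callable[[str, Dict[str, str]], dict]  # (url, query params) -> parsed JSON body

def pull_audit_events(ent_id: str, fetch: Fetch, page_size: int = PAGE_SIZE,
                      max_pages: int = 1000) -> List[dict]:
    """Request pages of up to page_size events and follow the next cursor until the
    API reports no further page, which is what the codeless connector does per poll."""
    url = f"{API_BASE}/{ent_id}/auditLogEvents"
    params: Dict[str, str] = {"pageSize": str(page_size)}
    events: List[dict] = []
    seen_cursors = set()
    for _ in range(max_pages):  # hard cap so a misbehaving API cannot loop forever
        body = fetch(url, dict(params))
        events.extend(body.get("events", []))
        cursor = (body.get("pagination") or {}).get("next")
        if not cursor or cursor in seen_cursors:  # last page, or a cursor we already used
            break
        seen_cursors.add(cursor)
        params["next"] = cursor
    return events

def count_by_action(events: List[dict]) -> Dict[str, int]:
    """Tally events per event type so the total can be compared with the Sentinel table."""
    counts: Dict[str, int] = {}
    for ev in events:
        action = ev.get("action", "unknown")
        counts[action] = counts.get(action, 0) + 1
    return counts

def constructed_pages() -> List[dict]:
    """Constructed sample data: 250 events split over three pages (100, 100, 50)."""
    def page(start: int, count: int, nxt):
        evs = [{"id": f"evt{start + i}",
                "action": "workspace.create" if (start + i) % 5 == 0 else "user.login"}
               for i in range(count)]
        return {"events": evs, "pagination": {"next": nxt, "previous": None}}
    return [page(0, 100, "cursor-2"), page(100, 100, "cursor-3"), page(200, 50, None)]

def fake_fetch(pages: List[dict]) -> Fetch:
    """Offline stand-in for the HTTP layer: serves the page that each cursor points to."""
    by_cursor = {None: pages[0]}
    for prev, nxt in zip(pages, pages[1:]):
        by_cursor[prev["pagination"]["next"]] = nxt
    return lambda url, params: by_cursor[params.get("next")]
```

Against a live account, `fetch` would wrap an HTTPS GET that sends the service account's personal access token as a bearer token; comparing the per-type totals with a count over AirtableAuditLogs_CL once the connector has been running for a while is a quick way to confirm nothing is being dropped between pages.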

Setup / deploy

To set up this codeless connector in your Azure environment, follow Microsoft's deployment steps with the following guidance:

  • For step 1: Use Azure_Sentinel_Codeless_Connector.json as the custom ARM template for your custom deployment in the Azure console.
  • For step 2: The configuration wizard will ask you for your Airtable Enterprise Account ID and API key (screenshot below).
    • Airtable Enterprise Account ID: This ID starts with the letters "ent" and can be found in the left-hand sidebar of your Enterprise Admin console.
    • API key: We recommend using a personal access token belonging to a service account. The service account will need to be made an admin for your enterprise account, and the personal access token will need to have the enterprise.auditLogs:read scope.
  • For step 3: In testing, we have found it takes 20 to 30 minutes for an Azure codeless connector to begin retrieving logs. After this period, you should see a new AirtableAuditLogs_CL table in your Sentinel log explorer.

Configuration screenshot (step 2)

[Screenshot: Microsoft Sentinel codeless connector for Airtable configuration wizard]
