SenseOn Data Connectors
Add-on: Data Connectors are available if you have purchased a SenseOn for Cloud Add-on. Please speak to your customer success manager for access.
Data Connectors enable SenseOn XDR
SenseOn XDR correlates endpoint, network and user data collected through the Universal Sensor with activity and alerts from across your enterprise technology stack.
Our Data Connectors facilitate the ingestion of telemetry and alerts from your enterprise technology in order to:
- Simplify your security operations by consolidating threat detection and response across multiple data sources (endpoints, network, identity providers, cloud SaaS platforms etc.)
- Protect against threats which would otherwise be difficult to detect with siloed tools
- Correlate an attacker's actions into attack paths with SenseOn's AI Triangulation, so they can be managed and responded to easily through Cases
Available Connectors
Need more? Have a specific connector in mind that we don't currently support? Let us know! Contact [email protected] or [email protected]
If a platform makes its log sources available through a cloud feed, and SenseOn supports a connector for it natively, you can configure the connection to that platform from SenseOn's Data Connectors page.
There are two types of data connectors:
Telemetry Connector
- Ingests real-time activity data (e.g. user actions, system changes) generated by connected external platforms
- Our security experts build custom detections using telemetry, providing you with a wider coverage of threat types and techniques than you'd otherwise get with the default security alerts from the external platform/service
- Detections generated using telemetry form observations, which can be added to cases if correlated by SenseOn's AI Triangulation
Alert Connector
- Ingests security events that are automatically generated by the external platform being connected to
- Security alerts form observations, which can be added to cases if correlated by SenseOn's AI Triangulation
Data Connector | Type | Description | HuntLab Table |
---|---|---|---|
M365 Security Alerts | Alert | These are security alerts automatically generated from services that are either part of or integrated with Microsoft 365 Defender. They return rich, valuable clues about a completed or ongoing attack and the impacted assets. Microsoft Reference | cloud_ms_graph_alert |
Entra ID User Sign-in Logs (formerly Azure Active Directory Sign In logs) | Telemetry | These logs provide information about when and how users access their Microsoft Entra (formerly Azure) services. Microsoft Reference | cloud_ms_sign_in_log |
Entra ID Audit Logs (formerly Azure Active Directory Audit logs) | Telemetry | These logs contain information corresponding to changes to applications, groups, users, and licences. Microsoft Reference | cloud_ms_directory_audit_log |
Office 365 Management Activity | Telemetry | The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Office 365. Microsoft Reference | cloud_ms_o365_activity_log |
Google Workspace Alerts | Alert | These are security alerts automatically generated for a Google Workspace domain. Google Reference | cloud_google_workspace_alert |
GCP Security Command Center Alerts | Alert | These are security findings (alerts) automatically generated for a GCP environment through the Security Command Center. They surface detected threats such as compromised identities (IAM), data exfiltration, and misconfigurations. Google Reference | cloud_gcp_security_finding |
AWS Security Hub Alerts | Alert | These are security findings (alerts) automatically generated for an AWS environment. AWS Reference | cloud_aws_securityhub_alert |
Setting Up and Managing Data Connectors
1. Accessing the Data Connectors page
- Navigate to the Settings section in the left sidebar
- Under Integrations, select Data Connectors
2. Setting up a new Connector
- Locate the desired connector in the list
- Click the Set up button beneath the connector's description
- Follow the specific prompts for the chosen connector, which may include:
- Providing authorisation credentials
- Selecting data filters or scope
- Configuring additional settings as needed
Ingestion setup delay: Once successfully connected, it can take up to 5 minutes to begin data ingestion, provided there is data available from the external service. For example, if Microsoft has generated no security alerts, there is nothing to ingest.
Multiple data connectors: There is no limit on the number of instances of a specific integration within SenseOn. For example, if you want to centralise alerting from three Microsoft tenants, you can do so by setting up three M365 Security Alert connectors.
3. Viewing connection details
- Click the View details button next to a connection
- This opens a modal with specific information about the connection
Connector Details | Description |
---|---|
Status | Current state of the integration (an unhealthy or misconfigured connection shows Error; see Troubleshooting below) |
Connection created | Timestamp when the connector was last activated or created |
Data last received | Timestamp when the external service last sent data to the connector |
Data last fetched | Timestamp when the data connector last attempted to ingest data |
Connection status last checked | Timestamp of the last health check |
Organization ID | ID of the associated organisation in GCP |
Applied filter | The filter applied to specify which alerts to ingest from the M365 Security Alerts connector |
Tenant | Microsoft tenant from which the connector fetches data |
4. Managing existing connections
- View your active connections in the "Your connections" section at the top of the page
- Each connection displays its current status
5. Modifying a connection
- Click the three-dot menu (...) next to a connected integration. Options may include:
- Edit filters: Adjust the scope of data being collected
- Resume/Pause: Toggle the active state of the connection
- Delete: Remove the connection entirely
6. Microsoft 365 Security Alerts & Google Workspace Alerts specific information
- With these connectors you can optionally provide a filter that specifies which alerts SenseOn ingests
- Visit this Microsoft doc or Google doc to learn more
Remember that each connector may have unique setup requirements or features. Always refer to the specific instructions provided during the setup process for any connector-specific steps or considerations.
Troubleshooting
Each connector is monitored for health periodically to identify when a connection is potentially failing.
When a connection becomes unhealthy or has not been configured correctly, the connection status will be set to Error and details of the error will be provided:
Connector(s) | Error Message | Cause | Troubleshooting |
---|---|---|---|
AWS Security Hub Alerts, GCP Security Command Center Alerts | Subscription is missing | The integration was not activated and is therefore missing a subscription | Complete the steps required to activate the integration. |
AWS Security Hub Alerts, GCP Security Command Center Alerts | Subscription heartbeat is missing | The integration is expecting heartbeats but none have arrived yet | This is most likely because the subscription has only just been set up and the first heartbeat has not arrived yet; waiting a short while should give the integration enough time to send heartbeats. If that does not help, see the next row. |
AWS Security Hub Alerts, GCP Security Command Center Alerts | Last heartbeat is too old | At least two consecutive heartbeats got lost | There is most likely something wrong with the AWS or GCP infrastructure. Check the deployed AWS infrastructure for errors (Lambda, EventBridge). Check that the notification config was created in GCP Security Command Center and that all the setup commands ran successfully. |
Microsoft 365 Security Alerts, Office 365 Management Activity | Unable to read API endpoint | The integration tries to download a single alert just to check that it can reach the endpoint, and fails | Double-check the provided tenant ID and make sure the integration was authorised. |
Microsoft 365 Security Alerts, Office 365 Management Activity | Subscription validation failed | Subscription details are invalid (or corrupted) and do not match Microsoft's source of truth. | Try deactivating (deleting) the subscription and creating it again. |
Google Workspace Alerts, Entra ID Sign-in Logs, Entra ID Audit Logs | Unable to read API endpoint | The integration has tried to ingest a single alert to validate the connection setup but has failed | Double-check the provided tenant ID and make sure the integration was authorised. |
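The heartbeat-based rows above, together with the Connection created, Data last received and Connection status last checked fields in the details modal, describe a small state machine: no subscription, a subscription with no heartbeat yet, and a subscription whose last heartbeat is too old. The following is an added illustration of that health check, not SenseOn's own code. The heartbeat cadence (HEARTBEAT_INTERVAL), the field and class names, the "OK" label for a healthy connection (the page names only the Error state) and the sample connections are constructed for this example; the error messages, causes and the "two consecutive heartbeats lost" rule are taken from the table.

```python
"""Connector health check modelled on the Troubleshooting table (added example).

Assumptions (not from the page): heartbeats arrive every HEARTBEAT_INTERVAL,
the healthy status is labelled "OK", and the sample connections are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL = timedelta(minutes=5)  # assumed cadence of subscription heartbeats
LOST_HEARTBEATS_BEFORE_ERROR = 2           # table: "at least two consecutive heartbeats got lost"


@dataclass
class Connection:
    """State kept for one AWS Security Hub / GCP Security Command Center subscription."""
    name: str
    subscription_id: Optional[str]          # None: activation steps never completed
    connection_created: datetime            # "Connection created" in the details modal
    data_last_received: Optional[datetime]  # "Data last received"; None: nothing yet


@dataclass
class HealthResult:
    """What the details modal shows after a health check."""
    status: str                    # "OK" (assumed label) or "Error" (from the page)
    error_message: Optional[str]   # Error Message column
    cause: Optional[str]           # Cause column
    status_last_checked: datetime  # "Connection status last checked"


def check_health(conn: Connection, now: datetime) -> HealthResult:
    """Map a connection's state onto the error rows of the Troubleshooting table."""
    # Row 1: the integration was never activated, so no subscription exists.
    if conn.subscription_id is None:
        return HealthResult(
            "Error", "Subscription is missing",
            "The integration was not activated and is therefore missing a subscription", now)
    # Row 2: a subscription exists but no heartbeat has arrived yet (usually just set up).
    if conn.data_last_received is None:
        return HealthResult(
            "Error", "Subscription heartbeat is missing",
            "The integration is expecting heartbeats but none have arrived yet", now)
    # Row 3: heartbeats were flowing but the silence now spans more than two intervals.
    silence = now - conn.data_last_received
    if silence > LOST_HEARTBEATS_BEFORE_ERROR * HEARTBEAT_INTERVAL:
        return HealthResult(
            "Error", "Last heartbeat is too old",
            "At least two consecutive heartbeats got lost", now)
    return HealthResult("OK", None, None, now)


# Constructed reference time and sample connections: one per error row plus a healthy one.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection("aws-prod", None, NOW - timedelta(hours=1), None),
    Connection("gcp-org-a", "sub-0001", NOW - timedelta(minutes=2), None),
    Connection("aws-dev", "sub-0002", NOW - timedelta(days=3), NOW - timedelta(minutes=30)),
    Connection("gcp-org-b", "sub-0003", NOW - timedelta(days=3), NOW - timedelta(minutes=4)),
]


def run_checks(connections: List[Connection] = SAMPLE_CONNECTIONS,
               now: datetime = NOW) -> Dict[str, HealthResult]:
    """Run the periodic health check over every connection, keyed by connection name."""
    return {c.name: check_health(c, now) for c in connections}


if __name__ == "__main__":
    for name, result in run_checks().items():
        detail = f" ({result.error_message})" if result.error_message else ""
        print(f"{name}: {result.status}{detail}")
```

The ordering of the checks matters: a missing subscription is reported before a missing heartbeat, which is why the table's advice for the second row (wait, then look at the third row) only makes sense once activation has completed. A connection whose last heartbeat is exactly two intervals old is still reported as OK; only a third missed heartbeat tips it into Error.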