This directory contains configuration for forwarding SOC Lab events from the local Docker stack to an Azure Log Analytics Workspace, making them available in Microsoft Sentinel.
The local lab stack writes events to Elasticsearch (port 9200). Azure Sentinel reads from Log Analytics. To run the Terraform analytics rules against real lab data, you need to bridge the two: ship events from the lab's Filebeat instance to the Log Analytics Workspace using the Azure Monitor Data Collector API.
Without this step, the analytics rules exist in Sentinel but have no data to query against (the soc_lab_CL table will be empty).
After running terraform apply in terraform/sentinel/:
# Workspace ID (called "Customer ID" internally)
terraform output workspace_customer_id
# Primary shared key (sensitive — handle as a secret)
terraform output -raw primary_shared_keyThe logstash-output-azure-loganalytics plugin handles the HMAC-SHA256 request signing required by the Data Collector API automatically.
-
Add the plugin to your Logstash installation:
logstash-plugin install logstash-output-azure-loganalytics
-
Configure a Logstash output pipeline:
output { azure_loganalytics { workspace_id => "YOUR_WORKSPACE_ID" workspace_key => "YOUR_PRIMARY_SHARED_KEY" custom_log_table_name => "soc_lab" } }
-
Point the existing Filebeat configuration at the new Logstash pipeline instead of (or in addition to) Elasticsearch.
The filebeat-azure-monitor.yml file in this directory shows the Filebeat HTTP output configuration. This option requires you to compute the Authorization header using HMAC-SHA256 on each request (the Azure Monitor Data Collector API requires signed requests).
For a working signing implementation, see the Azure Monitor Data Collector API reference.
For production scenarios, consider the Azure Monitor Agent with a Data Collection Rule (DCR). This is the current Microsoft-recommended approach but requires the log source host to be Azure-enrolled or Arc-connected.
Azure Monitor appends type suffixes to all custom log fields. The analytics rules in analytics_rules.tf use these column names:
| ECS Field | Log Analytics Column |
|---|---|
event.category |
event_category_s |
event.action |
event_action_s |
event.outcome |
event_outcome_s |
source.ip |
source_ip_s |
destination.ip |
destination_ip_s |
destination.port |
destination_port_d |
network.transport |
network_transport_s |
user.name |
user_name_s |
host.name |
host_name_s |
authentication.service |
authentication_service_s |
process.name |
process_name_s |
process.parent.name |
process_parent_name_s |
process.command_line |
process_command_line_s |
process.integrity_level |
process_integrity_level_s |
@timestamp |
TimeGenerated (auto-mapped) |
After configuring the connector and sending some lab events:
-
Open the Azure portal → Microsoft Sentinel → your workspace
-
Go to Logs
-
Run:
soc_lab_CL | take 10
If rows appear, the data pipeline is working. The analytics rules will start firing on the next evaluation cycle.