Connect your Illusive Attack Management System to Azure Sentinel

Important

The Illusive Attack Management System data connector in Azure Sentinel is currently in public preview. This feature is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.

This article explains how to connect your Illusive Attack Management System to Azure Sentinel. The Illusive Attack Management System data connector lets you share Illusive’s attack surface analysis data and incident logs with Azure Sentinel and view them in two dedicated dashboards: the ASM Dashboard, which offers insight into your organization’s attack surface risk, and the ADS Dashboard, which tracks unauthorized lateral movement in your organization’s network.

Note

Data will be stored in the geographic location of the workspace on which you are running Azure Sentinel.

Forward Illusive Attack Management System logs to the Syslog agent

Configure the Illusive Attack Management System to send its Syslog messages in CEF format to the Linux Syslog agent, which forwards them to your Azure Sentinel workspace. The agent must already be installed and listening on TCP port 514 before you add it as a Syslog server in the steps below.

  1. Log on to the Illusive Console, and navigate to Settings->Reporting.

  2. Find the Syslog servers section.

  3. Supply the following information:

    • Host name: IP address or FQDN host name of the Linux Syslog agent
    • Port: 514
    • Protocol: TCP
    • Audit messages: select Send audit messages to server

  4. To add the syslog server, click Add.

  5. CEF messages received through the Syslog agent are stored in the CommonSecurityLog table. To query Illusive Attack Management System data with the relevant schema, open Logs in Azure Sentinel and search for CommonSecurityLog.
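To see what the forwarded events look like once they land in CommonSecurityLog, the following Python script (an added example, not part of this article or of Illusive's product) parses syslog-wrapped CEF lines into records keyed by CommonSecurityLog column names, filters them to one device vendor, and sets aside lines that are not valid CEF. The sample lines, the vendor and product strings, the event IDs, names and extension fields are all constructed assumptions for illustration, not Illusive's actual CEF output; the column mapping for the CEF header and for common extension keys (src, dst, suser, cat, msg, rt) follows the CommonSecurityLog schema.

```python
"""Parse syslog-wrapped CEF lines into CommonSecurityLog-style records.

Added example for this article. The sample lines at the bottom are
constructed: their vendor/product/event names and field values are
assumptions for illustration, not Illusive's actual CEF output.
"""
import re

# Optional RFC 3164 syslog framing ("<PRI>Mon DD HH:MM:SS host ") in front
# of the CEF payload, as the Linux Syslog agent sees it on TCP 514.
_SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>)?(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+)?(CEF:.*)$"
)
# CEF header fields after "CEF:Version", in order, as CommonSecurityLog columns.
_HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                   "DeviceEventClassID", "Activity", "LogSeverity"]
# Common CEF extension keys that CommonSecurityLog maps to dedicated columns;
# anything else lands in AdditionalExtensions as "key=value;key=value".
_EXT_COLUMNS = {"rt": "ReceiptTime", "src": "SourceIP", "dst": "DestinationIP",
                "shost": "SourceHostName", "dhost": "DestinationHostName",
                "suser": "SourceUserName", "duser": "DestinationUserName",
                "cat": "DeviceEventCategory", "msg": "Message"}
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # "key=" at start or after space
_UNESCAPE = re.compile(r"\\(.)")                     # CEF escapes: "\=" and "\\"


def _split_header(payload):
    """Split the CEF header on unescaped '|' and return (7 fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):   # "\|" or "\\" inside a header field
            cur.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:                    # version + 6 header fields
                return fields, payload[i + 1:]
        else:
            cur.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than 7 '|'-separated fields")


def _parse_extension(ext):
    """Parse 'k=v k2=v with spaces' into a dict, undoing CEF value escapes."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _UNESCAPE.sub(r"\1", ext[m.end():end])
    return out


def parse_cef(line):
    """Return one CommonSecurityLog-style record for a syslog/CEF line."""
    m = _SYSLOG_PREFIX.match(line.strip())
    if not m:
        raise ValueError("no CEF payload in line")
    header, ext = _split_header(m.group(1))
    if header[0] != "CEF:0":
        raise ValueError("unsupported CEF version %r" % header[0])
    record = dict(zip(_HEADER_COLUMNS, header[1:]))
    extras = []
    for key, value in _parse_extension(ext).items():
        if key in _EXT_COLUMNS:
            record[_EXT_COLUMNS[key]] = value
        else:
            extras.append("%s=%s" % (key, value))
    record["AdditionalExtensions"] = ";".join(extras)
    return record


def parse_log(lines, vendor="Illusive"):
    """Parse all lines; return (records whose DeviceVendor == vendor, malformed lines)."""
    records, malformed = [], []
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            malformed.append(line)
            continue
        if rec["DeviceVendor"] == vendor:
            records.append(rec)
    return records, malformed


# Constructed sample input (not real Illusive output): two assumed Illusive
# events (an incident and an audit message), one event from another CEF source
# that should be filtered out, and one non-CEF line the agent might also forward.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 illusive-ams CEF:0|Illusive|Attack Management System|3.1"
    "|1001|Deception Triggered|8|rt=Jan 10 2021 12:00:00 src=10.0.5.23 shost=ws-023 "
    "suser=jdoe cat=incident deceptionType=share msg=Decoy SMB share accessed (policy\\=alert)",
    "<134>Jan 10 12:00:02 illusive-ams CEF:0|Illusive|Attack Management System|3.1"
    "|2001|User Login|3|suser=admin src=10.0.0.7 cat=audit",
    "<134>Jan 10 12:00:02 fw01 CEF:0|ExampleVendor|Firewall|1.0|100|Deny \\| Policy-7|5|"
    "src=10.0.5.23 dst=10.0.9.1 proto=TCP",
    "<134>Jan 10 12:00:03 fw01 kernel: not a CEF message",
]

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LINES)
    for r in recs:
        print(r["DeviceEventClassID"], r["Activity"], r.get("SourceIP"), r.get("Message"))
    print("malformed lines:", len(bad))
```

Run it as-is to see the two assumed Illusive records and the one rejected line; in practice, point `parse_log` at a capture of what the Syslog agent receives on port 514 to confirm the vendor string, event IDs and extension keys Illusive actually emits before building queries or analytics rules on those values.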

Next steps

In this document, you learned how to connect the Illusive Attack Management System to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: