(And a pretty good example of configuring ANY Sentinel data connectors that use APIs and Azure Functions.)
There are several ways to get data into Sentinel.
If your log source requires an API pull, it’s very likely that Sentinel will use an Azure Function app to pull the data.
Vendors have many uses for their APIs so you can’t assume that theirs was built just to please your SIEM.
As a result there is often a bit of a learning curve when trying to understand how to get API logs into Sentinel and how Azure functions play a role.
Here are the 3 basic steps for getting your API logs into Sentinel:
- Spend some time to understand the vendor’s API – List out all of the available API options. For Carbon Black, there are over 15 APIs!!! But you need just 2 of them for Sentinel.
- Collect the variables needed to configure the Azure Function – for Carbon Black there are about 15 variables!!! (see cheat sheet below). You’ll need the help of your friendly AWS admin as well as your Carbon Black admin.
- Get familiar with how to troubleshoot a vendor’s API and Azure Functions – If you’re familiar with curl, wget and/or Postman, then you’re on your way, but that subject is out of scope for this article. For Azure Functions it’s mostly about being able to tweak your variables and how to monitor the output logs (see cheat sheet below).
My cheat sheet for Sentinel Carbon Black Cloud (EDR) Connector
Converting this cheat sheet from Excel to fit in this blog is beyond my skills, so I’ve attached a pdf version.
I’m confident that if you can configure Carbon Black Cloud, you’ll probably have no issue with most other Azure Function API connectors for Sentinel.
I doubt any other connectors will have this many variables!
Addendum: Which audit logs should I collect?
When configuring this connector, there are 4 check boxes to choose from. Here ‘s a brief explanation for them:
CB Alerts Only:
If you just need the CB alerts, then just check off ‘Alert – supported with SIEM API credentials’. This is a good starting point since you don’t have to worry about connecting to AWS.
CB Alerts with All Events
If you need all of the events associated with the alerts, then check off these 2:
Event – supported with aws s3 bucket credentials
Alert – supported with aws s3 bucket credentials
And then proceed to set up an s3 bucket along with everything else.
Audit
These are just basic Carbon Black audit logs, no alerts/events here.
And no need for s3 buckets so enable it with no difficulty.
Simple-Security 
A Similar thread that also helps solve connection issues – Note the format of the Log Types variables and the Powershell version. VMware Carbon Black Cloud Sentinel Data connector not ingesting alerts- Sentinel · Issue #10680 · Azure/Azure-Sentinel (github.com)
LikeLike