OpenShift Request For Enhancement: RFE-5817

send alerts and audit events to Microsoft Sentinel


    • Type: Feature Request
    • Resolution: Done
    • Priority: Critical
    • Components: ACS Notifiers, RHACS
    • Progress: 0% To Do, 0% In Progress, 100% Done

      1. Proposed title of this feature request

      Send alerts and audit events to Microsoft Sentinel

      2. What is the nature and description of the request?

      The customer's cybersecurity team uses Microsoft Sentinel as its SIEM, and they would like a way to send events from ACS to Microsoft Sentinel. They are currently using the ACS syslog integration but have encountered several issues (see below).

      3. Why does the customer need this? (List the business requirements here)

      Business impact statement from the customer: 

      Our cybersecurity team are using Microsoft Sentinel for SIEM/SOAR.
      I'd like a way to send events from ACS to Microsoft Sentinel.
      Currently I am doing this using ACS' syslog integration but there are a couple of disadvantages with this approach: 

      (1) the CEF-formatted syslog messages generated by ACS use the wrong field mapping so events show up in Sentinel reports using the wrong columns (see https://github.com/stackrox/stackrox/issues/5400). 

      (2) Syslog -> Microsoft Sentinel is awkward to operate (for purely Microsoft reasons) - requires deployment of extra resources (e.g., rsyslog + the Microsoft OMS agent in a virtual machine)

      (3) the event payload JSON gets sent as a giant AdditionalExtensions field in a format that is impractical to parse with Kusto

      Native support for sending events to Sentinel would alleviate these pain points.

      Our enterprise has chosen Sentinel as its SIEM/SOAR. The difficulty of using the syslog messages currently emitted by ACS makes it difficult for our cybersecurity department to monitor and respond to alerts from ACS. This in turn makes it difficult for me to get them to consider ACS during selection of Kubernetes cluster security tooling.

      Urgency statement from the customer: 

      We are currently relying on the Microsoft OMS Agent to get syslog messages into Sentinel. Microsoft are retiring the OMS Agent on 31 August 2024, so we will need another solution in place by then.

      Support portal case: 03566487
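Pain points (1) and (3) above concern how the CEF extension block is laid out and how a JSON payload carried inside a single extension key needs a second parse before a SIEM can query it by column. As an added example that is not part of this RFE and is not code from ACS, StackRox or Microsoft Sentinel, the Python below parses a constructed CEF line (header and extension, honouring CEF escaping of `|`, `\` and `=`) and then expands a JSON-valued extension field into flat, dotted column names. The vendor and product strings, the extension keys, and the `AdditionalExtensions` key holding JSON are assumptions chosen to mirror the ticket, not ACS's actual output.

```python
import json
import re

# Constructed sample CEF line (not captured from ACS or any real product).
# The escaped '\=' in 'msg' and the JSON document under the assumed key
# 'AdditionalExtensions' mirror the problems described in the RFE.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleProduct|1.0|1001|Policy violation \\| privileged|8|"
    "rt=1700000000000 act=alert msg=Container ran as root\\=true "
    'AdditionalExtensions={"policy":{"name":"No root","severity":"HIGH"},"deployment":"web"}'
)

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# An extension key starts at the beginning or after whitespace and is followed
# by an unescaped '='; '\=' inside a value never matches because '\' is not a
# key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")


def _split_header(body):
    """Return the seven header fields (with '\\|' and '\\\\' unescaped) plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])          # escaped pipe or backslash
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 7:
        raise ValueError("CEF header must contain seven pipe-delimited fields")
    parts.append(body[i:])                   # remainder is the extension, left raw
    return parts


def _unescape_value(value):
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Split 'k=v k=v ...' where values may contain spaces and escaped '='."""
    keys = list(_KEY_RE.finditer(ext))
    fields = {}
    for idx, match in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        fields[match.group(1)] = _unescape_value(ext[match.end():end].strip())
    return fields


def parse_cef(line):
    """Parse one CEF line into its header fields plus an 'extensions' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_NAMES, parts[:7]))
    event["extensions"] = _parse_extension(parts[7])
    return event


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted column names; list items get an [i] suffix."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(obj, list):
        out = {}
        for i, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}[{i}]"))
        return out
    return {prefix: obj}


def promote_json_extension(event, key="AdditionalExtensions"):
    """Return extension fields as flat columns, expanding the JSON blob under `key`.

    Invalid JSON is kept verbatim under the original key so nothing is dropped.
    """
    columns = dict(event["extensions"])
    raw = columns.get(key)
    if raw is None:
        return columns
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return columns
    del columns[key]
    columns.update(flatten(parsed))
    return columns


if __name__ == "__main__":
    print(json.dumps(promote_json_extension(parse_cef(SAMPLE_CEF)), indent=2))
```

The key regex is where column shifts come from: any `token=` that follows whitespace starts a new field, so a producer that leaves an `=` unescaped inside a value (easy to do when serialising JSON into one extension) pushes everything after it into the wrong column, which is the misplaced-column symptom a SIEM user sees. Flattening the JSON into dotted names on the receiving side is what turns the single opaque field into something a query language can filter on directly.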

      4. List any affected packages or components.

      text

            dcaspin@redhat.com Doron Caspin
            astrouse@redhat.com Aaron Strouse
            Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve
            Votes: 7
            Watchers: 4
