What Changed

Microsoft Sentinel Logstash output plugin v1.2.0 adds comprehensive passwordless authentication:

  • Managed identity support for Azure VMs and VMSS (system-assigned and user-assigned)
  • AKS workload identity via OIDC token exchange for Kubernetes workloads
  • Azure Arc managed identity for hybrid and on-premises servers
  • Automatic authentication detection with a runtime fallback hierarchy
  • HTTP client migration from excon to rest-client for improved compatibility

Authentication Enhancement

Auto-detection hierarchy when managed_identity is enabled:

  1. AKS Workload Identity: Uses OIDC token exchange if required environment variables are present
  2. Azure Arc: Detects azcmagent process and uses Arc managed identity endpoint for hybrid servers
  3. IMDS: Falls back to Instance Metadata Service for Azure VMs/VMSS

Backward compatibility: Existing service principal authentication is unchanged and remains the default.

Security Impact (Authentication & Data Ingestion)

Eliminates credential management security risks:

  • No client secrets: Removes need to store and rotate authentication secrets in Logstash configurations
  • Environment-native: Uses Azure platform identity instead of stored credentials
  • Cross-environment support: Single configuration works across Azure VMs, AKS clusters, and Arc-connected servers
  • Improved operational security: Reduces attack surface by eliminating stored credentials in configuration files

For Azure Arc environments: The Logstash process user must be a member of the himds group to access the challenge token.
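
The detection order under "Authentication Enhancement" and the Arc himds requirement above can be checked on a host before managed_identity is enabled. The Ruby sketch below is an added example, not the plugin's own code; the function name, the three AZURE_* variable names (those set by the Azure Workload Identity webhook) and the fall-through on a partial environment are assumptions.

```ruby
# Added example: not the plugin's code. It mirrors the documented detection
# order so an operator can predict which identity source a host will use.

# Assumption: variables injected by the Azure Workload Identity webhook.
WORKLOAD_IDENTITY_VARS = %w[AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE].freeze

# env:           Hash of environment variables (e.g. ENV.to_h)
# process_names: Array of running process names
# user_groups:   Array of group names of the Logstash process user
def detect_identity_source(env:, process_names:, user_groups:)
  warnings = []
  present = WORKLOAD_IDENTITY_VARS.reject { |k| env[k].to_s.empty? }

  # 1. AKS workload identity: only when every required variable is set.
  if present.size == WORKLOAD_IDENTITY_VARS.size
    return { source: :aks_workload_identity, warnings: warnings }
  elsif !present.empty?
    missing = WORKLOAD_IDENTITY_VARS - present
    warnings << "partial workload identity environment, missing: #{missing.join(', ')}"
  end

  # 2. Azure Arc: the azcmagent process marks an Arc-connected server.
  if process_names.include?('azcmagent')
    unless user_groups.include?('himds')
      warnings << 'Logstash user is not in the himds group; challenge token is unreadable'
    end
    return { source: :azure_arc, warnings: warnings }
  end

  # 3. IMDS: fallback for Azure VMs and VMSS.
  { source: :imds, warnings: warnings }
end

# Constructed sample inputs for three hosts (not taken from a real system).
if __FILE__ == $PROGRAM_NAME
  aks = { 'AZURE_CLIENT_ID' => 'c', 'AZURE_TENANT_ID' => 't',
          'AZURE_FEDERATED_TOKEN_FILE' => '/var/run/secrets/azure/tokens/azure-identity-token' }
  p detect_identity_source(env: aks, process_names: [], user_groups: [])
  p detect_identity_source(env: {}, process_names: %w[azcmagent logstash], user_groups: %w[logstash])
  p detect_identity_source(env: { 'AZURE_CLIENT_ID' => 'c' }, process_names: [], user_groups: [])
end
```

A warning on the Arc path means the service account should be added to himds before the pipeline is switched over; a partial-environment warning usually points to a pod that is missing the workload identity label or service account annotation.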

Affected Files

DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/CHANGELOG.md
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/README.md
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/arm-template/deploy-dcr-dce-cef-table.json
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/bronze.conf
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/logstash.yml
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/pipelines.yml
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/examples/auxiliary-logs/config/syslog.conf
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/outputs/microsoft-sentinel-log-analytics-logstash-output-plugin.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsAadTokenProvider.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsArcTokenProvider.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsClient.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logAnalyticsManagedIdentityTokenProvider.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logStashEventsBatcher.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/logstashLoganalyticsConfiguration.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/lib/logstash/sentinel_la/version.rb
DataConnectors/microsoft-sentinel-log-analytics-logstash-output-plugin/microsoft-sentinel-log-analytics-logstash-output-plugin.gemspec