Microsoft Azure Sentinel 12.4.1
  • 06 Oct 2022


tags: python | SIEM


Description

The Microsoft Azure Sentinel integration extracts incidents and their underlying logs from Sentinel and turns them into alerts and observables in the CDC, giving CDC users the context they need to make informed incident-response decisions.

Sentinel is a scalable, cloud-native Security Information and Event Management (SIEM) solution. It delivers security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Depending on configuration, CyberProof supports several observable models. A model groups the extracted observables under headings; without one, the observables are kept as independent items.

Microsoft Sentinel exposes its collected data through KQL (Kusto Query Language), which lets us query that data and interactively analyze the results. The integration uses KQL queries to retrieve records that match particular criteria, identify trends, analyze patterns, and provide a variety of insights into the data.

Integration Type: SIEM
Information read: Logs from Microsoft Sentinel based on defined criteria.
API Supported: INCIDENTS = "2020-01-01" (api-version of the Sentinel incidents REST API)
Input: N/A
Output: Detailed logs that lead to the creation of alerts and observables in the CDC.

Customer Configuration

No customer configuration


CDC Command Lines

* **complete_alert_data_cli**
This CLI completes the information of the given alerts. Example: complete_alert_data_cli --alert_ids=["59889e23-0229-64fe-ec12-7058e1f9be87","45852sdfs3-0229-64fe-ec12-7058e1f9be87"] --alerts_limit=2 --base_events_limit=5. (The default limit is 10.)

| Option | Type | Description | Required |
|---|---|---|---|
| alert_ids | array | Alert IDs from Sentinel. | False |
| alerts_limit | integer | Maximum number of Sentinel alerts to extract. | False |
| base_events_limit | integer | Maximum number of Sentinel base events to extract. | False |
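As an added example (not code from this page or from the CyberProof integration itself), the following Python builds the KQL query that fetches the alert records for the alert IDs passed to complete_alert_data_cli and applies the CLI's default limit. The table and column names (SecurityAlert, SystemAlertId) and the 1000-row cap are assumptions. Alert IDs are checked against a character allowlist before they are embedded in the query, so an ID taken from an untrusted source cannot break out of the string literal and inject KQL. Base events are left out because their source table depends on the analytics rule that produced the alert.

```python
import re

# Characters allowed inside an alert ID. Anything else (quotes, pipes,
# newlines, comment markers) could terminate the KQL string literal,
# so IDs that fail this check are rejected instead of escaped.
_ALERT_ID_RE = re.compile(r"^[0-9A-Za-z-]{1,64}$")

DEFAULT_LIMIT = 10    # the CLI default limit stated on this page
MAX_LIMIT = 1000      # assumed cap so one call cannot drain a whole table


class InvalidAlertId(ValueError):
    """Raised when an alert ID contains characters outside the allowlist."""


def validate_alert_ids(alert_ids):
    """Return the IDs as a list if every one of them is safe to embed in KQL."""
    for alert_id in alert_ids:
        if not isinstance(alert_id, str) or not _ALERT_ID_RE.match(alert_id):
            raise InvalidAlertId(f"rejecting alert id {alert_id!r}")
    return list(alert_ids)


def clamp_limit(limit, default=DEFAULT_LIMIT, maximum=MAX_LIMIT):
    """Apply the CLI default when no limit is given and cap the row count."""
    if limit is None:
        return default
    if limit < 1:
        raise ValueError("limit must be at least 1")
    return min(limit, maximum)


def build_alert_query(alert_ids, alerts_limit=None,
                      table="SecurityAlert", id_column="SystemAlertId"):
    """Build the KQL that selects the given alerts, e.g.

    SecurityAlert
    | where SystemAlertId in ("id-1", "id-2")
    | take 2
    """
    ids = validate_alert_ids(alert_ids)
    if not ids:
        raise ValueError("at least one alert id is required")
    # Each ID has already passed the allowlist, so quoting it is safe.
    id_list = ", ".join(f'"{alert_id}"' for alert_id in ids)
    return (
        f"{table}\n"
        f"| where {id_column} in ({id_list})\n"
        f"| take {clamp_limit(alerts_limit)}"
    )


if __name__ == "__main__":
    # The two alert IDs from the CLI example on this page.
    print(build_alert_query(
        ["59889e23-0229-64fe-ec12-7058e1f9be87",
         "45852sdfs3-0229-64fe-ec12-7058e1f9be87"],
        alerts_limit=2,
    ))
```

Rejecting rather than escaping keeps the rule simple to audit: KQL string literals have their own escaping rules, and an allowlist of GUID characters is easier to get right than a general-purpose escaper.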

Workflows

* **async_update_alert**
Updates alerts in the CDC asynchronously from updated Sentinel incidents.

* **complete_alert_data**
Completes the information of the given alerts; this is the workflow behind the complete_alert_data_cli command line. Example: complete_alert_data_cli --alert_ids=["59889e23-0229-64fe-ec12-7058e1f9be87","45852sdfs3-0229-64fe-ec12-7058e1f9be87"] --alerts_limit=2 --base_events_limit=5. (The default limit is 10.)

* **create_alert**
Creates alerts in the CDC from Sentinel incidents.

* **enrich_ala_incident**
Enriches Sentinel incidents with data from Azure Log Analytics.

* **execute_close_incident**
Closes an incident in Sentinel.

* **fetch_ala_data**
Fetches an incident and its alerts from Azure Log Analytics.

* **update_alert**
Updates alerts in the CDC from updated Sentinel incidents.

* **update_alert_wrapper**
Wraps update_alert to update alerts in the CDC from updated Sentinel incidents.


Rules

* **close_alert_lisenter**
Triggers closing the corresponding incident in Sentinel.

* **create_alert_lisenter**
Triggers injecting a new Azure Log Analytics incident into the CDC workflow.

* **update_alert_lisenter**
Triggers injecting an updated Azure Log Analytics incident into the CDC workflow.


Sensors

* **SentinelSensor**
Sensor to pull incidents from Azure Sentinel.

Poll interval - 30s

* **SentinelUpdateSensor**
Sensor to pull updated incidents from Azure Sentinel.

Poll interval - 30s
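The two sensors above poll every 30 seconds, one for new incidents and one for updated ones. The added Python below (an illustration, not the integration's own sensor code) shows the watermark-and-dedupe logic such a pair of pollers needs so that an incident is forwarded once on creation and once per modification, even when a poll re-reads a window that overlaps the previous one. The Incident fields mirror the Sentinel incident properties createdTimeUtc and lastModifiedTimeUtc, the 30-second overlap window and the in-memory state are assumptions, and the sample incidents are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Re-read one poll interval back so a modification stamped slightly in the
# past (clock skew, late indexing) is not missed; dedupe handles the repeats.
POLL_OVERLAP = timedelta(seconds=30)


@dataclass
class Incident:
    """Subset of a Sentinel incident the sensors need (assumed field names)."""
    incident_id: str
    created: datetime        # properties.createdTimeUtc
    last_modified: datetime  # properties.lastModifiedTimeUtc
    status: str


@dataclass
class SensorState:
    """Watermarks and dedupe map kept between polls; persist across restarts."""
    created_watermark: datetime
    modified_watermark: datetime
    # incident_id -> last_modified value already forwarded to the CDC
    seen: dict = field(default_factory=dict)


def poll_new_incidents(state, incidents):
    """SentinelSensor logic: return incidents not yet forwarded as alerts."""
    fresh = []
    for inc in incidents:
        if inc.created <= state.created_watermark - POLL_OVERLAP:
            continue  # older than the window; handled in an earlier poll
        if inc.incident_id in state.seen:
            continue  # inside the overlap window but already forwarded
        state.seen[inc.incident_id] = inc.last_modified
        fresh.append(inc)
    if fresh:
        state.created_watermark = max(i.created for i in fresh)
    return fresh


def poll_updated_incidents(state, incidents):
    """SentinelUpdateSensor logic: return forwarded incidents with unseen changes."""
    changed = []
    for inc in incidents:
        if inc.last_modified <= state.modified_watermark - POLL_OVERLAP:
            continue
        forwarded = state.seen.get(inc.incident_id)
        # Not yet created in the CDC (the create sensor's job) or unchanged.
        if forwarded is None or forwarded == inc.last_modified:
            continue
        state.seen[inc.incident_id] = inc.last_modified
        changed.append(inc)
    newer = [i.last_modified for i in incidents
             if i.last_modified > state.modified_watermark]
    if newer:
        state.modified_watermark = max(newer)
    return changed


# Constructed sample data: what two consecutive polls of the API might return.
T0 = datetime(2022, 10, 6, 12, 0, 0, tzinfo=timezone.utc)


def _t(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_FIRST_POLL = [
    Incident("inc-1", _t(1), _t(1), "New"),
    Incident("inc-2", _t(2), _t(2), "New"),
]
SAMPLE_SECOND_POLL = [
    Incident("inc-1", _t(1), _t(5), "Active"),  # an analyst picked it up
    Incident("inc-2", _t(2), _t(2), "New"),     # unchanged
    Incident("inc-3", _t(6), _t(6), "New"),     # created since the last poll
]


def run_scenario():
    """Run both sensors over the sample polls and report what each forwards."""
    state = SensorState(created_watermark=T0, modified_watermark=T0)
    out = {}
    for label, batch in (("poll1", SAMPLE_FIRST_POLL),
                         ("poll2", SAMPLE_SECOND_POLL),
                         ("poll3", SAMPLE_SECOND_POLL)):  # poll3 repeats poll2
        out[f"{label}_new"] = [i.incident_id for i in poll_new_incidents(state, batch)]
        out[f"{label}_updated"] = [i.incident_id for i in poll_updated_incidents(state, batch)]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The third poll deliberately returns the same data as the second: nothing is forwarded again, which is the property the overlap window would otherwise break. The `seen` map grows with every incident, so a real sensor should prune entries older than the overlap window or keep them in a store.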


Triggers

No triggers


Known Issues

Asynchronous actions do not strip default or None values from the data they send to the CDC. The AMQP service, which collects messages from RabbitMQ and pushes them to ST2, currently does not handle these values and fails to push the affected triggers to ST2. This should be fixed in a new ucf-microservices release.
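Until that release lands, the payload can be cleaned on the sending side. The Python below is an added example (not part of the integration) that strips None values and declared defaults from a trigger payload before it is published, and provides a check that a payload is free of None values. The payload shape, the default values and the trigger name are constructed for the example.

```python
import json


def strip_empty(value, defaults=None):
    """Recursively drop dict keys whose value is None or equals its declared default,
    and drop None elements from lists. Other values are returned unchanged."""
    defaults = defaults or {}
    if isinstance(value, dict):
        cleaned = {}
        for key, item in value.items():
            if item is None:
                continue
            if key in defaults and item == defaults[key]:
                continue  # default value; the receiver will fill it in itself
            cleaned[key] = strip_empty(item, defaults)
        return cleaned
    if isinstance(value, list):
        return [strip_empty(item, defaults) for item in value if item is not None]
    return value


def contains_none(value):
    """True if a None survives anywhere in a nested dict/list structure."""
    if value is None:
        return True
    if isinstance(value, dict):
        return any(contains_none(item) for item in value.values())
    if isinstance(value, list):
        return any(contains_none(item) for item in value)
    return False


def build_trigger_message(trigger, payload, defaults=None):
    """Return the JSON an AMQP publisher would send, refusing payloads that
    still carry None values after cleaning."""
    cleaned = strip_empty(payload, defaults)
    if contains_none(cleaned):
        raise ValueError("payload still contains None values")
    return json.dumps({"trigger": trigger, "payload": cleaned}, sort_keys=True)


# Constructed sample: an update produced by an asynchronous action.
TRIGGER_DEFAULTS = {"severity": "Medium", "labels": []}
SAMPLE_TRIGGER = {
    "incident_id": "inc-1",
    "status": "Active",
    "owner": None,             # unassigned -> would break the AMQP service
    "severity": "Medium",      # equals the default -> dropped
    "labels": [],              # equals the default -> dropped
    "alerts": [{"alert_id": "a-1", "description": None}, None],
}


if __name__ == "__main__":
    print(build_trigger_message("sentinel.update_alert", SAMPLE_TRIGGER, TRIGGER_DEFAULTS))
```

Defaults are matched by key name at every nesting level, which is enough for a flat trigger schema; a schema with the same key meaning different things at different depths would need per-path defaults instead.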

