Microsoft Azure Sentinel 12.6.3
- Updated on 14 Dec 2022
tags: python | SIEM
Description
The Microsoft Azure Sentinel integration supports CDC users by extracting logs from Sentinel as alerts and observables, enabling them to make informed incident-response decisions.
Sentinel is a scalable, cloud-native, Security Information and Event Management (SIEM) solution. It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.
CyberProof supports various observable models depending on configuration. These models group observables under headings; without a model, observables are left independent.
Microsoft Sentinel, via KQL (Keyword Query Language), enables querying the collected data and interactively analysing the results. KQL queries are used to retrieve records that match particular criteria, identify trends, analyse patterns, and provide a variety of insights into the data.
Field | Value |
---|---|
Integration Type | SIEM |
Information read | Logs from Microsoft Sentinel based on defined criteria. |
API Supported | INCIDENTS = "2020-01-01" |
Input | N/A |
Output | Detailed logs that lead to the creation of alerts and observables in the CDC. |
Customer Configuration
No Customer Configuration
CDC Command Lines
* **complete_alert_data_cli**
This CLI completes alert information. Example: `complete_alert_data_cli --alert_ids=["59889e23-0229-64fe-ec12-7058e1f9be87","45852sdfs3-0229-64fe-ec12-7058e1f9be87"] --alerts_limit=2 --base_events_limit=5` (the default limit is 10).
Option | Type | Description | Required |
---|---|---|---|
alert_ids | array | Alert IDs from Sentinel. | False |
alerts_limit | integer | Maximum number of Sentinel alerts to extract. | False |
base_events_limit | integer | Maximum number of Sentinel base events to extract. | False |
Workflows
* **async_update_alert**
Update alerts in the CDC from updated Sentinel incidents.
* **complete_alert_data**
This workflow completes alert information and is invoked by `complete_alert_data_cli`. Example: `complete_alert_data_cli --alert_ids=["59889e23-0229-64fe-ec12-7058e1f9be87","45852sdfs3-0229-64fe-ec12-7058e1f9be87"] --alerts_limit=2 --base_events_limit=5` (the default limit is 10).
* **create_alert**
Create alerts in the CDC from Sentinel incidents.
* **enrich_ala_incident**
Enrich Sentinel incidents by Azure Log Analytics.
* **execute_close_incident**
Close an incident in Sentinel.
* **fetch_ala_data**
This workflow is used to fetch an incident and its alerts from Azure Log Analytics.
* **update_alert**
Update alerts in the CDC from updated Sentinel incidents.
* **update_alert_wrapper**
Update alerts in the CDC from updated Sentinel incidents.
Rules
* **close_alert_lisenter**
Triggers closing the corresponding incident in Sentinel.
* **create_alert_lisenter**
Triggers injecting a new Azure Log Analytics incident to the CDC workflow.
* **update_alert_lisenter**
Triggers injecting an updated Azure Log Analytics incident to the CDC workflow.
Sensors
* **SentinelSensor**
Sensor to pull incidents from Azure Sentinel.
Poll interval - 30s
* **SentinelUpdateSensor**
Sensor to pull updated incidents from Azure Sentinel.
Poll interval - 30s
Triggers
No triggers
Known Issues
- Asynchronous actions do not remove default or None values when sending data to the CDC. Currently the AMQP service, which collects messages from RabbitMQ and pushes them to ST2, does not handle these cases and fails to push such triggers to ST2. This is expected to be fixed in new ucf-microservices releases.
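As an added example (not code from the pack or from ucf-microservices), the caller-side workaround for the issue above: strip None values and fields still at their declared default from a trigger payload before it is published, so the AMQP service never sees them. `TRIGGER_DEFAULTS` and the sample incident are constructed for illustration and are not the pack's real schema.

```python
from __future__ import annotations

from typing import Any, Mapping, Optional

# Constructed sample of parameter defaults a trigger schema might declare.
# These are assumptions for the example, not the pack's actual schema.
TRIGGER_DEFAULTS: dict[str, Any] = {
    "severity": "Informational",
    "status": "New",
    "labels": [],
    "owner": None,
}


def strip_defaults(payload: Mapping[str, Any],
                   defaults: Optional[Mapping[str, Any]] = None) -> dict[str, Any]:
    """Return a copy of payload without None values and without fields equal
    to their declared default. Nested dicts are cleaned recursively (without
    defaults); lists keep their order but drop None items. Empty nested
    containers are dropped entirely."""
    defaults = defaults or {}
    cleaned: dict[str, Any] = {}
    for key, value in payload.items():
        if value is None:
            continue  # the AMQP service cannot handle None, so never send it
        if key in defaults and value == defaults[key]:
            continue  # still at its default: omit rather than send it
        if isinstance(value, Mapping):
            nested = strip_defaults(value)
            if nested:
                cleaned[key] = nested
            continue
        if isinstance(value, list):
            items = [item for item in value if item is not None]
            if items:
                cleaned[key] = items
            continue
        cleaned[key] = value
    return cleaned


def build_update_payload(incident: Mapping[str, Any]) -> dict[str, Any]:
    """Normalise an incident update before publishing it to the AMQP service."""
    return strip_defaults(incident, TRIGGER_DEFAULTS)


if __name__ == "__main__":
    # Constructed sample update carrying None and default-valued fields.
    sample = {"incident_id": "00000000-0000-0000-0000-000000000000",
              "severity": "Informational", "status": "Closed", "owner": None,
              "labels": [], "extra": {"classification": None, "comment": "closed"}}
    print(build_update_payload(sample))
```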