(Last updated January 18th 2021)
Special thanks to @Ofer_Shezaf and @Alp Babayigit, who collaborated with me on this blog post.
In this blog post we introduce a solution that uses Logic Apps to automatically attach evidence to Microsoft Sentinel alerts and send them to an Event Hub that can be consumed by 3rd party SIEMs and ticketing systems.
From our customers engagements we learned that sometimes customers prefer to maintain their existing SIEM alongside Microsoft Sentinel.
Among the reasons for doing so are:
In addition, customers often use a ticketing system, such as Service Now or JIRA to manage incidents at the SOC and need to forward alert information to those systems.
Traditionally, customers forwarded alerts from Microsoft Sentinel to their existing SIEM or ticketing systems using the Graph Security API. You can do so for Splunk, QRadar, Service Now or any other SIEM or Ticketing System that supports Event Hub ingestion.
However, in a side by side deployment, alerts from one platform need to be sent to the other to enable a single pane of glass for the analyst. To ensure efficient triaging on the primary pane of glass, the alerts have to include enough supporting information. When the 3rd Party SIEM or ticketing system is used as the primary pane of glass, this translates to sending both Microsoft Sentinel alerts and their supporting events to this system.
When you press “Events”, you are redirected to the “Logs” screen to view the supporting events relevant to the alert. Those can be, but are not necessarily, raw events collected by Microsoft Sentinel. Instead, the alert rule determines what to present as supporting events. Learn more about how a rule controls the supporting evidence in the Microsoft Sentinel KQL lab (YouTube, deck) and the Microsoft Sentinel rule writing Webinar (YouTube, deck).
As an example, the following alert rule taken from the KQL Lab uses the summarize and extend keywords to produce just the data relevant to the detected anomalies:
In this article, we demonstrate how to use the Microsoft Sentinel SOAR capability and leverage a Logic App playbook to send alerts, together with their associated supporting events, to a 3rd party SIEM.
The playbook, available here, works as follows:
The JSON that is sent to the Event Hub looks as below. The “SupportingEvents” attribute is added by the playbook.
{
  "Alert": "AD user created password not set within 24-48 hours",
  "AlertsDescription": "Identifies whenever a new account is created with a …",
  … additional alert fields
  "AlertEntites": "[{
      "$id": "3",
      "DnsDomain": "Contoso.Azure",
      "HostName": "ContosoDc",
      "Type": "host"
    }, {
      "$id": "4",
      "Name": "MSOL_d9f03d5ca7ff",
      "Type": "account"
    }]",
  "Events": "[{
      "StartTimeUtc": "2020-06-02T17:03:16.44Z",
      "EventID": 4722,
      "Computer": "ContosoDc.Contoso.Azure",
      "TargetUserName": "XXX",
      "TargetDomainName": "CONTOSO",
      "SubjectUserName": "ContosoAdmin",
      "timestamp": "2020-06-02T17:03:16.44Z",
      "AccountCustomEntity": "XXX",
      "HostCustomEntity": "ContosoDc.Contoso.Azure"
    }, {
      "StartTimeUtc": "2020-06-02T16:29:56.963Z",
      "EventID": 4722,
      "Computer": "ContosoDc.Contoso.Azure",
      "TargetUserName": "XXX",
      "TargetDomainName": "CONTOSO",
      "SubjectUserName": "ContosoAdmin",
      "timestamp": "2020-06-02T16:29:56.963Z",
      "AccountCustomEntity": "XXX",
      "HostCustomEntity": "ContosoDc.Contoso.Azure"
    }]"
}
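As an added example (not the playbook's own code, nor part of the original post), here is a consumer-side Python parser that turns one such Event Hub message into a ticket-ready record. It assumes, as shown above, that the nested "AlertEntites" and "Events" fields arrive as JSON-encoded strings rather than objects, and it uses a constructed sample message; a malformed or missing evidence field keeps the alert and drops only the evidence.

```python
import json
from typing import Any

# Constructed sample of one Event Hub message in the shape shown above:
# the nested arrays are JSON-encoded strings, not JSON objects.
SAMPLE_MESSAGE = json.dumps({
    "Alert": "AD user created password not set within 24-48 hours",
    "AlertsDescription": "Identifies whenever a new account is created with a ...",
    "AlertEntites": json.dumps([
        {"$id": "3", "DnsDomain": "Contoso.Azure", "HostName": "ContosoDc", "Type": "host"},
        {"$id": "4", "Name": "MSOL_d9f03d5ca7ff", "Type": "account"},
    ]),
    "Events": json.dumps([
        {"StartTimeUtc": "2020-06-02T17:03:16.44Z", "EventID": 4722,
         "Computer": "ContosoDc.Contoso.Azure", "TargetUserName": "XXX",
         "SubjectUserName": "ContosoAdmin"},
        {"StartTimeUtc": "2020-06-02T16:29:56.963Z", "EventID": 4722,
         "Computer": "ContosoDc.Contoso.Azure", "TargetUserName": "XXX",
         "SubjectUserName": "ContosoAdmin"},
    ]),
})


def _decode_nested(value: Any) -> list:
    """Return a list from a field that may be a JSON string, a list, or absent."""
    if value is None:
        return []
    if isinstance(value, list):          # tolerate a sender that already expanded it
        return value
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return []                        # malformed evidence: keep the alert, drop the evidence
    return parsed if isinstance(parsed, list) else []


def parse_alert_message(raw: str) -> dict:
    """Flatten one Event Hub message into a record a ticketing system can ingest."""
    msg = json.loads(raw)
    entities = _decode_nested(msg.get("AlertEntites"))
    events = _decode_nested(msg.get("Events"))
    return {
        "title": msg.get("Alert", "(untitled alert)"),
        "description": msg.get("AlertsDescription", ""),
        "hosts": sorted({e["HostName"] for e in entities if e.get("Type") == "host" and "HostName" in e}),
        "accounts": sorted({e["Name"] for e in entities if e.get("Type") == "account" and "Name" in e}),
        "event_count": len(events),
        "event_ids": sorted({e["EventID"] for e in events if "EventID" in e}),
        "first_seen": min((e["StartTimeUtc"] for e in events if "StartTimeUtc" in e), default=None),
    }
```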
Most, if not all, SIEMs can consume the alerts from an Event Hub. Consult with your SIEM vendor on how. The following are instructions for consuming the alerts from the Event Hub to popular SIEM platforms:
Alternatively, if your SIEM or ticketing system supports an API, you may be able to connect directly from the Logic App playbook to your SIEM using the Logic App HTTP connector or, if available, a dedicated connector such as those available for Service Now or Jira.
We just walked through how enrichment can be done at the Microsoft Sentinel level by leveraging cloud native capabilities in Azure before forwarding to a 3rd party SIEM or to a ticketing system. Stay tuned for more use cases in our Blog channel!
Thanks