Azure Sentinel News
Extending Azure Sentinel: APIs, Integration and management automation

Azure Sentinel News Editor by Azure Sentinel News Editor
December 14, 2020
in SIEM

One of the biggest advantages of the cloud in general and Azure Sentinel, in particular, is being API focused. SIEM products are integration savvy, whether with telemetry sources or with other management platforms. The cloud makes automating this integration critical to tackling the ephemeral nature of resources. In this evolving blog post, we will cover Azure Sentinel integration and automation capabilities.

Data integration

Azure Sentinel uses Azure Log Analytics for log management and the Log Analytics APIs serve Azure Sentinel.

The Query API

Azure Sentinel enables easy and fast API access to the workspace, Azure Sentinel’s primary data store. This enables you to use Azure Sentinel as your data lake and build your own algorithms and applications over the data.

To do that, send your KQL queries using the Log Analytics query API. To learn more about how to use the query API, which is part of the Azure REST API, you might want to read getting started with Azure REST API, or read Rin Ure’s great write-up on how to use the API. There are some tools that already use the API and can make life simpler:

  • PowerShell script – now includes CSV export
  • PowerShell cmdlet
  • Azure CLI
  • Logic Apps Azure Monitor logs connector

In addition to ingested event data, the Azure Sentinel workspace stores alerts in the SecurityAlert table and bookmarks in the HuntingBookmark table, both of which can be read using the query API. Incidents are not stored in the workspace, but they can be read using the management API discussed below.
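The query API call described above, as an added example that is not part of the original post: it builds the POST to the Log Analytics query API for a KQL query against the SecurityAlert table, and converts the columnar response shape the API returns (tables, columns, rows) into plain dictionaries. The workspace ID, token and the sample response are constructed placeholders; the bearer token is assumed to have been obtained for the `https://api.loganalytics.io` resource beforehand (for example with `az account get-access-token --resource https://api.loganalytics.io`).

```python
"""Read Azure Sentinel alerts through the Log Analytics query API.

Added example (not from the original post). Workspace ID, token and the
sample response below are constructed placeholders.
"""
import json
import urllib.request

QUERY_API = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"

# KQL against the SecurityAlert table, which lives in the workspace alongside
# the ingested events (incidents do not; they need the management API).
RECENT_HIGH_SEVERITY_ALERTS = """
SecurityAlert
| where AlertSeverity == "High"
| project TimeGenerated, AlertName, ProviderName, CompromisedEntity
| order by TimeGenerated desc
"""


def build_query_request(workspace_id, token, query, timespan="P1D"):
    """Return (url, headers, body) for a POST to the query API.

    `timespan` is an ISO 8601 duration or interval; sending it in the body
    bounds the query without hard-coding a time filter into the KQL.
    """
    url = QUERY_API.format(workspace_id=workspace_id)
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    }
    body = json.dumps({"query": query.strip(), "timespan": timespan})
    return url, headers, body


def run_query(workspace_id, token, query, timespan="P1D"):
    """Send the query and return the decoded JSON response (does a network call)."""
    url, headers, body = build_query_request(workspace_id, token, query, timespan)
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def rows_as_dicts(response, table_name="PrimaryResult"):
    """Zip the API's separate column metadata and row arrays into dicts."""
    for table in response.get("tables", []):
        if table["name"] == table_name:
            names = [col["name"] for col in table["columns"]]
            return [dict(zip(names, row)) for row in table["rows"]]
    raise KeyError("table %r not in response" % table_name)


# Constructed sample response in the shape the query API returns.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "AlertName", "type": "string"},
                {"name": "ProviderName", "type": "string"},
                {"name": "CompromisedEntity", "type": "string"},
            ],
            "rows": [
                ["2020-12-14T10:15:00Z", "Suspicious process executed", "ASC", "vm-web-01"],
                ["2020-12-14T09:02:00Z", "Anomalous sign-in", "IPC", "alice@example.com"],
            ],
        }
    ]
}

if __name__ == "__main__":
    # Offline walk-through on the constructed response; swap in run_query(...)
    # with a real workspace ID and token to read from a live workspace.
    for alert in rows_as_dicts(SAMPLE_RESPONSE):
        print(alert["TimeGenerated"], alert["AlertName"], alert["CompromisedEntity"])
```

The response conversion is the part worth keeping around: every tool built on the query API ends up re-implementing the zip of `columns` and `rows`, and doing it once, keyed by table name, avoids mixing up the ordering when a query is later reprojected.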

The Data Collector API

You can ingest data to Azure Sentinel using the Log Analytics Data Collector API. You can directly use the API using your preferred programming language, but also use tools such as the Log Analytics agent, Logstash and Logic Apps without programming. The API and the different ways to use it are discussed in the custom connectors blog post.
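Using the Data Collector API directly from code, as an added example that is not part of the original post or of the custom connectors post it links to: the request is authenticated with a SharedKey header, an HMAC-SHA256 over a canonical request line computed with the workspace's shared key. The workspace ID, key and records below are constructed placeholders. As the post notes, records sent this way land in a custom table (`<Log-Type>_CL`), not in a standard table such as ThreatIntelligenceIndicator.

```python
"""Sign and build an upload to the Log Analytics Data Collector API.

Added example (not from the original post). Workspace ID, shared key and the
records are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_RESOURCE = "/api/logs"
API_VERSION = "2016-04-01"


def string_to_sign(content_length, rfc1123_date, content_type="application/json"):
    """Canonical request line the shared key signs: method, length, type, date, path."""
    return "POST\n{}\n{}\nx-ms-date:{}\n{}".format(
        content_length, content_type, rfc1123_date, API_RESOURCE)


def build_signature(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """SharedKey authorization value: HMAC-SHA256 of the canonical line, base64 encoded."""
    key = base64.b64decode(shared_key_b64)
    message = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode("ascii"))


def build_post(workspace_id, shared_key_b64, log_type, records, when=None):
    """Return (url, headers, body) for uploading `records` to the custom table <log_type>_CL.

    The signature covers the body length and the x-ms-date header, so the body
    must be serialised first and the same date must be sent as a header.
    """
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,      # the table will appear as <Log-Type>_CL
        "x-ms-date": rfc1123_date,
    }
    url = "https://{}.ods.opinsights.azure.com{}?api-version={}".format(
        workspace_id, API_RESOURCE, API_VERSION)
    return url, headers, body


if __name__ == "__main__":
    # Constructed placeholders; a real shared key comes from the workspace's
    # "Agents management" blade and must be kept out of source control.
    workspace_id = "11111111-2222-3333-4444-555555555555"
    shared_key = base64.b64encode(b"placeholder-shared-key").decode("ascii")
    records = [{"Host": "vm-web-01", "Action": "constructed-event", "Severity": "Low"}]
    url, headers, body = build_post(workspace_id, shared_key, "MyApp", records)
    print(url)
    print(headers["Authorization"])
```

Keep the shared key in a secret store (for example Key Vault) rather than in the script: it grants write access to the workspace, and the signature scheme gives the receiving side no way to tell a legitimate sender from anyone else who holds the key.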

The Graph Security API

The Graph Security API offers a direct interface, which may be easier to use for special popular data access use cases:

  • Read Azure Sentinel’s alerts.
  • Ingest TI to Azure Sentinel utilizing the built-in TI based analytics without modifications. Note that this cannot be achieved with the data collector API as it writes to custom tables rather than to the standard TI table, ThreatIntelligenceIndicator. See this blog post as an example.

Management integration and automation

Using automation for deployment and management is always a cost saver. For the cloud, in which resources are often ephemeral, automation is ever more important, and the same applies to service providers which need to on and off-board customers as efficiently as possible. Management APIs are also important to tie processes, and not just data, into other systems in the organization such as a service provider’s portal, a workflow system or a ticketing system.

The Azure Sentinel management API documentation can be found here. Swagger and example files can be found here.

Looking to include the API calls in an ARM template? The newly introduced scripting capability within ARM templates enables including any Sentinel API call in an ARM template. For more details refer to “Extending Azure Resource Manager (ARM), Azure’s control plane” from Ignite 2019.

As mentioned before, the management API gives access to incident data, which is not available through the query API. The export all incidents script is a useful example of doing that.

API permissions

Azure APIs use the same roles and permissions mechanism as does the portal. More details on Azure Sentinel roles and permissions can be found here.

Using the API to retrieve and update incident information

While both alert and incident information is available through the query API, as they are stored in tables in the workspace, updating incidents requires using the management API. As a result, it is sometimes preferable to use the management API to retrieve incident and alert information as well. Some useful examples that can help are:

  • Get entities for a Sentinel incident using the API

Using the management API to automate content deployment

The most common use for the API is to automate the deployment and update of analytics alert rules and hunting queries.

Two open-source implementations of the API you might find useful for this purpose are:

  • Automating analytics and hunting rules deployment using AzSentinel created by Wortell. You can use these scripts to export and import all rules from a workspace. If using the API directly to deploy a rule retrieved from another workspace, make sure you update the following JSON fields:
    • The id should be modified so it will fit the current workspace URI
    • The etag should be cleared
    • The lastModifiedUtc should be removed

When using any one of the scripts presented in this section, this is already handled for you.

  • Javier Soriano and Philippe Zenhaeusern have implemented a CI/CD flow using GitHub, Azure DevOps, and the Sentinel automation capabilities. It enables you to manage rules, queries, playbooks, workbooks, and more on GitHub and have them continuously deployed to your Sentinel workspace. You can even create a new workspace and connect it automatically.
  • They also discuss how to extend your CI/CD framework across workspaces and tenants.

The management API would also be the solution for backing up and restoring configuration. The automation PowerShell modules and scripts described above both read and write resources and therefore, can be used for backup and restore. Using CI/CD ensures that the master copy of the configuration is external to start with.
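The three JSON adjustments listed above for moving a rule between workspaces (rewriting the id, clearing the etag, dropping lastModifiedUtc), together with the backup-and-restore use of the same read/write path, as an added example that is not part of the original post and not code from AzSentinel. The workspace resource IDs and the exported rule are constructed placeholders shaped like a Microsoft.SecurityInsights alertRules resource; the `2020-01-01` API version and the management endpoint path are assumptions.

```python
"""Make an exported analytics rule importable into a different workspace.

Added example (not from the original post or from AzSentinel). The workspace
resource IDs, the exported rule and the API version are constructed/assumed.
"""
import copy
import json

API_VERSION = "2020-01-01"  # assumed; check the management API reference for the current version
RULES_PATH = "/providers/Microsoft.SecurityInsights/alertRules/"


def prepare_rule_for_import(rule, target_workspace_id):
    """Return a copy of `rule` with the workspace-specific fields fixed up.

    - id is rebuilt under the target workspace URI
    - etag is cleared (a stale etag makes the PUT fail the optimistic-concurrency check)
    - properties.lastModifiedUtc is removed (the service sets it)
    """
    out = copy.deepcopy(rule)
    out["id"] = target_workspace_id + RULES_PATH + out["name"]
    out.pop("etag", None)
    out.get("properties", {}).pop("lastModifiedUtc", None)
    return out


def put_url(target_workspace_id, rule_name):
    """Management API URL for creating/updating the rule in the target workspace."""
    return "https://management.azure.com{}{}{}?api-version={}".format(
        target_workspace_id, RULES_PATH, rule_name, API_VERSION)


def backup_rules(rules):
    """Serialise exported rules keyed by name, with the same fields stripped.

    Stripping them at backup time means the file is workspace-agnostic and can be
    restored into the original workspace or any other one with prepare_rule_for_import.
    """
    neutral = {}
    for rule in rules:
        stripped = copy.deepcopy(rule)
        stripped.pop("id", None)
        stripped.pop("etag", None)
        stripped.get("properties", {}).pop("lastModifiedUtc", None)
        neutral[rule["name"]] = stripped
    return json.dumps(neutral, indent=2, sort_keys=True)


# Constructed placeholders: a dev and a prod workspace and one exported rule.
SOURCE_WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel-dev"
             "/providers/Microsoft.OperationalInsights/workspaces/sentinel-dev")
TARGET_WS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel-prod"
             "/providers/Microsoft.OperationalInsights/workspaces/sentinel-prod")
EXPORTED_RULE = {
    "id": SOURCE_WS + RULES_PATH + "aaaaaaaa-1111-2222-3333-444444444444",
    "name": "aaaaaaaa-1111-2222-3333-444444444444",
    "type": "Microsoft.SecurityInsights/alertRules",
    "etag": '"0a00b1c2-0000-0000-0000-000000000000"',
    "kind": "Scheduled",
    "properties": {
        "displayName": "Repeated failed sign-ins per user (constructed)",
        "enabled": True,
        "severity": "Medium",
        "query": 'SigninLogs | where ResultType == "50126" '
                 '| summarize failures = count() by UserPrincipalName | where failures > 20',
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "lastModifiedUtc": "2020-12-14T10:00:00Z",
    },
}

if __name__ == "__main__":
    portable = prepare_rule_for_import(EXPORTED_RULE, TARGET_WS)
    print("PUT", put_url(TARGET_WS, portable["name"]))
    print(json.dumps(portable, indent=2))
    print(backup_rules([EXPORTED_RULE]))
```

The deep copy matters when a script exports and imports in one pass: mutating the exported object in place would leave the backup of the source workspace with the target's id, which defeats the point of keeping a master copy.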

Automated deployment and configuration for other resources

Azure Sentinel uses other resources which are part of the Azure environment and for which you would need to use their own deployment automation mechanism:

  • Workbooks: use ARM. To ensure the workbook is listed in Sentinel:
    • Set the sourceId to the workspace resource ID (it should look similar to /subscriptions/… /resourcegroups/…/providers/microsoft.operationalinsights/workspaces/…)
    • Set the category to “sentinel”
  • Logic App playbooks: use ARM. To ensure the playbook appears in Sentinel:
    • It has to use the Sentinel trigger.
    • It has to be in the same subscription as the workspace.
  • Saved searches and functions:
    • API
    • PowerShell cmdlets: create, remove, get
  • Connectors:
    • Set the Security Events collection tier
    • Configure Azure AD to deliver audit and sign-in logs to Sentinel
    • Enable Azure Firewall diagnostics using PowerShell
    • Enable Azure WAF diagnostics using PowerShell
    • Enable Azure DDoS diagnostics using PowerShell

Using Azure Policy to collect from Azure services

The recommended way to configure Azure services to stream to Azure Sentinel is to use Azure Policy. This ensures new services are automatically set to collect, without the user having to wait for them to be connected. Create-AzDiagPolicy (GitHub, PowerShell Gallery) allows you to create Azure Policies for enforcing Azure services to log.

To learn more about using Azure Policy to ensure any new Azure resource sends telemetry to Azure Sentinel, read Tao Yang’s blog post, though note that the referenced policy templates are out of date and the script above should be used instead.

Lastly, for ASC (Azure Security Center) continuous export, use the built-in policy ‘Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations’ (Policy ID: ffb6f416-7bd2-4488-8828-56585fef2be9) or use this policy template. Use ASC continuous export to collect ASC recommendations, as well as an alternative to the ASC alerts connector, albeit with some limitations.

About API support and versioning

While cloud applications’ user interfaces change on an ongoing basis, on the API side we commit to longer-term consistency. So, while the APIs do change regularly:

  • A breaking change requires a new version of the API.
  • Existing versions can be deprecated only after 3 years for GA APIs, or 90 days for preview APIs, and need to follow a deprecation process.

[Image: apis.jpg]

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/extending-azure-sentinel-apis-integration-and-management/ba-p/1116885

Copyright © 2020 - Azure Sentinel News
