
Azure Sentinel SIEM Integration

2023.03.23

Overview

Oort's platform can feed its findings into the Azure Sentinel workflows that security teams already use. This document walks you through the Azure side of the integration (the Azure AD app registration, data collection endpoint, custom log table and data collection rule) and then through configuring the matching Sentinel integration in the Oort console.
For more information, see the short overview video "SIEM Integration - Azure Sentinel".

Azure Sentinel Integration - High-level Steps

This article follows the Microsoft Azure Monitor tutorial "Send data to Azure Monitor Logs by using a REST API (Azure portal)", which is the ingestion path Azure Sentinel uses for custom tables.
The following items will be needed to complete the integration inside of the Oort Console:
  • Name / Description - (What Azure Sentinel instance are you connecting to?)
  • Directory (tenant) ID
  • Application (client) ID
  • Application (client) Secret
  • Logs ingestion Endpoint URI
  • Custom Log Table Name
  • Data Collection Rule Immutable ID
The sections below go into more detail on each of the steps.

Azure Sentinel Configuration

  1. Configure an Azure application registration to authenticate against the API, following the Microsoft instructions. Note the Application (client) ID, Directory (tenant) ID and the secret value for later setup. Client secrets have an expiry date; note it as well, because the integration stops sending data once the secret expires.
  2. Create a data collection endpoint (DCE), following the Microsoft instructions. Note the Logs ingestion URI for later setup.
  3. Add a custom log table, following the Microsoft instructions. Note the table name for later setup and be aware that Azure appends _CL to the table name automatically; the integration needs the full name including the _CL suffix.
  4. After clicking Next, the next step is to parse and filter a sample data set. On the Schema and transformation screen, use the Microsoft instructions as a reference, but complete the process with the data and steps below. Do not use the sample data and transform code provided in the Microsoft article.
    1. Save the content of the block below to a local file, or download the sample data file linked below. NOTE: this step is done outside of the Azure portal.
    [{
    "activity": "END_USER__CHECK_FAILED",
    "targetResourceIds": {
    "checkId": "no-mfa",
    "login": "[email protected]",
    "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"]
    },
    "lastModified": "2022-11-02T12:28:07.850Z"
    }]
    Sentinel_sample_data_Oort.json
    2. Click Browse for files and select the file saved in the previous step.
    3. The data from the sample file is displayed with a warning that TimeGenerated is not in the data. Click Transformation editor to open the transformation and paste the content of the block below (note that source is already present in the editor UI):
    source
    | extend TimeGenerated = todatetime(['lastModified'])
    | project-rename activityDate = lastModified
    4. Click Run to view the results, Apply to save the transformation, Next to get to the Review tab, and Create to save the custom log table.
  5. Collect the immutable ID of the data collection rule (DCR), following the Microsoft instructions; it is the immutableId property shown in the DCR's JSON View. Note it for later setup.
  6. Assign permissions on the DCR to the app registration, following the Microsoft instructions. When done, your App Registration appears as a Monitoring Metrics Publisher under the DCR's Role Assignments tab. Scope the assignment to the DCR itself rather than to the resource group or subscription; that one role on that one resource is all the app registration needs in order to send data.
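The transformation in step 4 is the only place where TimeGenerated is produced, so a sample file with a bad or missing lastModified silently yields rows with no timestamp. The following is an added example, not Oort's code or Azure's: it re-implements the two KQL operators in Python so a sample file can be dry-run locally before it is uploaded. The records are constructed (one valid record in the shape of the page's sample, one with an unparseable timestamp, one with the field missing).

```python
"""Offline dry run of the DCR transformation used in the custom table setup.

Added example (not Oort's or Azure's code). Emulates

    source
    | extend TimeGenerated = todatetime(['lastModified'])
    | project-rename activityDate = lastModified

so that a sample file can be checked before the Schema and transformation
step. Records whose lastModified does not parse get a null TimeGenerated,
which is the condition the portal warns about.
"""
from datetime import datetime, timezone

# Constructed sample records: valid, unparseable timestamp, missing field.
SAMPLE_RECORDS = [
    {
        "activity": "END_USER__CHECK_FAILED",
        "targetResourceIds": {
            "checkId": "no-mfa",
            "login": "user@example.com",
            "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"],
        },
        "lastModified": "2022-11-02T12:28:07.850Z",
    },
    {"activity": "END_USER__CHECK_FAILED", "targetResourceIds": {},
     "lastModified": "yesterday"},
    {"activity": "END_USER__CHECK_FAILED", "targetResourceIds": {}},
]


def todatetime(value):
    """Approximates KQL todatetime(): ISO 8601 string in, aware UTC datetime
    out, None (KQL null) for anything that does not parse."""
    if not isinstance(value, str):
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:          # KQL datetimes are always UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def transform(records):
    """Apply the extend and project-rename steps to every input record."""
    out = []
    for source in records:
        row = dict(source)                                   # extend: add a column
        row["TimeGenerated"] = todatetime(source.get("lastModified"))
        if "lastModified" in row:                            # project-rename
            row["activityDate"] = row.pop("lastModified")
        out.append(row)
    return out


def problems(records):
    """Return (index, reason) for every record that would get no TimeGenerated."""
    found = []
    for i, row in enumerate(transform(records)):
        if row["TimeGenerated"] is None:
            if "activityDate" not in row:
                reason = "missing lastModified"
            else:
                reason = f"unparseable lastModified {row['activityDate']!r}"
            found.append((i, reason))
    return found


if __name__ == "__main__":
    for i, reason in problems(SAMPLE_RECORDS):
        print(f"record {i}: {reason}")
```

Run it against the file you intend to upload (load it with json.load and pass the list to problems()); an empty result means every row will carry a TimeGenerated after the transformation.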

Azure Configuration Summary

After the setup above, you will have the following components in your Azure tenant. These objects are used to set up the corresponding Sentinel SIEM integration in Oort:
  • App registration (client ID, client secret, tenant ID)
  • Logs Ingestion Endpoint URI from the data collection endpoint (DCE) to receive data over HTTP
  • Data collection rule (DCR) immutable Id
  • Custom table name in Log Analytics workspace (including the _CL suffix)

Oort Tenant Configuration for Sentinel

Within your Oort console, follow these steps to configure your Sentinel integration.
  1. On the Integrations page, click Add Integration and scroll to the bottom of the page to select Azure Sentinel.
  2. Enter the information collected above:
    1. Name - for display purposes only
    2. Description (optional)
    3. Azure directory (tenant) ID
    4. App (client) ID
    5. App (client) secret
    6. Logs Ingestion Endpoint URI - a property of the data collection endpoint (DCE) created above
    7. Custom log table name, including the _CL suffix
    8. DCR Immutable ID - found in the JSON View of the DCR
  3. Click Save.
  4. On the Integrations page, click the 3-dot menu for the Sentinel integration and select Test Connectivity.
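If Test Connectivity fails, it helps to exercise the same path yourself, outside of Oort, with the values you just entered. The script below is an added example, not Oort's code: it obtains a client-credentials token for the app registration and POSTs a JSON array to the DCE for the DCR and custom table, using only the Python standard library. All configuration values are hypothetical placeholders read from the environment, and the event it sends is constructed in the shape of the page's sample file.

```python
"""Send a test batch to the Azure Monitor Logs Ingestion API.

Added example (not Oort's code). Mirrors what the console does behind
Test Connectivity: client-credentials token, then HTTP POST to the data
collection endpoint (DCE), addressed by the DCR immutable ID and the
custom table's stream name. Configuration comes from environment
variables (hypothetical names): TENANT_ID, CLIENT_ID, CLIENT_SECRET,
DCE_URI, DCR_ID, TABLE.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
# Scope for the Logs Ingestion API; the double slash is intentional and
# matches Microsoft's tutorial.
SCOPE = "https://monitor.azure.com//.default"

# Constructed event in the shape of the page's sample file.
SAMPLE_EVENTS = [{
    "activity": "END_USER__CHECK_FAILED",
    "targetResourceIds": {
        "checkId": "no-mfa",
        "login": "user@example.com",
        "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"],
    },
    "lastModified": "2022-11-02T12:28:07.850Z",
}]


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the OAuth2 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return url, body


def ingestion_url(dce_uri, dcr_immutable_id, table_name):
    """Stream URL for a custom table: the stream is Custom-<table>_CL and the
    DCR is addressed by its immutable ID (dcr-...), not its display name."""
    if not table_name.endswith("_CL"):
        raise ValueError("custom table name must include the _CL suffix")
    if not dcr_immutable_id.startswith("dcr-"):
        raise ValueError("use the DCR immutable ID from the JSON View, not its name")
    return (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table_name}?api-version={API_VERSION}")


def build_payload(events):
    """The body is a JSON array; each record needs the columns the DCR
    transformation reads (lastModified feeds TimeGenerated)."""
    required = {"activity", "targetResourceIds", "lastModified"}
    for i, event in enumerate(events):
        missing = required - event.keys()
        if missing:
            raise ValueError(f"event {i} is missing {sorted(missing)}")
    return json.dumps(events).encode()


def post(url, body, headers):
    """POST and return (status, response text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def send_events(cfg, events):
    """Full exchange; 204 No Content from the DCE means the batch was accepted."""
    tok_url, tok_body = token_request(cfg["TENANT_ID"], cfg["CLIENT_ID"],
                                      cfg["CLIENT_SECRET"])
    status, text = post(tok_url, tok_body,
                        {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return status, text                # wrong tenant ID, client ID or secret
    token = json.loads(text)["access_token"]
    return post(ingestion_url(cfg["DCE_URI"], cfg["DCR_ID"], cfg["TABLE"]),
                build_payload(events),
                {"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    keys = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "DCE_URI", "DCR_ID", "TABLE")
    print(send_events({k: os.environ[k] for k in keys}, SAMPLE_EVENTS))
```

Read the status code the way you would read it from the console: a failure at the token step points at the tenant ID, client ID or secret (or an expired secret); 403 from the DCE means the Monitoring Metrics Publisher assignment on the DCR is missing or not yet propagated; 404 means the immutable ID or the stream name (the table name with its _CL suffix) is wrong; 400 means the body does not match the table schema the DCR expects.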

Viewing your Oort logs in Azure Sentinel

By default, your Oort tenant sends all new Check failures for all checks to your Azure Sentinel custom table once every 24 hours.
To produce new check failures ahead of that schedule (for example, to verify the integration end to end), do the following:
  1. From the Integrations page, manually run collection for your Azure data integration using the Collect Now option.
  2. After that completes, from the Checks page, select Run Checks Now.
To view your logs in Azure Sentinel, do the following:
  1. Navigate to the Azure Sentinel instance that contains the custom table you created for this integration.
  2. Select Logs in the left navigation pane.
  3. In the query editor, run a query against the custom table by entering its name (including the _CL suffix).
  4. The results show the most recent check failures from your Oort tenant.
  5. Expand individual rows of the results table to see the details of each item.