Oort Knowledge Base
  • Home
  • Glossary
  • 📊Dashboard
  • 👥Understanding your users
    • 📇Users
      • 💾Saved Filters
      • ❓Basic Search & Advanced Query Mode
    • 🩻User 360
      • 🗺️Overview Tab
      • 🔬Activity Tab
      • 📶Networks Tab
      • 💻Devices Tab
      • 🪺Applications and Groups Tabs
      • ✅Checks Tab
    • 🔗Linking User Accounts
    • 🤷User Statuses
  • 🧩Configuring Integrations
    • Managed Integrations
    • Auth0
      • Auth0 Data Integration
      • Auth0 Log Streaming & Marketplace App
    • Microsoft Entra ID (Azure AD) Data Integration
    • Microsoft Entra ID (Azure AD) SSO Integration
    • Azure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)
    • Azure Sentinel SIEM Integration
    • AWS
    • Duo Security Integration
    • Email Notifications
    • Github
    • Google Workspace Integration
    • Jira Integration
    • Mailgun Integration
    • Microsoft Teams Notification Integration
    • Okta Log Streaming AWS EventBridge Integration
    • Okta Data Integration
    • Okta Workflows
    • Okta Integration Network - Production SSO App
    • Okta SSO
    • Polarity Integration
    • Salesforce Integration
    • SendGrid Integration
    • ServiceNOW Integration
    • Slack
    • Webex Notification Integration
    • Webhooks
    • Workday
      • Manual Import (CSV)
      • Report as a Service (RaaS)
  • ☑️Understanding Check failures
    • 🔍Reviewing Check Results
    • 🧹Customizing Checks
    • 📖Cisco Identity Insights
      • Identity Threat Detection Insights
        • A Bypass Code Was Used To Successfully Sign In
        • Access From Dormant Account
        • Accounts With Unusually High Activity
        • Active Account Under Heavy Attack
        • Activity From Untrustworthy ISP
        • Admin Impersonation in Okta
        • Admin Role Assigned to User
        • Allow/Block Email Logins
        • Azure Admin Activity Anomaly
          • Admin Activity Anomaly Insights Explained
        • Code Exfiltration By Guest Account
        • Compromised Session
        • Impossible Travel
        • Inactive Account Probing
        • IP Threat Detected
          • IP Threat Detected In Depth
        • Login to Admin Console
        • MFA Flood
        • New Country for Tenant
        • New IDP Created
        • Okta Admin Activity Anomaly
        • Rare Browser Activity
        • Risky Parallel Sessions
        • Service Account Successful Sign In
        • Shared Mailbox Successful Sign In
        • Sign-in from Recently Created IDP
        • Sign In Threat Detected
        • Successful Access from a Previously Only Failing IP
        • Super Admin Login to Google
        • Suspicious Activity Reported by End User
        • Unusual Repo Access
        • User IP in Blocked State
        • Users With Defined Email Forward Rules
        • Users With New Email Forward Rules
      • Identity Posture Management Insights
        • Access from Denied Countries
        • Application Login Bypasses SSO
        • Applications with Expired Secret
        • HRIS Discrepancy
        • Inactive Guest Users
        • Inactive Users
        • Missing Value in Mandatory Field
        • Never Logged In
        • No MFA Configured
        • Okta Long Running Sessions
        • Okta Session Length Policy Compliance
        • Identity Intelligence Client Secret Expiring Soon
        • Personal VPN Usage
        • Rate Limit Alert
        • Role Assigned to Azure Cloud Only Account
        • Salesforce Direct Login Settings
        • Shared Mailbox Sign In Enabled
        • Slack User Inconsistencies
        • Telecom MFA Limit Reached
        • Unmanaged Devices Access
        • Unused application for a user
        • Upcoming App Key Expiration
        • User Has Directly Assigned Application
        • User in IDP but not in HRIS
        • User Password Expiration Failure
        • User Type Missing
        • Users Sharing Authenticators
        • User Stuck in Non-functional State
        • No strong MFA configured
        • Weak MFA Was Used To Successfully Sign In
  • ⚙️Tenant Settings
    • 👨‍💼Role-based Access (RBAC) and Reviewing Access Logs
  • 🏥Identity Posture Score
  • 🚨User Trust Level
  • How-to Guides
    • 🔐Accessing and Securing your Cisco Identity Intelligence Tenant
    • 🛂Importing Known IP Address Lists
    • 🔎Networks Tab & User Investigations
    • 🔁Okta Workflows Webhook Example
    • 🛠️Triaging Alerts and Remediation Actions
    • 🗃️Understanding HRIS Data and SCIM
    • MFA Factors FAQ
  • Public API
    • APIs
  • Troubleshooting & Support
    • API Permissions for Integrations
    • Responsible Disclosure Policy
    • Systems Logs
  • Best Practices
    • 📚Identity Security Reading List
    • ✍️KPIs for
 IAM Teams
  • Blogs
    • 0ktapus for humans
    • Oort Releases GitHub Integration To Extend Identity Threat Detection
    • Oort Recognized Twice as a Sample Vendor in Gartner® 2023 Hype Cycle Reports™
    • Oort's Response Capabilities: Remediate Compromised Accounts with Just One Click
    • Oort Unveils Dashboard, Providing A Single Pane of Glass for Identities
    • Oort’s New Identity Security Dashboard
    • Oort Unveils Identity Technology Ecosystem, Bringing Identity Data out of Orbit and Into View
    • Oort: Your Security Layer On Top Of Okta
    • Populating the Unpopulated: Challenges of Building a Comprehensive User Inventory
    • Protecting IT Help Desk Teams Against Cyber Attacks
    • Protecting Salesforce Accounts from Takeovers and Ungoverned Access
    • Restrict Guest Access Permissions: Best Practices and Challenges
    • Seizing the Communication Opportunity: Aligning Perspectives in Identity Security
    • Session Hijacking in a Post-Genesis World
    • SIEM vs. Security Data Lake: Why it's Time to Rethink Your Security Program
    • Speaking the Same Language for Identity Security: Identify, Protect, Detect, Respond
    • State of Identity Security research reveals 40% of accounts use weak or no form of multi-factor authentication to protect identities
    • Strengthening Identity Controls: Mapping to CIS CSC and NIST CSF Security Frameworks
    • Strengthening Identity Security with Single Sign-On (SSO) Systems
    • Succeeding with Proper Detection for Identity Security: A Comprehensive Approach
    • Taking a Data-Driven Approach to Identity Security
    • The Concerning Prevalence of Weak Second Factors
    • The Crucial Role of an Identity Security Leader
    • Why I am Joining Oort
    • The Quest for a Passwordless World
    • Understanding Azure Active Directory (Azure AD)
    • Understanding the Implications of New SEC Rules on Cyber Incident Disclosure
    • Unlocking the Power of Zero Trust: The Crucial Role of Identity and Oort's Identity Security Platform
    • Respond Even Quicker to Identity Threats
    • What to Look Out For at Gartner IAM
    • 7 Critical Requirements for Securing Third-Party and Vendor Access
    • Best Practices for Efficiently Responding to Identity Threats
    • Announcing our Identity Technology Partner Ecosystem
    • Catching waves and building clouds
    • Cisco Announces Intent to Acquire Oort
    • CISO Perspectives: Eric Richard, HubSpot
    • Defining Roles & Responsibilities for an Identity Security Program
    • Detecting Session Hijacking
    • 8 Things to Look for in an ITDR Solution
    • Enhancing Identity Threat Detection: Introducing Oort’s New GitHub Integration
    • Founder Perspective: Matt Caulfield On Why He Started Oort
    • Founder Perspective: Vision To Reality
    • Four Reasons Why Traditional SIEMs Fall Short For Identity Security Programs
    • How Oort Partners with Duo for Unbeatable Secure Access
    • Governance, Risk, and Compliance
    • How to Find Inactive Users
    • Identity and Access Management and Oort Explained
    • 5 Identity Security Questions Every IAM Leader Needs to Answer
    • Identity security is bigger than just ITDR
    • Identity is the apex threat vector, so why is identity security still a mess?
    • Identity Threat Detection
    • Identity Threat Detection and Response: what you need to know
    • Identiverse 2023: What I'm Looking Forward to & What Not to Miss
    • Interview with Oort: Best Practices for Managing & Protecting Service Accounts
    • Interview with Alex “Sasha” Zaslavsky (Oort Data Science Lead)
    • Interview with Andy Winiarski (Head of Solutions Engineering)
    • Interview with Nicolas Dard (Oort’s VP of Product Management)
    • Introducing our Latest Integration to Protect Identities in AWS
    • Introducing The 2023 State of Identity Security Report
    • Maintaining a Strong Identity Security Posture: Why IAM Hygiene Matters
    • Managing Machine Identities: A Comprehensive Guide
    • Managing Risk In Shipwreck Diving and Security
    • Monitoring MFA Usage and Adoption: Strengthening Your Security Strategy
    • Okta Breach: Why Attackers Target GitHub, and What You Can Do to Secure It
    • Okta Security
    • Oort and Polarity Combine to Provide Instant Context on Identities
    • Oort + Polarity: Instant Identity Context to Power Investigations and Response
    • Oort Announces $15M in Seed and Series A Funding Round
    • Oort Stacks Go-to-Market Leadership Team Following Series A Investment
    • Oort Extends Identity Threat Detection with New AWS Integration
    • Announcing General Availability of the Oort Identity Analytics & Automation Platform
    • Oort Joins Forces with Microsoft Intelligent Security Association to Bring Visibility into Unmanaged Devices
    • Oort Joins the Microsoft Intelligent Security Association (MISA)
    • Building an Effective Identity Security Program: A Comprehensive Handbook
    • Oort Launches Identity Security Platform in Auth0 Marketplace
    • Oort Launches Identity Security Platform in AWS Marketplace
    • Oort Launches One-Click Remediation Actions for Streamlined Identity Security Response
    • Oort Origins and Our Vision for Identity Security
  • Release Notes
    • Week 22, 2024
    • Week 21, 2024
    • Week 20, 2024
    • Week 19, 2024
    • Week 18, 2024
    • Week 17, 2024
    • Week 16, 2024
    • Week 14, 2024
    • Week 13, 2024
    • Week 11, 2024
    • Week 9, 2024
    • Week 7, 2024
    • Week 5, 2024
    • Week 4, 2024
    • Week 3, 2024
    • Week 2, 2024
    • 2023
      • Week 49, 2023
      • Week 48, 2023
      • Week 47, 2023
      • Week 46, 2023
      • Week 45, 2023
      • Week 44, 2023
      • Week 43, 2023
      • Week 42, 2023
      • Week 41, 2023
      • Week 40, 2023
      • Week 39, 2023
      • Week 38, 2023
      • Week 37, 2023
      • Week 35, 2023
      • Week 34, 2023
      • Week 33, 2023
      • Week 32, 2023
      • Week 31, 2023
      • Week 30, 2023
      • Week 29, 2023
      • Week 28, 2023
      • Week 27, 2023
      • Week 26, 2023
      • Week 25, 2023
      • Week 24, 2023
      • Week 23, 2023
      • Week 22, 2023
      • Week 21, 2023
      • Week 20, 2023
      • Week 19, 2023
      • Week 18, 2023
      • Week 17, 2023
      • Week 16, 2023
      • Week 15, 2023
      • Week 13, 2023
      • Week 12, 2023
      • Week 11, 2023
      • Week 10, 2023
      • Week 9, 2023
      • Week 8, 2023
      • Week 7, 2023
      • Week 6, 2023
      • Week 5, 2023
      • Week 4, 2023
      • Week 3, 2023
      • Week 2, 2023
      • Week 1, 2023
    • 2022
      • Week 51, 2022
      • Week 50, 2022
      • Week 49, 2022
      • Week 48, 2022
      • Week 47, 2022
      • Week 46, 2022
      • Week 43, 2022
      • Week 42, 2022
      • Week 41, 2022
      • Week 38, 2022
      • Week 37, 2022
      • Week 36, 2022
      • Week 35, 2022
      • Week 34, 2022
      • Week 33, 2022
      • Week 32, 2022
      • Week 31, 2022
      • Week 30, 2022
      • Week 29, 2022
      • Week 24, 2022
      • Week 12, 2022
Powered by GitBook
On this page
  • Overview
  • Azure Sentinel Integration - High-level Steps
  • Azure Sentinel Configuration
  • Azure Configuration Summary
  • Oort Tenant Configuration for Sentinel
  • Viewing your Oort logs in Azure Sentinel

Azure Sentinel SIEM Integration

2023.03.23

PreviousAzure Event Hub Log Streaming for Microsoft Entra ID (Azure AD)NextAWS

Last updated 4 months ago

Overview

Oort’s platform can tie into existing Sentinel workflows often used by Security Teams. This document will walk you through the process of setting up the App Registration inside of Azure AD.

For more information, see this short overview video -

Azure Sentinel Integration - High-level Steps

This article follows the Microsoft Azure Sentinel tutorial - Send data to Azure Monitor Logs by using a REST API (Azure Portal).

The following items will be needed to complete the integration inside of the Oort Console:

The sections below go into more detail on each of the steps.

Azure Sentinel Configuration

  1. Configure Azure application registration to authenticate against the API, follow the instructions. Note the Application (client) ID, Directory (tenant) ID and secret value for further setup.

  2. Create data collection endpoint, follow the instructions. Note the Logs ingestion URI for further setup.

  3. Add a custom log table, follow the instructions. Note the table name for further setup and be aware that there is _CL added automatically to the table name. We will need the full name with the _CL suffix.

    1. Save content of this block in a local file or download the sample_data file linked below. NOTE - this step is done outside of the Azure console.

    [{
        "activity": "END_USER__CHECK_FAILED",
        "targetResourceIds": {
                "checkId": "no-mfa",
                "login": "ciuser-noreply+cnt-dev-1661195950711@oort.io",
                "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"]
        },
        "lastModified": "2022-11-02T12:28:07.850Z"
}]

  1. Click Browse for files and use the content of the file from the previous step for that purpose. 

  2. source
| extend TimeGenerated = todatetime(['lastModified'])
| project-rename activityDate = lastModified

  4. To collect information from data collection rule (DCR), follow the instructions. Note immutableId for further setup.

Azure Configuration Summary

After the setup above, you will have the following components in your Azure tenant. These objects will be used to setup a corresponding Sentinel SIEM integration in Oort:

  • App registration (client ID, client secret, tenant ID)

  • Logs Ingestion Endpoint URI from the data collection endpoint (DCE) to receive data over HTTP

  • Data collection rule (DCR) immutable Id

  • Custom table name in Log Analytics workspace (including the _CL suffix)

Oort Tenant Configuration for Sentinel

Within your Oort console, follow these steps to configure your Sentinel integration.

    1. Name - for display purposes only

    2. Description (optional)

    3. Azure directory (tenant) ID

    4. App (client) ID

    5. App (client) secret

    6. Logs Ingestion Endpoint URI - this is a property of the data collection endpoint (DCE) created above

    7. Custom log table name

    8. DCR Immutable ID - this is found in the JSON View of the DCR

  3. Click Save

Viewing your Oort logs in Azure Sentinel

By default, your Oort tenant will send all new Check failures for all checks to your Azure Sentinel custom table once every 24 hours.

To calculate any new check failures since the last data collection and analysis, you may want to do the following:

To view your logs in Azure Sentinel, do the following -

  1. Navigate to your Azure Sentinel instance that contains the configuration you created for this integration.

  2. Select Logs in the left nav pane.

  4. The Results will show the most recent check failures from your Oort tenant.

After clicking Next, the next step is to parse and filter a sample data set. In the Schema and transformation screen, review the Microsoft instructions as a reference and then complete the process using the data and steps below. Do not use the sample data and transform code provided in the Microsoft article. Use the the steps below.

Data from the sample file is displayed with a warning that a TimeGenerated is not in the data. Click Transformation editor to open the transformation and paste content of the below block (note that source is already present in the editor UI):

Click Run to view the results, click Apply to save the transformation, Next to get to the Review tab, and click Create to save the custom log.

Next to assign permissions to the DCR, follow the instructions. In the end, you will see your App Registration as a Monitoring Metrics Publisher under the Role Assignments tab.

On the Integrations page, click Add Integration and scroll to the bottom of the page to select Azure Sentinel.

Enter the information collected as shown below -

On the Integrations page, click the 3-dot menu for the Sentinel integration and select Test Connectivity.

From the Integrations page, manually run collection from your Azure data integration using the Collect Now option.

After that completes, from the Checks page, select Run Checks Now

Under Queries, run a new query with the name of the custom table created for this purpose.

Expand individual rows of the results table to see details for each item.

Page cover image
330B
Sentinel_sample_data_Oort.json
SIEM Integration - Azure Sentinel
SIEM Integration - Azure Sentinel