Microsoft Sentinel is Azure's cloud-native SIEM; it supports threat detection and response across the Azure environment. To enable Sentinel, create a Microsoft Sentinel instance and its workspace. To start ingesting data from the various services, add data connectors.
Microsoft Sentinel creates incidents, each triggered by a group of alerts that together indicate a possible threat; an incident is investigated and resolved based on those alerts.
A sample test incident is shown below.
NetWitness integrates with Microsoft Sentinel incidents via the MSAzureGraph plugin.
Although the MSAzureGraph plugin pulls the Microsoft Sentinel incidents, it does not use the Graph API for this; it uses the Azure Sentinel incidents REST API. We use the MSAzureGraph plugin because it accommodates any Azure API URL that can be queried with a start time and an end time.
The URL we use for getting Sentinel incidents is:
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2023-02-01&$filter=properties/lastModifiedTimeUtc ge {starttime} and properties/lastModifiedTimeUtc le {endtime}&$orderby=properties/lastModifiedTimeUtc
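The following is an added example, not NetWitness or Microsoft code, showing how a collector would build that URL for a lastModifiedTimeUtc window and walk a paged response. The HTTP GET is injected as a function so the sample runs offline against two constructed pages; a real caller would pass one that sends the request with a bearer token for https://management.azure.com. The subscription, resource group and workspace names, the incident records and the nextLink token are all constructed placeholders.

```python
"""Added example (not NetWitness or Microsoft code): build the Sentinel
incidents REST URL with a lastModifiedTimeUtc window and walk a paged
response. The HTTP GET is injected so the sample runs offline; a real caller
passes one that sends the request with a bearer token for
https://management.azure.com. All names and records below are constructed."""
from datetime import datetime, timezone
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"   # version used in the post's URL


def utc_iso(dt):
    """Render a timezone-aware datetime in the UTC form the $filter expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def incidents_url(subscription_id, resource_group, workspace, start, end):
    """URL for incidents last modified in [start, end], oldest first."""
    path = (
        f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents"
    )
    odata_filter = (
        f"properties/lastModifiedTimeUtc ge {utc_iso(start)} "
        f"and properties/lastModifiedTimeUtc le {utc_iso(end)}"
    )
    # quote() percent-encodes the spaces and colons; '/' stays literal by default
    return (
        f"{path}?api-version={API_VERSION}"
        f"&$filter={quote(odata_filter)}"
        f"&$orderby={quote('properties/lastModifiedTimeUtc')}"
    )


def collect_incidents(fetch, first_url):
    """Follow nextLink pages and flatten each incident to the fields a SIEM
    feed usually wants. fetch(url) must return the decoded JSON body."""
    incidents, url, seen = [], first_url, set()
    while url and url not in seen:   # guard against a nextLink that repeats
        seen.add(url)
        page = fetch(url)
        for inc in page.get("value", []):
            props = inc.get("properties", {})
            incidents.append({
                "name": inc.get("name"),                   # incident GUID
                "number": props.get("incidentNumber"),
                "title": props.get("title"),
                "severity": props.get("severity"),
                "status": props.get("status"),
                "lastModified": props.get("lastModifiedTimeUtc"),
            })
        url = page.get("nextLink")
    return incidents


def high_water_mark(incidents, fallback):
    """Newest lastModifiedTimeUtc seen, to use as the next poll's start time."""
    stamps = [i["lastModified"] for i in incidents if i["lastModified"]]
    return max(stamps) if stamps else fallback


def _sample_fetch(url):
    """Constructed stand-in for the HTTP GET: two pages linked by nextLink."""
    if "$skipToken" in url:
        return {"value": [
            {"name": "c3", "properties": {
                "incidentNumber": 3, "title": "Constructed: impossible travel",
                "severity": "High", "status": "New",
                "lastModifiedTimeUtc": "2024-01-01T10:15:00Z"}}]}
    return {"value": [
        {"name": "c1", "properties": {
            "incidentNumber": 1, "title": "Constructed: password spray",
            "severity": "Medium", "status": "Active",
            "lastModifiedTimeUtc": "2024-01-01T08:00:00Z"}},
        {"name": "c2", "properties": {
            "incidentNumber": 2, "title": "Constructed: malware on host",
            "severity": "Low", "status": "Closed",
            "lastModifiedTimeUtc": "2024-01-01T09:30:00Z"}}],
        "nextLink": url + "&$skipToken=constructed-token"}


def run_demo():
    """Poll one window against the constructed pages.
    Returns (url, incidents, next poll start)."""
    start = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    end = datetime(2024, 1, 2, 0, 0, tzinfo=timezone.utc)
    url = incidents_url("00000000-0000-0000-0000-000000000000", "rg-constructed",
                        "ws-constructed", start, end)
    incidents = collect_incidents(_sample_fetch, url)
    return url, incidents, high_water_mark(incidents, utc_iso(start))


if __name__ == "__main__":
    _, found, next_start = run_demo()
    for inc in found:
        print(f'#{inc["number"]} {inc["severity"]:<6} {inc["status"]:<7} {inc["title"]}')
    print("next poll starts at", next_start)
```

Because `ge` and `le` are both inclusive, an incident modified exactly on the window boundary is returned by two consecutive polls when the next start is taken from the previous high-water mark; deduplicate downstream on the incident name (its GUID) rather than on the incident number alone.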
Integration Model:
To take advantage of this new capability within RSA NetWitness, please visit the link below and search for the following terms in RSA Live.
Configuration Guide: Azure Sentinel Incidents
Collector Package on RSA Live: "Log Collector configuration content for event source MS Azure Graph"
Parser on RSA Live: azure
API Reference: