Video - Integrating Sentinel with Third-Party SIEM Using Private Connections
Recently, I published on GitHub the JSON template of a Logic App designed for quickly integrating Sentinel with any third-party SIEM in a side-by-side configuration. Specifically, this Logic App can be launched manually or automatically as a Playbook in Sentinel. It sends the JSON representation of an incident retrieved from Sentinel to Event Hub, including all the details of the incident's alerts and related identities. This implementation configures the Logic App to run in the 'Consumption Plan', which is typically the easiest and most cost-effective model for Logic Apps deployment. I documented the implementation and referenced the template in the following article: A simple Logic App to export Sentinel incidents in Event Hub.
A few days ago, I was asked to apply the same integration approach in a scenario where, for compliance with internal security policies, the Event Hub cannot expose public endpoints. So far, I haven't had time to extract another JSON template of this new implementation, but in this video I show all the details of how I made the requested configuration in my lab environment. Not only did I configure the Event Hub to accept connections only through a Private Endpoint, but I also ensured that the Logic App and its backend Storage Account do not accept connections from the public Internet.
The video also shows a full demo of an incident - with its alerts and entities - sent from Sentinel to Splunk.
The video
You can watch the video from here:
Chapters:
I hope this content helps you better understand how to make a similar configuration.
Notes, references, corrections and updates related to the video
Here I list - and may add to in the future - the notes, corrections and updates that I consider necessary with respect to the content of the video.
setProperty(variables('OriginalIncident')['object'],'unifiedIncidentUrl',concat('https://security.microsoft.com/incident2/',variables('OriginalIncident')['object']['properties']['providerIncidentId'],'/overview'))
{
"type": "object",
"properties": {
"headers": {
"type": "object",
"properties": {
"Accept-Encoding": {
"type": "string"
},
"Host": {
"type": "string"
},
"Max-Forwards": {
"type": "string"
},
"Correlation-Context": {
"type": "string"
},
"traceparent": {
"type": "string"
},
"x-ms-client-tracking-id": {
"type": "string"
},
"x-ms-correlation-request-id": {
"type": "string"
},
"x-ms-forward-internal-correlation-id": {
"type": "string"
},
"X-ARR-LOG-ID": {
"type": "string"
},
"CLIENT-IP": {
"type": "string"
},
"DISGUISED-HOST": {
"type": "string"
},
"X-SITE-DEPLOYMENT-ID": {
"type": "string"
},
"WAS-DEFAULT-HOSTNAME": {
"type": "string"
},
"X-Forwarded-Proto": {
"type": "string"
},
"X-AppService-Proto": {
"type": "string"
},
"X-ARR-SSL": {
"type": "string"
},
"X-Forwarded-TlsVersion": {
"type": "string"
},
"X-Forwarded-For": {
"type": "string"
},
"X-Original-URL": {
"type": "string"
},
"X-WAWS-Unencoded-URL": {
"type": "string"
},
"Content-Length": {
"type": "string"
},
"Content-Type": {
"type": "string"
}
}
},
"body": {
"type": "object",
"properties": {
"eventUniqueId": {
"type": "string"
},
"objectSchemaType": {
"type": "string"
},
"objectEventType": {
"type": "string"
},
"workspaceInfo": {
"type": "object",
"properties": {
"SubscriptionId": {
"type": "string"
},
"ResourceGroupName": {
"type": "string"
},
"WorkspaceName": {
"type": "string"
}
}
},
"workspaceId": {
"type": "string"
},
"object": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"etag": {
"type": "string"
},
"type": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"title": {
"type": "string"
},
"severity": {
"type": "string"
},
"status": {
"type": "string"
},
"owner": {
"type": "object",
"properties": {
"objectId": {},
"email": {},
"assignedTo": {},
"userPrincipalName": {}
}
},
"labels": {
"type": "array"
},
"firstActivityTimeUtc": {
"type": "string"
},
"lastActivityTimeUtc": {
"type": "string"
},
"lastModifiedTimeUtc": {
"type": "string"
},
"createdTimeUtc": {
"type": "string"
},
"incidentNumber": {
"type": "integer"
},
"additionalData": {
"type": "object",
"properties": {
"alertsCount": {
"type": "integer"
},
"bookmarksCount": {
"type": "integer"
},
"commentsCount": {
"type": "integer"
},
"alertProductNames": {
"type": "array",
"items": {
"type": "string"
}
},
"tactics": {
"type": "array",
"items": {
"type": "string"
}
},
"techniques": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"relatedAnalyticRuleIds": {
"type": "array",
"items": {
"type": "string"
}
},
"incidentUrl": {
"type": "string"
},
"providerName": {
"type": "string"
},
"providerIncidentId": {
"type": "string"
},
"alerts": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"kind": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"systemAlertId": {
"type": "string"
},
"tactics": {
"type": "array",
"items": {
"type": "string"
}
},
"alertDisplayName": {
"type": "string"
},
"description": {
"type": "string"
},
"confidenceLevel": {
"type": "string"
},
"severity": {
"type": "string"
},
"vendorName": {
"type": "string"
},
"productName": {
"type": "string"
},
"productComponentName": {
"type": "string"
},
"alertType": {
"type": "string"
},
"processingEndTime": {
"type": "string"
},
"status": {
"type": "string"
},
"endTimeUtc": {
"type": "string"
},
"startTimeUtc": {
"type": "string"
},
"timeGenerated": {
"type": "string"
},
"providerAlertId": {
"type": "string"
},
"resourceIdentifiers": {
"type": "array",
"items": {
"type": "object",
"properties": {
"type": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"required": [
"type",
"workspaceId"
]
}
},
"additionalData": {
"type": "object",
"properties": {
"ProcessedBySentinel": {
"type": "string"
},
"Alert generation status": {
"type": "string"
},
"Query Period": {
"type": "string"
},
"Trigger Operator": {
"type": "string"
},
"Trigger Threshold": {
"type": "string"
},
"Correlation Id": {
"type": "string"
},
"Analytics Template Id": {
"type": "string"
},
"Search Query Results Overall Count": {
"type": "string"
},
"Data Sources": {
"type": "string"
},
"Query": {
"type": "string"
},
"Query Start Time UTC": {
"type": "string"
},
"Query End Time UTC": {
"type": "string"
},
"Analytic Rule Ids": {
"type": "string"
},
"Event Grouping": {
"type": "string"
},
"Analytic Rule Name": {
"type": "string"
}
}
},
"friendlyName": {
"type": "string"
}
}
}
},
"required": [
"id",
"name",
"type",
"kind",
"properties"
]
}
},
"bookmarks": {
"type": "array"
},
"relatedEntities": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"type": {
"type": "string"
},
"kind": {
"type": "string"
},
"properties": {
"type": "object",
"properties": {
"accountName": {
"type": "string"
},
"upnSuffix": {
"type": "string"
},
"aadTenantId": {
"type": "string"
},
"aadUserId": {
"type": "string"
},
"isDomainJoined": {
"type": "boolean"
},
"displayName": {
"type": "string"
},
"additionalData": {
"type": "object",
"properties": {
"Sources": {
"type": "string"
},
"GivenName": {
"type": "string"
},
"IsDeleted": {
"type": "string"
},
"IsEnabled": {
"type": "string"
},
"Surname": {
"type": "string"
},
"TransitiveDirectoryRoles": {
"type": "string"
},
"UserType": {
"type": "string"
},
"UpnName": {
"type": "string"
},
"SyncFromAad": {
"type": "string"
},
"Country": {
"type": "string"
},
"MailAddress": {
"type": "string"
},
"PhoneNumber": {
"type": "string"
},
"AdditionalMailAddresses": {
"type": "string"
}
}
},
"friendlyName": {
"type": "string"
}
}
}
},
"required": [
"id",
"name",
"type",
"kind",
"properties"
]
}
},
"comments": {
"type": "array"
}
}
}
}
}
}
}
}
}