Eyeglass Solutions Publication

Sentinel Incident integration and Log Analytics Logging with Zero Trust Alerts


Ransomware Defender & Easy Auditor Sentinel Webhook alarm to Incident Integration

 Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort, without any SLA on response time. No 3rd party product support can be provided by Superna directly; 3rd party components require their own support contracts.

Overview

This integration enables customers to send Zero Trust alerts directly into Sentinel.

How to Configure Sentinel Logic App Webhook endpoint Workflow

  1. This example uses the Azure Sentinel deployment option. Record the workspace ID and primary key of the Log Analytics workspace configured for use with your Sentinel deployment.
  2. Create a Logic App with an HTTP trigger to send log data to Sentinel.
    1. The app name should be descriptive. Create the Logic App with all the defaults.
    2. Once created, click Go to resource.
    3. Click the Workflows tab.
      1. Create a new workflow by clicking Add and then select the designer option.
      2. Click Add Trigger.
      3. Search for HTTP and select the HTTP request option.
      4. Now add another step to the workflow to send incoming webhook data to the Sentinel Log Analytics data collector. Click the + sign.
      5. Search for "Azure Log" and select the Azure Log Analytics Data Collector "Send Data" action.
      6. Click in the JSON Request Body field, click the lightning bolt that appears and select the Body option.
      7. Now enter a name for the collector. NOTE: This name will be the name of the log table created in the Sentinel Custom Logs section.
      8. Configuration is not yet complete.
      9. To generate the endpoint URL for your Logic App, click the Save button on the workflow.
      10. Now click on the workflow name to record the endpoint URL that will be used within the Defender Zero Trust interface configuration.
      11. Use the click-to-copy option and record this URL for the steps below.
      12. Done.

    How to configure Zero Trust Webhooks using the Logic App endpoint URL

    1. The next step creates a Zero Trust Webhook URL.
      1. Configure the Zero Trust endpoint in the Ransomware Defender Zero Trust tab.
        1. Recommended configuration: only Critical and Major events, and only the webhooks that set lockout or delayed lockout. Customers can customize based on specific requirements. The goal is to send findings rather than a list of alarms that do not pinpoint a security incident.
        2. The endpoint URL is the Logic App workflow URL from the steps above; Defender will send webhooks to the application service listening on port 443.
          1. Add the Content-Type header with a value of application/json to complete the webhook configuration.
          2. Click Save to commit the configuration.
          3. Click Save on the main Webhook configuration page.
    2. Test the configuration by clicking the Test Webhooks button. Verify that no error message is returned.
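    The request the Test Webhooks button sends can be reproduced from a workstation when you need to prove the Logic App side works before involving Defender. The script below is an added example, not Superna's or Microsoft's code: it builds a constructed Zero Trust-style alarm body (the field names are illustrative), validates the workflow URL, and POSTs it over HTTPS with the Content-Type: application/json header. LOGIC_APP_URL is a placeholder to replace with the URL copied from the workflow page; the sp, sv and sig query parameters it checks for are the ones Logic App trigger URLs carry, and sig is a shared access signature, so the full URL must be handled as a credential.

```python
"""Send a constructed test webhook to a Logic App HTTP trigger.

Added example (not Superna's or Microsoft's code). Mirrors the Test Webhooks
button: an HTTPS POST to the workflow URL with Content-Type: application/json
and a JSON body. Payload field names are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Placeholder only: use the URL copied from your workflow overview page.
LOGIC_APP_URL = (
    "https://example-logicapp.azurewebsites.net:443/api/zerotrust/triggers/"
    "manual/invoke?api-version=2022-05-01&sp=%2Ftriggers%2Fmanual%2Frun"
    "&sv=1.0&sig=PLACEHOLDER_SIGNATURE"
)


def validate_logic_app_url(url: str) -> list[str]:
    """Return a list of problems with a workflow URL (empty list means OK).

    The sig parameter is a shared access signature: anyone holding the full
    URL can post rows into your custom log table, so treat it as a secret.
    """
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https (the Logic App listens on 443)")
    if parts.port not in (None, 443):
        problems.append(f"unexpected port {parts.port}; expected 443")
    query = parse_qs(parts.query)
    for name in ("sp", "sv", "sig"):
        if name not in query:
            problems.append(f"missing {name} query parameter")
    return problems


def redact_url(url: str) -> str:
    """Mask the sig parameter so the URL can be written to logs safely."""
    parts = urlparse(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "sig" in query:
        query["sig"] = ["REDACTED"]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def build_test_payload(user: str, share: str, files: list[str]) -> dict:
    """Constructed alarm body; real Defender payloads carry their own field
    names, which you can read back from the Custom Logs view after a test."""
    return {
        "severity": "CRITICAL",
        "state": "LOCKED_OUT",
        "user": user,
        "smb_shares": [share],
        "files": files,
        "source": "test-webhook",
    }


def prepare_request(url: str, payload: dict) -> urllib.request.Request:
    """Build the POST exactly as the webhook configuration describes."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )


def send_test_webhook(url: str, payload: dict, timeout: float = 10) -> int:
    """POST the payload and return the HTTP status; raise on a bad URL."""
    problems = validate_logic_app_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    req = prepare_request(url, payload)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    test_payload = build_test_payload(
        "CORP\\jdoe", "\\\\nas01\\finance", ["a.locky", "b.locky"])
    print("posting to", redact_url(LOGIC_APP_URL))
    print("status", send_test_webhook(LOGIC_APP_URL, test_payload))
```

    A 202 Accepted from the trigger only proves the Logic App received the body; the table in Custom Logs is the confirmation that the Data Collector step also succeeded, which is what the verification section below checks. Log the redacted form of the URL, never the one containing sig.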


    How to Verify log alarm data has reached the Sentinel Log Service

    1. Log in to Azure and locate the Log Analytics workspace attached to your Sentinel installation.
    2. Select the Logs menu.
    3. Expand the Custom Logs menu.
    4. If you successfully sent alarm data with the test function, the log table will have been created automatically using the name configured in the Logic App.
    5. Double-click the table name to add it to the query.
    6. Click the Run button to execute the query.
    7. The results will show each alarm sent from the Defender webhook, including the test webhook.
    8. Expand an entry to see the payload of the alarm and all the Zero Trust fields included in the alarm data, for example the list of files, AD user name, SMB share list, etc.
    9. Done.


    How to Create a Sentinel Analytics Rule to create Security Incidents

    1. Overview
      1. This procedure creates an analytics rule that uses the log data sent from webhooks to create a security incident with custom data displayed from the log data sent by Defender. This is a single example of how to create an incident trigger and can be duplicated for more advanced configurations.
    2. Using the same log query interface from the step above, run the following.
    3. Build a query as follows:
      1. The query string below assumes the log table name is zerotrustdefender_CL. This will search the log table for critical alerts with a status of lockout. This example shows how you can create triggers using any of the available fields in the Zero Trust alarm data. Query string example below.
      2. zerotrustdefender_CL | where severity_s contains "CRITICAL" and state_s contains "LOCKED_OUT"
      3. Run the query. You may not have any critical log entries in the table. Select the option to create a Sentinel
      4. Complete the fields to create the trigger.
    4. Set the Tactics and Techniques as follows.
    5. To expose rich alarm data within the Sentinel incident, add custom key value pairs and map them to the field names in the log data. This example uses best practice fields to show in a security alert. NOTE: The key value names can be any label name you wish to display in the incident.
    6. To configure a responsive critical alert trigger, we suggest using the minimum values of a 5 minute log scan and searching for data within the last 5 minutes.
    7. We recommend setting the grouping alerts option.
    8. Configure any playbooks or additional triggers that you want to run each time a Critical alert is received.
    9. Click Create on the final screen to create the analytics rule.
    10. To view or edit the analytics rule you can click Analytics under the Configuration section.
    11. Repeat the rule creation to create rules for additional scenarios.
    12. To test this rule you will need to create a test Critical detection in Defender. You can create a test detection using any mounted SMB share and creating banned files with Notepad. For example, .locky extension files will create a detection after you create more than the critical threshold set in the Settings tab in Defender. This defaults to 80 files. Create enough files to trigger a detection.
    13. After the files are created, monitor the active events in the Defender GUI until the Critical lockout is completed. You can now use the steps above to verify the webhook data has reached the custom log managed by the Logic App.
    14. The analytics rule should trigger every 5 minutes and locate any events with severity set to Critical and state of locked out to create the incident.
    15. Done.
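    Two details in the procedure above are easy to get wrong when adapting the query to other fields: the collector name entered in the Logic App becomes the table name with a _CL suffix, and the Data Collector suffixes every column by type (_s for strings, _d for numbers, _b for booleans, _t for datetimes), which is why the rule filters on severity_s and state_s rather than severity and state. The script below is an added example, not Superna's or Microsoft's code: it models that renaming for a constructed webhook body, applies the same filter the rule uses over a 5-minute window (KQL contains is case-insensitive, so the model upper-cases both sides), and groups the surviving rows into incidents the way the grouping option does. The sample rows, their timestamps, the NOW constant and the grouping key user_s are all constructed assumptions; nested values are kept as a JSON string here as a simplification.

```python
"""Model the path from a webhook body to a Sentinel incident.

Added example (not Superna's or Microsoft's code). Sample rows, timestamps
and the user_s grouping key are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

TABLE_SUFFIX = "_CL"  # custom log tables are named <collector name>_CL


def table_name(collector_name: str) -> str:
    """Name of the table the Data Collector creates for a collector name."""
    return collector_name + TABLE_SUFFIX


def to_custom_log_row(record: dict, ingested_at: datetime) -> dict:
    """Rename keys the way the Data Collector types its columns."""
    row = {"TimeGenerated": ingested_at}
    for key, value in record.items():
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            row[key + "_b"] = value
        elif isinstance(value, (int, float)):
            row[key + "_d"] = float(value)
        elif isinstance(value, datetime):
            row[key + "_t"] = value
        elif isinstance(value, (list, dict)):
            row[key + "_s"] = json.dumps(value)  # simplification: nested value as JSON text
        else:
            row[key + "_s"] = str(value)
    return row


def rule_matches(row: dict, now: datetime, window: timedelta = timedelta(minutes=5)) -> bool:
    """Equivalent of the rule's query with its 5-minute lookback:
    zerotrustdefender_CL | where TimeGenerated > ago(5m)
      | where severity_s contains "CRITICAL" and state_s contains "LOCKED_OUT"
    """
    if row["TimeGenerated"] <= now - window:
        return False
    return ("CRITICAL" in row.get("severity_s", "").upper()
            and "LOCKED_OUT" in row.get("state_s", "").upper())


def group_into_incidents(rows: list[dict], key: str = "user_s") -> dict[str, list[dict]]:
    """Group matching rows so repeated alarms for one entity form one incident."""
    incidents: dict[str, list[dict]] = {}
    for row in rows:
        incidents.setdefault(row.get(key, "unknown"), []).append(row)
    return incidents


def run_rule(records: list[tuple[dict, datetime]], now: datetime) -> dict[str, list[dict]]:
    """Ingest webhook bodies into the modelled table, filter, then group."""
    table = [to_custom_log_row(rec, ts) for rec, ts in records]
    return group_into_incidents([r for r in table if rule_matches(r, now)])


# Constructed evaluation time and seven constructed webhook bodies.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _alarm(user, severity, state, files, minutes_ago):
    body = {"severity": severity, "state": state, "user": user,
            "files": files, "file_count": len(files)}
    return body, NOW - timedelta(minutes=minutes_ago)


SAMPLE_RECORDS = [
    _alarm("jdoe", "CRITICAL", "LOCKED_OUT", ["a.locky", "b.locky"], 1),
    _alarm("jdoe", "CRITICAL", "LOCKED_OUT", ["c.locky"], 2),
    _alarm("jdoe", "CRITICAL", "LOCKED_OUT", ["d.locky"], 3),
    _alarm("jdoe", "MAJOR", "DELAYED_LOCKOUT", ["e.locky"], 1),      # wrong severity
    _alarm("asmith", "CRITICAL", "LOCKED_OUT", ["f.locky"], 4),
    _alarm("asmith", "critical", "locked_out", ["g.locky"], 0.5),    # case differs
    _alarm("asmith", "CRITICAL", "LOCKED_OUT", ["h.locky"], 10),     # outside window
]

if __name__ == "__main__":
    print("table:", table_name("zerotrustdefender"))
    for user, rows in run_rule(SAMPLE_RECORDS, NOW).items():
        print(f"incident for {user}: {len(rows)} alarm(s)")
```

    Seven events yield two incidents (three alarms for jdoe, two for asmith); the MAJOR event and the one older than five minutes are excluded, which is the behaviour to expect from the rule and grouping settings recommended above.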

     

    A Sentinel Sample incident created by Superna Defender Zero Trust webhook and Logic App in Azure

    1. You can see the example alert is created with custom data from the log displayed for Security Operations staff to investigate.
    2. The alert grouping ensures that multiple alerts are grouped; in the example, 7 events (log entries) produced 2 different incidents.
    3. Done.


     

    © Superna Inc