
splunk-soar-connectors/mssentinel


Sentinel

Publisher: Splunk Community
Connector Version: 1.0.1
Product Vendor: Microsoft
Product Name: Sentinel
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.4

This app provides integration with Microsoft Sentinel.

Setup

Azure Configuration

Create an App Registration

In order to configure the Sentinel app, a new App Registration in the Azure Portal is required. Please refer to Register an Application for further guidance.

The Sentinel SOAR App uses the client-credentials flow to authenticate against Azure. Under your created App registration, in Certificates & Secrets, create a new Client Secret. Save the secret value for later use during asset configuration.

Assign required Permissions to the App Registration

Under your subscription, select the Add role assignment context menu and assign the Azure Sentinel Contributor role to your registered app.

SOAR Configuration

When creating your SOAR asset, enter the Application ID as Client ID and the saved secret value as Client Secret.

In order to connect to your Sentinel environment, the Tenant ID, Subscription ID, Workspace Name, Workspace ID and Resource Group fields are required. They can be found inside the Azure Portal. Fields related to polling are optional.

In order to retrieve the Workspace ID, navigate to your Sentinel Settings -> Workspace Settings.

Usage

How Sentinel handles identifiers

Actions like get incident take an incident name input parameter. This can be captured from the Sentinel API or Web UI, but it's not to be confused with the Incident Number or the Title. The Incident Name is the last component of the link to the incident that can be reviewed in Sentinel. For example, the Incident Name corresponding to

      https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/dx582xwx-4x28-4f8d-9ded-9b0xd2803739/resourceGroups/demomachine_group/providers/Microsoft.OperationalInsights/workspaces/customworkspace/providers/Microsoft.SecurityInsights/Incidents/80289647-8743-4x67-87xx-9409x59xxxxx

is simply 80289647-8743-4a67-87db-9409e597b0db
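A helper that pulls the Incident Name out of a Sentinel incident link and rejects the Incident Number/Title mix-up described above. This is an added example, not the connector's own code; the sample link is constructed with a placeholder subscription id and the Incident Name shown above.

```python
import re
from urllib.parse import urlparse, unquote

# Incident Names are GUIDs; Incident Numbers are integers and Titles are free
# text, so a shape check catches the mix-up the section above warns about.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample link (placeholder subscription id), same layout as above.
SAMPLE_LINK = (
    "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident"
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/demomachine_group"
    "/providers/Microsoft.OperationalInsights/workspaces/customworkspace"
    "/providers/Microsoft.SecurityInsights/Incidents"
    "/80289647-8743-4A67-87DB-9409E597B0DB"
)


def incident_name_from_link(link: str) -> str:
    """Return the Incident Name (last path component) of a Sentinel link.

    Accepts the portal URL form as well as the bare ARM resource id
    ('/subscriptions/.../Incidents/<guid>'). Raises ValueError when the
    trailing component is not a GUID, the usual sign that an Incident
    Number or Title was pasted instead.
    """
    parsed = urlparse(link.strip())
    # Portal links carry the resource id in the '#' fragment; ARM ids do not.
    path = parsed.fragment or parsed.path
    parts = [p for p in unquote(path).split("/") if p]
    if len(parts) < 2 or parts[-2].lower() != "incidents":
        raise ValueError("link does not end in /Incidents/<name>")
    name = parts[-1]
    if not GUID_RE.match(name):
        raise ValueError(f"{name!r} is not an Incident Name (expected a GUID)")
    return name.lower()


def is_incident_number(value: str) -> bool:
    """True for inputs such as '1234', i.e. an Incident Number, not a Name."""
    return value.strip().isdigit()
```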

Run Query

Timerange

The timespan parameter expects an ISO 8601 duration. Some commonly used values:

  • Last 7 days: P7D
  • Last 24 hours: P1D
  • Last 30 minutes: PT30M
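Validating the timespan before a query is sent, as an added example that is not part of the connector: a bare duration such as P7D resolves to "the last 7 days", and the start/end interval form documented under the run query action is accepted as given. Only day-and-time durations are handled; year and month designators are an assumption this helper deliberately rejects.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Day-and-time ISO 8601 durations only (P7D, PT30M, P1DT12H, P2W). Year and
# month designators are rejected because their length is calendar dependent.
DURATION_RE = re.compile(
    r"^P(?:(?P<weeks>\d+)W|(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?)$"
)


def parse_duration(value: str) -> timedelta:
    """Convert a duration such as 'P7D' or 'PT30M' to a timedelta."""
    m = DURATION_RE.match(value.strip().upper())
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"{value!r} is not a supported ISO 8601 duration")
    return timedelta(**{k: int(v) for k, v in m.groupdict().items() if v})


def _parse_instant(text: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{text!r} has no timezone; use 'Z' or an offset")
    return dt


def resolve_timespan(value: str, now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Resolve a timespan value to an explicit (start, end) window.

    A bare duration is taken as 'the last <duration>' ending at `now`;
    a 'start/end' interval is used as given. Empty or reversed windows
    are rejected before any query is sent.
    """
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    if "/" in value:
        start_text, end_text = value.split("/", 1)
        start, end = _parse_instant(start_text), _parse_instant(end_text)
    else:
        end = now
        start = now - parse_duration(value)
    if start >= end:
        raise ValueError("timespan start must be earlier than end")
    return start, end
```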

Post-Processing

The run query action performs light post-processing of the raw results from Sentinel to ease the use of the data within SOAR. Notably, it aggregates all returned tables into a single result set and sets the SentinelTableName property on the individual objects. Most of the time, only a PrimaryResult table is returned.
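The merge step described above, written out as an added example (not the connector's implementation). The sample response is constructed and assumes the Log Analytics query API shape of a tables list with named columns and row arrays; max_rows mirrors the run query action parameter.

```python
from typing import Any, Dict, List

# Constructed response in the shape the Log Analytics query API returns
# (assumption): a list of tables, each with named columns and row arrays.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "IncidentNumber", "type": "int"},
                {"name": "Severity", "type": "string"},
            ],
            "rows": [
                ["2024-01-01T10:00:00Z", 101, "High"],
                ["2024-01-01T11:00:00Z", 102, "Low"],
            ],
        },
        {
            "name": "SecondaryResult",
            "columns": [{"name": "TimeGenerated", "type": "datetime"}],
            "rows": [["2024-01-01T12:00:00Z"]],
        },
    ]
}


def flatten_tables(response: Dict[str, Any], max_rows: int = 3000) -> List[Dict[str, Any]]:
    """Merge every returned table into one list of row dicts.

    Each row is keyed by column name and tagged with SentinelTableName so
    the originating table survives the merge. max_rows mirrors the action
    parameter and stops the merge once the cap is reached.
    """
    rows: List[Dict[str, Any]] = []
    for table in response.get("tables", []):
        columns = [c["name"] for c in table.get("columns", [])]
        for values in table.get("rows", []):
            if len(rows) >= max_rows:
                return rows
            if len(values) != len(columns):
                raise ValueError(f"row width {len(values)} != {len(columns)} columns")
            record = dict(zip(columns, values))
            record["SentinelTableName"] = table.get("name", "")
            rows.append(record)
    return rows
```

If a query projects its own column named SentinelTableName, the tag written here overwrites it.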

Configuration Variables

The configuration variables below are required for this connector to operate. They are specified when configuring a Sentinel asset in SOAR.

VARIABLE REQUIRED TYPE DESCRIPTION
tenant_id required string Tenant ID (e.g. 1e309abf-db6c-XXXX-a1d2-XXXXXXXXXXXX)
subscription_id required string The ID of the target subscription
resource_group_name required string The name of the resource group. The name is case insensitive
workspace_name required string The name of the workspace
workspace_id required string The id of the workspace
client_id required string Application (client) ID assigned to your Graph Security API app
client_secret required password Client Secret
first_run_max_incidents optional numeric Maximum number of incidents to ingest on the first scheduled poll
start_time_scheduled_poll optional string Start Time for Schedule/Manual POLL (Use this format: 1970-01-01T00:00:00Z)

Supported Actions

test connectivity - Validate the asset configuration for connectivity
on poll - Callback action for the on_poll ingest functionality
get incident - Gets a given incident
get incident entities - Gets all entities for an incident
get incident alerts - Gets all alerts for an incident
list incidents - Gets all incidents
update incident - Updates an existing incident
add incident comment - Creates a new incident comment
run query - Queries the Sentinel Log Analytics workspace for data using KQL

action: 'test connectivity'

Validate the asset configuration for connectivity

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
container_count optional Number of events to generate numeric
artifact_count optional Number of artifacts to generate per event numeric

Action Output

No Output

action: 'get incident'

Gets a given incident

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_name required Incident Name string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.incident_name string
action_result.data.*.etag string
action_result.data.*.id string
action_result.data.*.name string mssentinel incident name
action_result.data.*.properties.additionalData.alertsCount numeric
action_result.data.*.properties.additionalData.bookmarksCount numeric
action_result.data.*.properties.additionalData.commentsCount numeric
action_result.data.*.properties.createdTimeUtc string
action_result.data.*.properties.incidentNumber numeric
action_result.data.*.properties.incidentUrl string
action_result.data.*.properties.labels.*.labelName string
action_result.data.*.properties.labels.*.labelType string
action_result.data.*.properties.lastModifiedTimeUtc string
action_result.data.*.properties.owner.assignedTo string
action_result.data.*.properties.owner.email string
action_result.data.*.properties.owner.objectId string
action_result.data.*.properties.owner.userPrincipalName string
action_result.data.*.properties.severity string
action_result.data.*.properties.status string
action_result.data.*.properties.title string
action_result.data.*.type string
action_result.summary.incident_id string mssentinel incident id
action_result.summary.incident_name string mssentinel incident name
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get incident entities'

Gets all entities for an incident

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_name required Incident Name string mssentinel incident name

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.incident_name string
action_result.data.entities.*.id string
action_result.data.entities.*.kind string
action_result.data.entities.*.name string
action_result.summary.total_entities string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'get incident alerts'

Gets all alerts for an incident

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_name required Incident Name string mssentinel incident name

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.incident_name string
action_result.data.*.id string mssentinel alert id
action_result.data.*.kind string
action_result.data.*.name string
action_result.data.*.properties.alertDisplayName string
action_result.data.*.properties.confidenceLevel string
action_result.data.*.properties.endTimeUtc string
action_result.data.*.properties.friendlyName string
action_result.data.*.properties.processingEndTime string
action_result.data.*.properties.severity string
action_result.data.*.properties.startTimeUtc string
action_result.data.*.properties.status string
action_result.data.*.properties.systemAlertId string
action_result.data.*.properties.timeGenerated string
action_result.data.*.properties.vendorName string
action_result.data.*.type string
action_result.summary.total_alerts numeric
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'list incidents'

Gets all incidents

Type: investigate
Read only: True

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
limit required Maximum number of incidents to list numeric
filter optional Filters the results, based on a Boolean condition string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.filter string
action_result.parameter.limit numeric
action_result.data.*.etag string
action_result.data.*.id string
action_result.data.*.name string mssentinel incident id
action_result.data.*.properties.additionalData.alertsCount numeric
action_result.data.*.properties.additionalData.bookmarksCount numeric
action_result.data.*.properties.additionalData.commentsCount numeric
action_result.data.*.properties.createdTimeUtc string
action_result.data.*.properties.incidentNumber numeric
action_result.data.*.properties.incidentUrl string
action_result.data.*.properties.labels.*.labelName string
action_result.data.*.properties.labels.*.labelType string
action_result.data.*.properties.lastModifiedTimeUtc string
action_result.data.*.properties.owner.assignedTo string
action_result.data.*.properties.owner.email string
action_result.data.*.properties.owner.objectId string
action_result.data.*.properties.owner.userPrincipalName string
action_result.data.*.properties.severity string
action_result.data.*.properties.status string
action_result.data.*.properties.title string
action_result.data.*.type string
action_result.summary.total_incidents numeric
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'update incident'

Updates an existing incident

Type: generic
Read only: False

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_name required Incident Name string
severity optional Updated severity of the incident string
status optional Updated status of the incident string
title optional Updated title of the incident string
description optional Updated description of the incident string
owner_upn optional Updated owner (userPrincipalName) string
classification optional The reason the incident was closed. Only updated when status is updated to Closed string
classification_comment optional Describes the reason the incident was closed. Only updated when status is updated to Closed string
classification_reason optional The classification reason the incident was closed with. Only updated when status is updated to Closed string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.classification string
action_result.parameter.classification_comment string
action_result.parameter.classification_reason string
action_result.parameter.description string
action_result.parameter.incident_name string
action_result.parameter.owner_upn string
action_result.parameter.severity string
action_result.parameter.status string
action_result.parameter.title string
action_result.data.*.etag string
action_result.data.*.id string
action_result.data.*.name string mssentinel incident name
action_result.data.*.properties.additionalData.alertsCount numeric
action_result.data.*.properties.additionalData.bookmarksCount numeric
action_result.data.*.properties.additionalData.commentsCount numeric
action_result.data.*.properties.createdTimeUtc string
action_result.data.*.properties.incidentNumber numeric
action_result.data.*.properties.incidentUrl string
action_result.data.*.properties.labels.*.labelName string
action_result.data.*.properties.labels.*.labelType string
action_result.data.*.properties.lastModifiedTimeUtc string
action_result.data.*.properties.owner.assignedTo string
action_result.data.*.properties.owner.email string
action_result.data.*.properties.owner.objectId string
action_result.data.*.properties.owner.userPrincipalName string
action_result.data.*.properties.severity string
action_result.data.*.properties.status string
action_result.data.*.properties.title string
action_result.data.*.type string
action_result.summary.incident_id string mssentinel incident id
action_result.summary.incident_name string mssentinel incident name
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'add incident comment'

Creates a new incident comment

Type: generic
Read only: False

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
incident_name required Incident Name string
message required The comment message string

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.incident_name string
action_result.parameter.message string
action_result.data.*.id string
action_result.data.*.name string
action_result.data.*.properties.author.email string
action_result.data.*.properties.author.name string
action_result.data.*.properties.author.objectId string
action_result.data.*.properties.author.userPrincipalName string
action_result.data.*.properties.createdTimeUtc string
action_result.data.*.properties.lastModifiedTimeUtc string
action_result.data.*.properties.message string
action_result.data.*.type string
action_result.summary string
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric

action: 'run query'

Queries the Sentinel Log Analytics workspace for data using KQL

Type: generic
Read only: False

Action Parameters

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
query required Query in KQL (for example, "SecurityIncident" will retrieve the Sentinel incidents table) string
timespan optional Time Interval in ISO 8601 Duration format. For example, "P7D" for last 7 days or an interval like "2007-03-01T13:00:00Z/2008-05-11T15:30:00Z" string
max_rows required Maximum number of rows to return in the result. Defaults to 3000 numeric

Action Output

DATA PATH TYPE CONTAINS
action_result.status string
action_result.parameter.max_rows numeric
action_result.parameter.query string
action_result.parameter.timespan string
action_result.data.*.TimeGenerated string
action_result.summary.total_rows numeric
action_result.message string
summary.total_objects numeric
summary.total_objects_successful numeric