IBM Security QRadar SOAR


Microsoft Azure Sentinel for IBM SOAR Not working

  • 1.  Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Wed November 08, 2023 06:25 AM

    Hello there,
    I was integrating the app and am able to get the Sentinel incidents into SOAR using the default incident_create_template.jinja. But the problem is that I am unable to get most of the fields using the template. I feel something is wrong and need your help to understand the problem.

    The logs show there is an issue with the JSON; please see below.

    Invalid JSON result: {  "name": "Sentinel Incident 164292 - NRT User added to Azure Active Directory Privileged Groups", "discovered_date": 1699428538000, "start_date":  1699428166000 , "description": { "format": "text", "content": "This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles" },   "plan_status": "A", "severity_code": "Medium", "properties": { "sentinel_incident_number": "***", "sentinel_incident_id": "***", "sentinel_incident_status": "***", "sentinel_incident_url": "***'blank' href='https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67a2e300-52b5-4021-a513-dc7f202cb569/resourceGroups/bnlwe-p-fs-sentinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwe-fs02-p-la-01/providers/Microsoft.SecurityInsights/Incidents/117187b6-899d-495d-ac43-1535aec591de'>Sentinel Incident</a>", "sentinel_incident_classification": "***"sentinel_incident_classification_reason": "***"sentinel_incident_classification_comment": "***"sentinel_incident_assigned_to": "***", "sentinel_incident_labels": "***"sentinel_incident_tactics": "***", "sentinel_profile": "unilever" "affected_deviceapplicationwebsite" : "other", "asset_type" : "Unknown", "business_type" : "Internal", "category" : "Others", "channel" : "Reporting Device", "mco" : "Global", "mitre_tactics" : "NA", "priority" : "P3", "reporting_device" : "Other", "tag" : "NA" }  }

    Most of the fields are coming through blank or as *****, which I feel is a problem. If I remove the below section from the template then it works, but it is of no use to the integration.

    "properties": {
        "sentinel_incident_number": "{{ name|e }}",
        "sentinel_incident_id": "{{ properties.incidentNumber }}",
        "sentinel_incident_status": "{{ properties.status }}",
        "sentinel_incident_url": "<a target='blank' href='{{ properties.incidentUrl }}'>Sentinel Incident</a>",
        "sentinel_incident_classification": "{{ properties.classification }}",
        "sentinel_incident_classification_reason": "{{ properties.classificationReason }}",
        "sentinel_incident_classification_comment": "{{ properties.classificationComment|replace('"', '\"') }}",
        "sentinel_incident_assigned_to": "{{ properties.owner.assignedTo }}",
        "sentinel_incident_labels": "{{ properties.labels|join(' ') }}",
        "sentinel_incident_tactics": "{{ properties.additionalData.tactics|join(' ') }}",



    ------------------------------
    S Joshi
    SOAR Admin
    ------------------------------


  • 2.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Thu November 09, 2023 08:46 AM

    Hi Srinivas,

    The stars '***' you see in the logs are part of obfuscation logic we have to hide sensitive IDs. We are updating this logic in a newer version of resilient-circuits as it hides too much information.

    The section of the template you show looks good, but try a couple of things:

    • change `|replace('"', '\"')` to `| safe`. This logic will do the same escaping of double quotes.
    • make sure the last key/value pair does not have a trailing comma. Some JSON parsers will return an error when that is encountered.

    Hope this helps.



    ------------------------------
    Mark Scherfling
    ------------------------------
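The two points in the reply above (how double quotes inside a Sentinel field reach the rendered JSON, and the trailing comma) are easy to reproduce offline. The following is an added example, written for this page and not code from the thread or from the IBM Sentinel app: it renders a cut-down incident_create template with Jinja2 against a constructed incident whose title and classification comment contain double quotes, then checks whether the output parses as JSON. Both template strings are my own, modelled on the snippet posted in the question; the sample incident has the field layout of the Incidents List API but made-up values.

```python
# Added example (not from the thread or from the IBM Sentinel app): render a
# cut-down incident_create template with Jinja2 and check that the output is
# valid JSON. The incident is constructed to look like an Incidents List API
# response; both template strings are my own, modelled on the posted snippet.
import json

from jinja2 import BaseLoader, Environment, StrictUndefined

# Constructed sample: field names follow the API, values are made up.
SAMPLE_INCIDENT = {
    "name": "cd3e3e26-321c-4dd8-a04a-3cc24fc0dbe6",
    "properties": {
        "title": 'DLP policy "External report" matched',
        "severity": "Low",
        "status": "New",
        "incidentNumber": 176362,
        "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/example",
        "classification": None,
        "classificationComment": 'Analyst note: "benign", closing',
        "owner": {"assignedTo": None},
        "labels": ["dlp", "external"],
        "additionalData": {"tactics": ["Exfiltration"]},
        "providerName": "Microsoft 365 Defender",
    },
}

# Template in the style of the posted snippet: each value is quoted by hand in
# the template text, `replace('"', '\"')` is used (Jinja decodes the '\"'
# literal to a plain quote, so the replace is a no-op), None renders as the
# word None, and the last key carries a trailing comma.
BROKEN_TEMPLATE = r'''{
  "name": "{{ properties.title }}",
  "properties": {
    "sentinel_incident_classification_comment": "{{ properties.classificationComment|replace('"', '\"') }}",
    "sentinel_incident_assigned_to": "{{ properties.owner.assignedTo }}",
  }
}'''

# Same fields, but every value goes through Jinja's built-in `tojson` filter,
# which emits a complete JSON literal (quotes, escapes, null for None), so the
# template text contains no hand-written quotes around values and no trailing
# comma.
FIXED_TEMPLATE = r'''{
  "name": {{ ("Sentinel Incident " ~ properties.incidentNumber ~ " - " ~ properties.title)|tojson }},
  "description": {"format": "text", "content": {{ properties.title|tojson }} },
  "properties": {
    "sentinel_incident_number": {{ properties.incidentNumber|tojson }},
    "sentinel_incident_status": {{ properties.status|tojson }},
    "sentinel_incident_url": {{ ("<a target='_blank' href='" ~ properties.incidentUrl ~ "'>Sentinel Incident</a>")|tojson }},
    "sentinel_incident_classification": {{ properties.classification|tojson }},
    "sentinel_incident_classification_comment": {{ properties.classificationComment|tojson }},
    "sentinel_incident_assigned_to": {{ properties.owner.assignedTo|tojson }},
    "sentinel_incident_labels": {{ properties.labels|join(' ')|tojson }},
    "sentinel_incident_tactics": {{ properties.additionalData.tactics|join(' ')|tojson }}
  }
}'''


def render(template_src: str, incident: dict) -> str:
    """Render one template against one incident; undefined names raise."""
    env = Environment(loader=BaseLoader(), undefined=StrictUndefined)
    return env.from_string(template_src).render(**incident)


def render_to_json(template_src: str, incident: dict):
    """Return (parsed, None) on success or (None, error) when the rendered text
    is not JSON, mirroring the 'Invalid JSON result' message seen in the logs."""
    rendered = render(template_src, incident)
    try:
        return json.loads(rendered), None
    except json.JSONDecodeError as exc:
        return None, f"Invalid JSON result at offset {exc.pos}: {exc.msg}"


if __name__ == "__main__":
    for label, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        parsed, err = render_to_json(template, SAMPLE_INCIDENT)
        print(label, "->", err or json.dumps(parsed, indent=2))
```

Run it and the broken template fails to parse as soon as the first quoted field is reached, while the fixed one yields a dictionary with the comment text, quotes included, and a real null for the unassigned owner. `tojson` also escapes `<`, `>` and `'` as `\u003c`-style sequences, which JSON readers decode back to the original characters, so the anchor tag survives intact.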



  • 3.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Tue November 14, 2023 12:56 AM

    Hello Mark, 

    Thanks for the inputs; it works just fine now.

    I wanted to understand: is it possible to pull only the incidents based on the product name? For example, if the Sentinel incident has the product name "Microsoft Sentinel", only those incidents should be pushed to SOAR.

    As we have new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium","Low"]



    ------------------------------
    Srinivas Joshi
    ------------------------------



  • 4.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Tue November 14, 2023 08:06 AM

    Hi Srinivas,

    Try a filter with the name "providerName":

    new_incident_filters: "providerName": ["Microsoft Sentinel", "Azure Sentinel"]

    That field is part of an incident, but I can't tell from the API docs if it's a filter. I also see a different reference to "Microsoft Sentinel" / "Azure Sentinel" in the example response. So, try both.

    https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2023-02-01&tabs=HTTP



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 5.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Tue November 14, 2023 08:21 AM

    Hello Mark,

    I used the below, but it seems like it pulled everything that was in the queue. Let me try adding only one at a time and see if it works.

    Correct me if I am wrong: with the below filter, we should get only the incidents matching the status, severity and provider name.

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Microsoft Sentinel"]



    ------------------------------
    Srinivas Joshi
    ------------------------------



  • 6.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Tue November 14, 2023 08:51 AM

    Srinivas,

    Your syntax looks correct; I would add "Azure Sentinel" to the list: "providerName": ["Microsoft Sentinel", "Azure Sentinel"].

    I'm seeing some notes that the syntax for that field may be: "properties/providerName". Sorry for not being specific as I don't have an environment spun up at the moment.

    Regards,



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 7.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Wed November 15, 2023 09:47 PM

    Hello Mark, 

    I tried different ways, but am unable to achieve what is needed. Attaching the sample API response here in case it helps, as I have an environment set up.

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "properties.additionalData.alertProductNames": ["Azure Sentinel"]

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "properties.providerName": ["Azure Sentinel"]

    Both did not work. Am I missing something? Not sure.

    The API response for a single incident is as below.



    ------------------------------
    Srinivas Joshi
    ------------------------------



  • 8.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Wed November 15, 2023 09:49 PM
    {
        "id": "/subscriptions/67a2e300-52b5-4xxxxxxxxx021-a513-/resourceGroups/bnlxxxxxxxxl-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwe-fsxxxxxxxxproviders/Microsoft.SecurityInsights/Incidents/cd3e3e26-321c-4dd8-a04a-3cc24fc0dbe6",
        "name": "cd3e3e26-321c-4xxxxxxxcc24fc0dbe6",
        "etag": "\"8b00807e-000xxxxxxx000-6554548b0000\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "DLP policy (ubject ([External] -  report)",
            "severity": "Low",
            "status": "New",
            "owner": {
                "objectId": null,
                "email": null,
                "assignedTo": null,
                "userPrincipalName": null
            },
            "labels": [],
            "firstActivityTimeUtc": "2023-11-15T05:06:00Z",
            "lastActivityTimeUtc": "2023-11-15T05:07:00Z",
            "lastModifiedTimeUtc": "2023-11-15T05:12:22.12Z",
            "createdTimeUtc": "2023-11-15T05:12:22.08Z",
            "incidentNumber": 176362,
            "additionalData": {
                "alertsCount": 1,
                "bookmarksCount": 0,
                "commentsCount": 0,
                "alertProductNames": [
                    "Microsoft Data Loss Prevention"
                ],
                "tactics": [
                    "Exfiltration"
                ],
                "providerIncidentUrl": "https://security.microsoft.com/incidents/1395328?tid=f66xxxxxxxx8a6ff9f8e6e"
            },
            "relatedAnalyticRuleIds": [],
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67xxxxxxxxx-dc7f202cb569/resourceGroups/bnlxxxxxxxtinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlxxxxxxxxxxx-01/providers/Microsoft.SecurityInsights/Incidents/cd3e3e26-321c-4dd8-a04a-3cc24fc0dbe6",
            "providerName": "Microsoft 365 Defender",
            "providerIncidentId": "1395328"
        }
    }


    ------------------------------
    Srinivas Joshi
    ------------------------------



  • 9.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Thu November 16, 2023 08:20 AM

    I checked the code and the correct field specification is 'providerName', not 'properties.providerName'. I tested this filter set against your sample and it worked correctly:

    "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Microsoft 365 Defender"]

    I think the only item in question is what value is correct for providerName? It seems you tested 'Azure Sentinel' and 'Microsoft Sentinel'. Do the logs indicate other providerName values may be used?


    ------------------------------
    Mark Scherfling
    ------------------------------
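The matching that a new_incident_filters allow-list implies can be prototyped offline against the JSON responses posted in this thread, which makes it quick to see which key names and values a filter line actually selects. The block below is an added example written for this page, my own code and not the IBM app's. Two assumptions are labelled in the comments: that the app.config value is the body of a JSON object, so wrapping it in braces parses it, and that each filter key is looked up directly under the incident's "properties" object, which is how the reply above ("providerName", not "properties.providerName") reads. The dotted-path and list-valued handling goes beyond what the thread confirms the app does; it is there so a filter idea such as "additionalData.alertProductNames" can be tried locally before relying on it. The sample incidents are constructed with the same field layout as the posted responses; the "Azure Sentinel" providerName on the rule-generated one is taken from the Incidents List API documentation example, not from this thread's logs.

```python
# Added example (my own code, not the IBM Sentinel app's): prototype the
# allow-list matching that a new_incident_filters line implies, against
# incidents shaped like the Incidents List API responses in this thread.
import json

# Constructed samples: same field layout as the posted responses, made-up
# values. The "Azure Sentinel" providerName for a rule-generated incident is
# taken from the API documentation example, not from this thread's logs.
SAMPLE_INCIDENTS = [
    {
        "name": "defender-1",
        "properties": {
            "title": "DLP policy matched",
            "severity": "Low",
            "status": "New",
            "additionalData": {"alertProductNames": ["Microsoft Data Loss Prevention"], "tactics": ["Exfiltration"]},
            "relatedAnalyticRuleIds": [],
            "providerName": "Microsoft 365 Defender",
        },
    },
    {
        "name": "sentinel-1",
        "properties": {
            "title": "NRT User added to Azure Active Directory Privileged Groups",
            "severity": "Medium",
            "status": "Active",
            "additionalData": {"alertProductNames": ["Azure Sentinel"], "tactics": ["PrivilegeEscalation"]},
            "relatedAnalyticRuleIds": ["/subscriptions/example-sub/resourceGroups/example-rg/providers/Microsoft.OperationalInsights/workspaces/example-ws/providers/Microsoft.SecurityInsights/alertRules/rule-1"],
            "providerName": "Azure Sentinel",
        },
    },
    {
        "name": "closed-1",
        "properties": {
            "title": "Old Defender incident",
            "severity": "High",
            "status": "Closed",
            "additionalData": {"alertProductNames": ["Microsoft Cloud App Security"], "tactics": []},
            "relatedAnalyticRuleIds": [],
            "providerName": "Microsoft 365 Defender",
        },
    },
]


def parse_filters(config_value: str) -> dict:
    """Assumption: app.config holds the inside of a JSON object, e.g.
    "status": ["New"], "severity": ["High"]; wrap it in braces to parse it."""
    return json.loads("{" + config_value + "}")


def lookup(properties: dict, key: str):
    """Resolve a filter key under "properties". "providerName" is a direct key;
    "additionalData.alertProductNames" walks one level per dot (my extension,
    not something the thread confirms the app supports)."""
    value = properties
    for part in key.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def incident_matches(incident: dict, filters: dict) -> bool:
    """Every filter key must match. A list-valued field matches when any of its
    elements is allowed (an empty list never matches). Comparison is exact and
    case-sensitive, so "new" does not match "New"."""
    props = incident.get("properties", {})
    for key, allowed in filters.items():
        value = lookup(props, key)
        if isinstance(value, list):
            if not any(item in allowed for item in value):
                return False
        elif value not in allowed:
            return False
    return True


def filter_incidents(incidents, filters):
    return [inc for inc in incidents if incident_matches(inc, filters)]


def matching_names(config_value: str) -> list:
    """Names of the sample incidents selected by one new_incident_filters line."""
    return [inc["name"] for inc in filter_incidents(SAMPLE_INCIDENTS, parse_filters(config_value))]


if __name__ == "__main__":
    for cfg in (
        '"status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Microsoft 365 Defender"]',
        '"status": ["New", "Active"], "providerName": ["Azure Sentinel", "Microsoft Sentinel"]',
        '"status": ["New", "Active"], "properties.providerName": ["Azure Sentinel"]',
        '"additionalData.alertProductNames": ["Azure Sentinel"]',
    ):
        print(cfg, "->", matching_names(cfg))
```

Under these assumptions a "properties.providerName" key never matches, because there is no "properties" key inside the properties object, which is consistent with the empty results reported earlier in the thread; a plain "providerName" key matches only incidents whose provider string is exactly one of the listed values. Paste a real response into SAMPLE_INCIDENTS to check what a candidate filter line would select before changing app.config.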



  • 10.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Fri November 17, 2023 04:04 AM

    Hello Mark, 

    Really appreciate your support as always :) 

    Though I tried the way you mentioned above, it is still fetching all of the incidents into SOAR. I am not sure what the reason is. I am pasting the app.config here and also the JSON response for one of the incidents that I pulled today. If needed, I can share the logs in debug mode (which I have), but not here; maybe in a separate mail (if you provide one).

    It would be very helpful if this can be fixed ASAP, as the org wants the Sentinel integration to go live from the start of next week.

    Also, I want to know whether, instead of providerName, we can use Title, so that we only bring in rule-based incidents. If yes, please let me know if the below can be done for the same.

    I have tried both of the below and do not get the right results.

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "properties.providerName": ["Azure Sentinel"] 

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Azure Sentinel"]

    Can the below be used for title-based incident polling (for the example below)?

    new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "title": ["Investigation priority score increase involving one user"]

    Please do share your email if you would like to see the logs. 

    {
        "id": "/subscriptions/67a2e300-52b5-40XXXXXXXXX02cb569/resourceGroups/bnlweXXXXXXXXX-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwXXXXXXXXXproviders/Microsoft.SecurityInsights/Incidents/2bad5559XXXXXXXXXb10-69087223a070",
        "name": "2bad5559-f07f-42b6-8b10-69087223a070",
        "etag": "\"9f0024ac-0000-0d00-0000-6557101f0000\"",
        "type": "Microsoft.SecurityInsights/Incidents",
        "properties": {
            "title": "Investigation priority score increase involving one user",
            "severity": "Medium",
            "status": "New",
            "owner": {
                "objectId": null,
                "email": null,
                "assignedTo": null,
                "userPrincipalName": null
            },
            "labels": [],
            "firstActivityTimeUtc": "2023-11-17T00:13:11.121Z",
            "lastActivityTimeUtc": "2023-11-17T06:48:44.671Z",
            "lastModifiedTimeUtc": "2023-11-17T06:55:18.4466667Z",
            "createdTimeUtc": "2023-11-17T06:55:18.43Z",
            "incidentNumber": 180640,
            "additionalData": {
                "alertsCount": 1,
                "bookmarksCount": 0,
                "commentsCount": 0,
                "alertProductNames": [
                    "Microsoft Cloud App Security"
                ],
                "tactics": [],
                "providerIncidentUrl": "https://security.microsoft.com/incidents/1398763?tid=f66fae02-5d36-495b-bfe0-78a6ff9f8e6e"
            },
            "relatedAnalyticRuleIds": [],
            "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67a2e300-52b5-4021-a513-dc7f202cb569/resourceGroups/bnlwXXXXXXXxntinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwXXXXXXa-01/providers/Microsoft.SecurityInsights/Incidents/XXXXXXXXXX223a070",
            "providerName": "Microsoft 365 Defender",
            "providerIncidentId": "1398763"
        }
    }


    ------------------------------
    Srinivas Joshi
    ------------------------------



  • 11.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Fri November 17, 2023 08:47 AM

    Joshi,

    I'd recommend opening a Support Case so we can review logs and discuss steps in a more structured manner.

    Regards,

    Mark



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 12.  RE: Microsoft Azure Sentinel for IBM SOAR Not working

    Posted Mon November 20, 2023 02:03 AM

    Hello Mark,

    Thanks for the suggestion. 

    TS014772249 has been raised for the same.



    ------------------------------
    Srinivas Joshi
    ------------------------------