Original Message:
Sent: Fri November 17, 2023 08:47 AM
From: Mark Scherfling
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Joshi,
I'd recommend opening a Support Case so we can review logs and discuss steps in a more structured manner.
Regards,
Mark
------------------------------
Mark Scherfling
Original Message:
Sent: Fri November 17, 2023 04:03 AM
From: Srinivas Joshi
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hello Mark,
Really appreciate your support as always :)
Though I tried the way you mentioned above, still fetching all of the incidents to SOAR. Not sure what is the reason, I am pasting the app.config here and also the JSON response for one of the incidents that I pulled today. If needed, I can share you the logs in debug mode(which I have) but not here, may be in a separate mail(if you provide)
It would be very helpful if this can be fixed asap. Org wants the Sentinel integration to go live by Next week starting.
Also want to know instead of providerName, if we can use Title, so that we can only bring the incidents with Rule based. If Yes, Please let me know if the below can be done for the same.
I have treid both below and does not get the right results.
new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "properties.providerName": ["Azure Sentinel"]
new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Azure Sentinel"]
If the below can be used for Title based incident polling
new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "title": ["Investigation priority score increase involving one user"] - For below example.
Please do share your email if you would like to see the logs.
"id": "/subscriptions/67a2e300-52b5-40XXXXXXXXX02cb569/resourceGroups/bnlweXXXXXXXXX-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwXXXXXXXXXproviders/Microsoft.SecurityInsights/Incidents/2bad5559XXXXXXXXXb10-69087223a070", "name": "2bad5559-f07f-42b6-8b10-69087223a070", "etag": "\"9f0024ac-0000-0d00-0000-6557101f0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "Investigation priority score increase involving one user", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2023-11-17T00:13:11.121Z", "lastActivityTimeUtc": "2023-11-17T06:48:44.671Z", "lastModifiedTimeUtc": "2023-11-17T06:55:18.4466667Z", "createdTimeUtc": "2023-11-17T06:55:18.43Z", "incidentNumber": 180640, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Microsoft Cloud App Security" ], "tactics": [], "providerIncidentUrl": "https://security.microsoft.com/incidents/1398763?tid=f66fae02-5d36-495b-bfe0-78a6ff9f8e6e" }, "relatedAnalyticRuleIds": [], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67a2e300-52b5-4021-a513-dc7f202cb569/resourceGroups/bnlwXXXXXXXxntinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwXXXXXXa-01/providers/Microsoft.SecurityInsights/Incidents/XXXXXXXXXX223a070", "providerName": "Microsoft 365 Defender", "providerIncidentId": "1398763" }}
------------------------------
Srinivas Joshi
Original Message:
Sent: Thu November 16, 2023 08:20 AM
From: Mark Scherfling
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
I checked the code and the correct field specification is 'providerName', not 'properties.providerName'. I tested this filter set against your sample and it worked correctly:
"status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Microsoft 365 Defender"]
I think the only item in question is what value is correct for providerName? It seems you tested 'Azure Sentinel' and 'Microsoft Sentinel'. Do the logs indicate other providerName values may be used?
------------------------------
Mark Scherfling
Original Message:
Sent: Wed November 15, 2023 09:49 PM
From: Srinivas Joshi
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
"id": "/subscriptions/67a2e300-52b5-4xxxxxxxxx021-a513-/resourceGroups/bnlxxxxxxxxl-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwe-fsxxxxxxxxproviders/Microsoft.SecurityInsights/Incidents/cd3e3e26-321c-4dd8-a04a-3cc24fc0dbe6",
"name": "cd3e3e26-321c-4xxxxxxxcc24fc0dbe6",
"etag": "\"8b00807e-000xxxxxxx000-6554548b0000\"",
"type": "Microsoft.SecurityInsights/Incidents",
"properties": {
"title": "DLP policy (ubject ([External] - report)",
"severity": "Low",
"status": "New",
"owner": {
"objectId": null,
"email": null,
"assignedTo": null,
"userPrincipalName": null
},
"labels": [],
"firstActivityTimeUtc": "2023-11-15T05:06:00Z",
"lastActivityTimeUtc": "2023-11-15T05:07:00Z",
"lastModifiedTimeUtc": "2023-11-15T05:12:22.12Z",
"createdTimeUtc": "2023-11-15T05:12:22.08Z",
"incidentNumber": 176362,
"additionalData": {
"alertsCount": 1,
"bookmarksCount": 0,
"commentsCount": 0,
"alertProductNames": [
"Microsoft Data Loss Prevention"
],
"tactics": [
"Exfiltration"
],
"providerIncidentUrl": "https://security.microsoft.com/incidents/1395328?tid=f66xxxxxxxx8a6ff9f8e6e"
},
"relatedAnalyticRuleIds": [],
"incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67xxxxxxxxx-dc7f202cb569/resourceGroups/bnlxxxxxxxtinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlxxxxxxxxxxx-01/providers/Microsoft.SecurityInsights/Incidents/cd3e3e26-321c-4dd8-a04a-3cc24fc0dbe6",
"providerName": "Microsoft 365 Defender",
"providerIncidentId": "1395328"
}
}
------------------------------
Srinivas Joshi
Original Message:
Sent: Tue November 14, 2023 08:50 AM
From: Mark Scherfling
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Srinivas,
Your syntax looks correct, I would add in "Azure Sentinel" to list: "providerName": ["Microsoft Sentinel", "Azure Sentinel"].
I'm seeing some notes that the syntax for that field may be: "properties/providerName". Sorry for not being specific as I don't have an environment spun up at the moment.
Regards,
------------------------------
Mark Scherfling
Original Message:
Sent: Tue November 14, 2023 08:21 AM
From: Srinivas Joshi
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hello Mark,
I used the below, but seems like it pulled everything was in the queue. Let me try adding only one at a time and see if it works.
Correct me if I am wrong, in the below filter, we should get the incidents only with Status, Severity and Provider Name.
new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "providerName": ["Microsoft Sentinel"]
------------------------------
Srinivas Joshi
Original Message:
Sent: Tue November 14, 2023 08:06 AM
From: Mark Scherfling
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hi Srinivas,
Try a filter with the name "providerName":
new_incident_filters: "providerName": ["Microsoft Sentinel", "Azure Sentinel"]
That field is part of an incident, but I can't tell from the API docs if it's a filter. I also see a different reference to "Microsoft Sentinel", "Azure Sentinel", in the example response. So, try both.
https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2023-02-01&tabs=HTTP
------------------------------
Mark Scherfling
Original Message:
Sent: Tue November 14, 2023 12:56 AM
From: Srinivas Joshi
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hello Mark,
Thanks for the inputs, it works just fine now.
Wanted to understand, is it possible to pull only the Incidents based on the product name, Like if the Sentinel incident is having product name as "Microsoft Sentinel" Only these incidents has to be pushed to SOAR.
As we have new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium","Low"]
------------------------------
Srinivas Joshi
Original Message:
Sent: Thu November 09, 2023 08:45 AM
From: Mark Scherfling
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hi Srinivas,
The stars '***' you see in the logs are part of obfuscation logic we have to hide sensitive IDs. We are updating this logic in a newer version of resilient-circuits as it hides too much information.
The section of the template you show looks good, but try a couple of things:
- change `|replace('"', '\"')` to `| safe`. This logic will do the same escaping of double quotes
- make sure the last key/value pair does not have a trailing comma. Some json parsers will return an error when that is encountered
Hope this helps.
------------------------------
Mark Scherfling
Original Message:
Sent: Wed November 08, 2023 04:03 AM
From: Srinivas Joshi
Subject: Microsoft Azure Sentinel for IBM SOAR Not working
Hello There,
Was integrating the App, am able to get the Sentinel incidents to SOAR using the default incident_create_template.jinja. But the problem is, unable to get the most of the fields using the template. Feel like something is wrong and need your help to understand the problem.
The logs shows there is an issue with the JSON, please see below.
Invalid JSON result: { "name": "Sentinel Incident 164292 - NRT User added to Azure Active Directory Privileged Groups", "discovered_date": 1699428538000, "start_date": 1699428166000 , "description": { "format": "text", "content": "This will alert when a user is added to any of the Privileged Groups. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities. For Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles" }, "plan_status": "A", "severity_code": "Medium", "properties": { "sentinel_incident_number": "***", "sentinel_incident_id": "***", "sentinel_incident_status": "***", "sentinel_incident_url": "***'blank' href='https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/67a2e300-52b5-4021-a513-dc7f202cb569/resourceGroups/bnlwe-p-fs-sentinel-rg/providers/Microsoft.OperationalInsights/workspaces/bnlwe-fs02-p-la-01/providers/Microsoft.SecurityInsights/Incidents/117187b6-899d-495d-ac43-1535aec591de'>Sentinel Incident</a>", "sentinel_incident_classification": "***"sentinel_incident_classification_reason": "***"sentinel_incident_classification_comment": "***"sentinel_incident_assigned_to": "***", "sentinel_incident_labels": "***"sentinel_incident_tactics": "***", "sentinel_profile": "unilever" "affected_deviceapplicationwebsite" : "other", "asset_type" : "Unknown", "business_type" : "Internal", "category" : "Others", "channel" : "Reporting Device", "mco" : "Global", "mitre_tactics" : "NA", "priority" : "P3", "reporting_device" : "Other", "tag" : "NA" } }
Most of the fields are coming as blank or ***** which I am feeling as a problem. If I remove the below section from the template then it works but it is of no use to the integration.
"properties": {
"sentinel_incident_number": "{{ name|e }}",
"sentinel_incident_id": "{{ properties.incidentNumber }}",
"sentinel_incident_status": "{{ properties.status }}",
"sentinel_incident_url": "<a target='blank' href='{{ properties.incidentUrl
}}'>Sentinel Incident</a>",
"sentinel_incident_classification": "{{ properties.classification }}",
"sentinel_incident_classification_reason": "{{ properties.classificationReason }}",
"sentinel_incident_classification_comment": "{{
properties.classificationComment|replace('"', '\"') }}",
"sentinel_incident_assigned_to": "{{ properties.owner.assignedTo }}",
"sentinel_incident_labels": "{{ properties.labels|join(' ') }}",
"sentinel_incident_tactics": "{{ properties.additionalData.tactics|join(' ') }}",
------------------------------
S Joshi
SOAR Admin
------------------------------