Articles in this section

See more

How to Integrate SIEM with Azure Sentinel

Ori Bargadda
  • Updated
Follow

Introduction

In this tutorial, you’ll learn how to integrate SIEM with Azure Sentinel using Votiro Solution for Microsoft Sentinel. Votiro Solution for Microsoft Sentinel is a collection of Data Connectors, Parser, Workbook and Analytic Rules that are used together to analyze data.

System prerequisites

Ensure you have the following:

n Linux machine with at least 4 CPU cores and 8 GB RAM
n Python 2.7 or 3 installed on the Linux machine
n Rsyslog: v8/Syslog-ng: 2.1 - 3.22.1
n Syslog RFC 3164/5424
n Download and unpack the file: Votiro-Offline.zip

Procedure

Manual/Offline Deployment

To test the solution before publishing, follow the below steps.

Deploy CEF Data Connector on Forwarder Machine

1. Sign in to the Azure portal.
2. Search for Microsoft Sentinel.

3. Select Microsoft Sentinel from Services.

4. Press + Create or Create Microsoft Sentinel to add Microsoft Sentinel to a Workspace::

5. Press + Create a new workspace:

6. Create a new Resource Group if it does not exist yet. Then create a new machine with the system requirements mentioned above → via Resource Group > Create > select Virtual Machine (Ubuntu 22.06 server is recommended):

7. Select the created workspace, then go to Content Hub > Select Common Event Format (CEF) and install it:

8. Once installed, go to your workspace > Data Connectors > Open Connector Page:

9. Follow the instructions in 1.2 below, Install the CEF collector on the Linux machine:

10. Verify that you have Python 2.7 or Python 3 installed on the Linux machine by running:

python --version or python3 --version

11. Copy the command below:

sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py [WorkspaceID][Workspace Primary Key]

Note: You must have the GNU Wget package installed on the Linux machine.

12. Paste the command into the command line on your log forwarder, and replace [WorkspaceID] and [Workspace Primary Key] with their values.
13. Run the command. This installs the CEF connector and Log Analytics Agent on the forwarder machine. Once done, the connector is now listening to events on TCP port 514.
14. Verify that the port used is indeed opened via the Virtual Machine’s Network settings:

Note: In this case, we used TCP port 514 (default) and Allow=any, but the best practice is to use the TLS protocol with other ports used and restrict to specific IPs pointed to specific NAT gateways. For example, in prod.us:

 

Deploy Parser Function

Follow the instructions to parse ingested data:

1. Copy the function code from the downloaded package file:
/Votiro-Offline/Parser/VotiroEvents.txt
2. On Microsoft Sentinel → Go to your created Workspace -> Logs
3. Paste the content of VotiroEvents.txt in the area as shown below:

4. Then click on Save > Save as function. Enter the Function name as VotiroEvents and click on Save:

5. Try running the query to see the following type of results (adjust the time range according to data ingested):

6. Results can be viewed in Local Time zone by changing the option in the bottom bar:

Deploy the Workbook

1. Copy the contents of the file:
/Votiro-Offline/Workbooks/Votiro Monitoring Dashboard.json
2. On Microsoft Sentinel, go to your WorkSpace > Workbooks > Add Workbook”:
3. On the New Workbook page, click on Edit > Advanced Editor icon:

4. Replace the Gallery template contents with the copied contents, and click on Apply:

5. The Following Workbook must be visible:
After a scroll

Set Alert Queries for Incidents

1. Go to /Votiro-Offline/Analytic Rules. Keep both Votiro File Blocked FromConnector.json and Votiro File Blocked in Email.json files ready.
2. On Microsoft Sentinel > Workspace, select Analytics.
3. Click Import (from the bar at the top of the screen) in the resulting dialog box, navigate to and select the JSON files one by one, and select Open:

4. Make sure that the status of each active rule is enabled:

5. Check for recent alerts or incidents on the Overview page. Incidents are also available on the Microsoft Sentinel > Incidents page.


Select the security efficiency workbook for a better view.

6. Alerts Logic:
n Votiro File Blocked From Connector: If the syslog message includes “blocked” under -Sanitization result- field and “false” under -password protected- field and “null” under -from- field create an alert with the following message: [file name] with hash [file hash] that was sent from connector [connector name] was blocked by Votiro due to Policy [policy name], see more detail in the following link [incident url]
n Votiro File Blocked in Email: If the syslog message includes “blocked” under -Sanitization result- field and “false” under -password protected- field and not “null” under -from- field create an alert with the following message: Attachment [file name] with the hash [file hash] was blocked in an email that was sent from user [from] to the following recipients [Recipients] by Votiro due to Policy [policy name], see more detail in the following link [incident URL]

Related articles

Comments

0 comments

Please sign in to leave a comment.