Microsoft Azure Security Center

The JSA DSM for Microsoft Azure Security Center collects security alerts, as JSON events, from Microsoft Azure Security Center by using the Microsoft Graph Security API protocol.

To integrate Microsoft Azure Security Center with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
    • Microsoft Azure Security Center DSM RPM

    • Microsoft Graph Security API Protocol RPM

  2. Configure Microsoft Azure Security Center so that JSA can read its alerts through the Microsoft Graph Security API: register an application for JSA in Azure Active Directory, grant it the SecurityEvents.Read.All application permission for Microsoft Graph, and have a tenant administrator consent to that permission. JSA collects the alerts by querying the API with the application's credentials; Security Center does not push events to JSA.
  3. Add a Microsoft Azure Security Center log source on the JSA Console.

Microsoft Azure Security Center DSM Specifications

Before you configure the Microsoft Azure Security Center log source, check the DSM specifications below: the protocol, the event format and the event types that the DSM records determine what JSA can collect, and confirming them up front avoids a log source that is created correctly but collects nothing.

The following table describes the specifications for the Microsoft Azure Security Center DSM.

Table 1: Microsoft Azure Security Center DSM Specifications

Specification                  Value
Manufacturer                   Microsoft
DSM name                       Microsoft Azure Security Center
RPM file name                  DSM-MicrosoftAzureSecurityCenter-JSA-version-Build_number.noarch.rpm
Protocol                       Microsoft Graph Security API
Event format                   JSON
Recorded event types           Security alert
Automatically discovered?      No
Includes identity?             No
Includes custom properties?    No
More information               Security alerts - a reference guide (Microsoft documentation)

Microsoft Graph Security API Protocol Log Source Parameters for Microsoft Azure Security Center

Add a Microsoft Azure Security Center log source on the JSA Console by using the Microsoft Graph Security API protocol.

The following table describes the parameters that require specific values to collect Microsoft Graph Security API events from Microsoft Azure Security Center:

Table 2: Microsoft Graph Security API log source parameters for the Microsoft Azure Security Center DSM

Log Source type
    Microsoft Azure Security Center

Protocol Configuration
    Microsoft Graph Security API

Log Source Identifier
    A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configure multiple Microsoft Azure Security Center log sources, you might want to identify the first log source as MASC-1, the second as MASC-2, and the third as MASC-3.

Tenant ID
    The Directory (tenant) ID of the Azure Active Directory tenant that holds the app registration. To find it, log in to the Azure portal and select Azure Active Directory > Overview, or select Azure Active Directory > App registrations > the application that you registered for JSA (Microsoft Graph Security App in this example) > Overview.

Client ID
    The Application (client) ID of the app registration. To find it, log in to the Azure portal and select Azure Active Directory > App registrations > Microsoft Graph Security App > Overview.

Client Secret
    A client secret of the app registration. To find or create one, log in to the Azure portal and select Azure Active Directory > App registrations > Microsoft Graph Security App > Certificates & secrets > Client secrets. If there is no client secret, create one there. The secret value is displayed only once, immediately after you create it, so copy it into the log source at that point; also note its expiry date, because the log source stops collecting when the secret expires and you must then create a new secret and update the log source.
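A pre-flight check for the values in Table 2, as an added example (it is not JSA's Microsoft Graph Security API protocol implementation, whose internals this page does not describe): it performs the OAuth 2.0 client-credentials grant with the same Tenant ID, Client ID and Client Secret, reads the application permissions carried in the returned token, and pulls one alert. Running it before you create the log source separates a bad secret or tenant from a missing admin consent, which otherwise both look like an empty log source. The endpoint URLs, the `.default` scope and the `SecurityEvents.Read.All` / `SecurityEvents.ReadWrite.All` permission names are Microsoft's; the function names, the `MASC_*` environment variables and the constructed sample tokens are this example's.

```python
"""Pre-flight check for the Table 2 credentials (added example; not JSA code).

Gets an app-only access token with the OAuth 2.0 client-credentials grant,
confirms the token carries an application permission that lets it read
Microsoft Graph Security API alerts, and fetches one alert. The request
builders are pure and run offline; the network calls run only when
MASC_TENANT_ID, MASC_CLIENT_ID and MASC_CLIENT_SECRET (names chosen for this
example) are set in the environment.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Either application permission allows reading /security/alerts.
ACCEPTED_ROLES = ("SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All")


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client-credentials grant against the tenant."""
    url = TOKEN_URL.format(tenant=urllib.parse.quote(tenant_id, safe=""))
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def alerts_request(top=1):
    """URL that fetches `top` alerts; $top is the Graph paging parameter."""
    return ALERTS_URL + "?" + urllib.parse.urlencode({"$top": top})


def token_roles(access_token):
    """Read the `roles` claim from an app-only token's payload.

    The signature is deliberately not verified: the token was just issued to
    us by the tenant's token endpoint over TLS and we are inspecting it, not
    accepting it from a third party. A missing admin consent shows up here as
    an empty roles list instead of as a 403 from Graph later.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # JWTs strip base64url padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload.get("roles", [])


def has_alert_read_permission(access_token):
    return any(role in ACCEPTED_ROLES for role in token_roles(access_token))


def _unsigned_jwt(claims):
    """Constructed token for the offline demonstration only: no signature."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return "eyJhbGciOiJub25lIn0." + payload + "."


# Constructed sample tokens: one for an app whose permission was consented, one without.
SAMPLE_CONSENTED = _unsigned_jwt({"roles": ["SecurityEvents.Read.All"],
                                  "app_displayname": "Microsoft Graph Security App"})
SAMPLE_NOT_CONSENTED = _unsigned_jwt({"app_displayname": "Microsoft Graph Security App"})


def check(tenant_id, client_id, client_secret):
    """Live check: obtain a token, verify the permission, return one alert."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    if not has_alert_read_permission(token):
        sys.exit("token carries no SecurityEvents.Read.All role: add the application "
                 "permission to the app registration and have an admin consent to it")
    req = urllib.request.Request(alerts_request(), headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("MASC_TENANT_ID", "MASC_CLIENT_ID", "MASC_CLIENT_SECRET")]
    if all(env):
        for alert in check(*env):
            print(alert["vendorInformation"]["provider"], alert["severity"], alert["title"])
    else:
        print("offline: consented ->", has_alert_read_permission(SAMPLE_CONSENTED),
              "| not consented ->", has_alert_read_permission(SAMPLE_NOT_CONSENTED))
```

A 401 from the token endpoint means the Tenant ID, Client ID or Client Secret in Table 2 is wrong or the secret has expired; a token without the role means the permission was added but never consented; an empty `value` list with a valid role usually just means the tenant has no alerts yet.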

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

Note

Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.

Microsoft Azure Security Center sample message when you use the Microsoft Graph Security API protocol

{
  "id": "1111d111-fa11-111a-11b1-c1e11c111a11",
  "azureTenantId": "00000001-0001-0001-0001-000000000001",
  "azureSubscriptionId": "",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": "",
  "category": "Malicious_IP",
  "closedDateTime": null,
  "comments": [],
  "confidence": 0,
  "createdDateTime": "2020-01-11T14:36:57.2738949Z",
  "description": "Network traffic analysis indicates that your devices communicated with what might be a Command and Control center for a malware of type Dridex. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.",
  "detectionIds": [],
  "eventDateTime": "2020-01-09T11:02:01Z",
  "feedback": null,
  "lastModifiedDateTime": "2020-01-11T14:37:05.1157187Z",
  "recommendedActions": [
    "1. Escalate the alert to your security administrator.",
    "2. Add the source IP address to your local FW block list for 24 hours. For more information, see Plan virtual networks (https://sub.domain.test/en-us/documentation/articles/virtual-networks-nsg/).",
    "3. Make sure your devices are completely updated and have updated antimalware installed.",
    "4. Run a full anti-virus scan and verify that the threat was removed.",
    "5. Install and run Microsoft’s Malicious Software Removal Tool (https://www.domain.test/en-us/security/pcsecurity/malware-removal.aspx).",
    "6. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run when you sign in. For more information, see Autoruns for Windows (https://technet.domain.test/en-us/sysinternals/bb963902.aspx).",
    "7. Run Process Explorer and try to identify any unknown processes that are running. For more information, see Process Explorer (https://technet.domain.test/en-us/sysinternals/bb896653.aspx)."
  ],
  "severity": "high",
  "sourceMaterials": [],
  "status": "newAlert",
  "title": "Network communication with a malicious IP",
  "vendorInformation": {
    "provider": "Azure Security Center",
    "providerVersion": "3.0",
    "subProvider": null,
    "vendor": "Microsoft"
  },
  "cloudAppStates": [],
  "fileStates": [],
  "hostStates": [
    {
      "fqdn": "abc-TestName.AAA111.ondomain.test",
      "isAzureAdJoined": null,
      "isAzureAdRegistered": null,
      "isHybridAzureDomainJoined": false,
      "netBiosName": "abc-TestName",
      "os": "",
      "privateIpAddress": null,
      "publicIpAddress": "172.16.37.125",
      "riskScore": "0"
    }
  ],
  "historyStates": [],
  "malwareStates": [
    {
      "category": "Trojan",
      "family": "Dridex",
      "name": "",
      "severity": "",
      "wasRunning": true
    }
  ],
  "networkConnections": [],
  "processes": [],
  "registryKeyStates": [],
  "triggers": [],
  "userStates": [
    {
      "aadUserId": "",
      "accountName": "TestName",
      "domainName": "AAA111.ondomain.test",
      "emailRole": "unknown",
      "isVpn": null,
      "logonDateTime": null,
      "logonId": "0",
      "logonIp": null,
      "logonLocation": null,
      "logonType": null,
      "onPremisesSecurityIdentifier": "",
      "riskScore": "0",
      "userAccountType": null,
      "userPrincipalName": "TestName@AAA111.ondomain.test"
    }
  ],
  "vulnerabilityStates": []
}

Table 3: Highlighted fields

JSA field name       Highlighted payload field name
Event Category       category
Log Source Time      eventDateTime
Username             accountName (in userStates)
Source IP            publicIpAddress (in hostStates)
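The mapping in Table 3 applied to the sample message, as an added example (it is not JSA's parser for this DSM): it pulls the four highlighted fields out of an alert, converts eventDateTime to an epoch timestamp while coping with the seven-digit fractional seconds that Graph emits (see createdDateTime in the sample), and returns None instead of failing when hostStates or userStates is empty, which is common for alerts that are not tied to a host or a user. It also flags that the sample's publicIpAddress is RFC 1918 space, which matters if a rule treats Source IP as an Internet address. The function names are this example's; the embedded alert is a trimmed copy of the page's sample.

```python
"""Map a Graph Security API alert to the JSA fields in Table 3 (added example; not JSA code)."""
import ipaddress
import json
from datetime import datetime, timezone

# Trimmed copy of the sample message above, cut down to the fields this example reads.
SAMPLE_ALERT = json.loads("""
{
  "id": "1111d111-fa11-111a-11b1-c1e11c111a11",
  "category": "Malicious_IP",
  "createdDateTime": "2020-01-11T14:36:57.2738949Z",
  "eventDateTime": "2020-01-09T11:02:01Z",
  "severity": "high",
  "status": "newAlert",
  "title": "Network communication with a malicious IP",
  "vendorInformation": {"provider": "Azure Security Center", "providerVersion": "3.0",
                        "subProvider": null, "vendor": "Microsoft"},
  "hostStates": [{"fqdn": "abc-TestName.AAA111.ondomain.test", "netBiosName": "abc-TestName",
                  "privateIpAddress": null, "publicIpAddress": "172.16.37.125"}],
  "userStates": [{"accountName": "TestName", "domainName": "AAA111.ondomain.test",
                  "userPrincipalName": "TestName@AAA111.ondomain.test"}]
}
""")


def parse_graph_time(value):
    """Graph timestamps are ISO 8601 UTC with up to seven fractional digits;
    datetime accepts at most six, so the fraction is truncated, not rejected."""
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1]
    if "." in value:
        main, frac = value.split(".", 1)
        value = main + "." + frac[:6]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def _first(items, key):
    """hostStates/userStates are lists and are often empty: first non-empty value, else None."""
    for item in items or []:
        if item.get(key):
            return item[key]
    return None


def normalize_alert(alert):
    """Return the Table 3 fields plus the ones a rule author usually wants next to them."""
    event_time = parse_graph_time(alert.get("eventDateTime"))
    source_ip = _first(alert.get("hostStates"), "publicIpAddress")
    return {
        "event_category": alert.get("category"),
        "log_source_time": int(event_time.timestamp() * 1000) if event_time else None,
        "username": _first(alert.get("userStates"), "accountName"),
        "source_ip": source_ip,
        # The sample's publicIpAddress is 172.16.0.0/12; flag it so a rule does not
        # treat the field name as a guarantee that the address is Internet-routable.
        "source_ip_is_private": bool(source_ip) and ipaddress.ip_address(source_ip).is_private,
        "severity": alert.get("severity"),
        "title": alert.get("title"),
        "provider": (alert.get("vendorInformation") or {}).get("provider"),
    }


if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```

Log Source Time is taken from eventDateTime (when the activity happened) rather than createdDateTime (when Security Center raised the alert); in the sample the two differ by two days, so a rule with a tight time window will behave very differently depending on which one the log source uses.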