Microsoft Azure Security Center
The JSA DSM for Microsoft Azure Security Center collects JSON events from Microsoft Azure Security Center by using the Microsoft Graph Security API protocol.
To integrate Microsoft Azure Active Directory with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
   - Microsoft Azure Security Center DSM RPM
   - Microsoft Graph Security API Protocol DSM
2. Configure Microsoft Azure Security Center to send events to JSA.
   Note: JSA supports events only from the Microsoft Azure Security Center provider. Events sent to JSA must have "provider:ASC" or "provider":"Azure Security Center" in the payload.
3. Add a Microsoft Azure Security Center log source on the JSA Console.
Microsoft Azure Security Center DSM Specifications
When you configure the Microsoft Azure Security Center, understanding the specifications for the Microsoft Azure Security Center DSM can help ensure a successful integration. For example, knowing what event format is supported for Microsoft Azure Security Center before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the Microsoft Azure Security Center DSM.
| Specification | Value |
|---|---|
| Manufacturer | Microsoft |
| DSM name | Microsoft Azure Security Center |
| RPM file name | DSM-MicrosoftAzureSecurityCenter-JSA-version-Build_number.noarch.rpm |
| Protocol | Microsoft Graph Security API |
| Event format | JSON |
| Recorded event types | Security alert |
| Automatically discovered? | No |
| Includes identity? | No |
| Includes custom properties? | No |
| More information | |
Microsoft Graph Security API Protocol Log Source Parameters for Microsoft Azure Security Center
Add a Microsoft Azure Security Center log source on the JSA Console by using the Microsoft Graph Security API protocol.
The following table describes the parameters that require specific values to collect Microsoft Graph Security API events from Microsoft Azure Security Center:
| Parameter | Value |
|---|---|
| Log Source type | Microsoft Azure Security Center |
| Protocol Configuration | Microsoft Graph Security API |
| Log Source Identifier | A unique identifier for the log source. The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server. If you configured multiple Microsoft Azure Security Center log sources, you might want to identify the first log source as MASC-1, the second log source as MASC-2, and the third log source as MASC-3. |
| Tenant ID | To find the Tenant ID parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > Overview, or select Azure Active Directory > App registration > Microsoft Graph Security App > Overview. |
| Client ID | To find the Client ID parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > App registration > Microsoft Graph Security App > Overview. |
| Client Secret | To find the Client Secret parameter value, log in to Microsoft Azure Security Center, and then select Azure Active Directory > App registration > Microsoft Graph Security App > Certificates and secrets > Client secrets. If there is no client secret, you can create one there. |
Microsoft Azure Security Center Sample Event Message
Use these sample event messages as a way of verifying a successful integration with JSA.
Due to formatting, paste the message formats into a text editor and then remove any carriage return or line feed characters.
Microsoft Azure Security Center sample message when you use the Microsoft Graph Security API protocol
{ "id": "1111d111-fa11-111a-11b1-c1e11c111a11", "azureTenantId": "00000001-0001-0001-0001-000000000001", "azureSubscriptionId": "", "riskScore": null, "tags": [], "activityGroupName": null, "assignedTo": "", "category": "Malicious_IP", "closedDateTime": null, "comments": [], "confidence": 0, "createdDateTime": "2020-01-11T14:36:57.2738949Z", "description": "Network traffic analysis indicates that your devices communicated with what might be a Command and Control center for a malware of type Dridex. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.", "detectionIds": [], "eventDateTime": "2020-01-09T11:02:01Z", "feedback": null, "lastModifiedDateTime": "2020-01-11T14:37:05.1157187Z", "recommendedActions": [ "1. Escalate the alert to your security administrator.", "2. Add the source IP address to your local FW block list for 24 hours. For more information, see Plan virtual networks (https://sub.domain.test/en-us/documentation/articles/virtual-networksnsg/).", "3. Make sure your devices are completely updated and have updated antimalware installed.", "4. Run a full anti-virus scan and verify that the threat was removed.", "5. Install and run Microsoft’s Malicious Software Removal Tool (https://www.domain.test/en-us/security/pc-security/malware-removal.aspx).", "6. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run when you sign in. For more information, see Autoruns for Windows (https://technet.domain.test/en-us/sysinternals/bb963902.aspx).", "7. Run Process Explorer and try to identify any unknown processes that are running. For more information, see Process Explorer (https://technet.domain.test/en-us/sysinternals/bb896653.aspx)." ], "severity": "high", "sourceMaterials": [], "status": "newAlert", "title": "Network communication with a malicious IP", "vendorInformation": { "provider": "Azure Security Center", "providerVersion": "3.0", "subProvider": null, "vendor": "Microsoft" }, "cloudAppStates": [], "fileStates": [], "hostStates": [ { "fqdn": "abc-TestName.AAA111.ondomain.test", "isAzureAdJoined": null, "isAzureAdRegistered": null, "isHybridAzureDomainJoined": false, "netBiosName": "abc-TestName", "os": "", "privateIpAddress": null, "publicIpAddress": "172.16.37.125", "riskScore": "0" } ], "historyStates": [], "malwareStates": [ { "category": "Trojan", "family": "Dridex", "name": "", "severity": "", "wasRunning": true } ], "networkConnections": [], "processes": [], "registryKeyStates": [], "triggers": [], "userStates": [ { "aadUserId": "", "accountName": "TestName", "domainName": "AAA111.ondomain.test", "emailRole": "unknown", "isVpn": null, "logonDateTime": null, "logonId": "0", "logonIp": null, "logonLocation": null, "logonType": null, "onPremisesSecurityIdentifier": "", "riskScore": "0", "userAccountType": null, "userPrincipalName": "TestName@AAA111.ondomain.test" } ], "vulnerabilityStates": []}
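The following is an added example, not part of this guide or of JSA, that applies the two checks described above to a Graph Security API alert: the provider filter ("ASC" or "Azure Security Center" in vendorInformation) and the removal of carriage return and line feed characters from a pasted sample. The alert embedded here is a constructed, trimmed copy of the sample message, and the choice of which payload keys feed the JSA fields (category, eventDateTime, userPrincipalName, publicIpAddress) is an assumption, because the mapping table on this page does not list them.

```python
import json
from typing import Optional

# Constructed, trimmed alert in the shape of the page's sample message (not a real alert).
SAMPLE_ALERT = json.dumps({
    "id": "1111d111-fa11-111a-11b1-c1e11c111a11",
    "category": "Malicious_IP",
    "createdDateTime": "2020-01-11T14:36:57.2738949Z",
    "eventDateTime": "2020-01-09T11:02:01Z",
    "severity": "high",
    "status": "newAlert",
    "title": "Network communication with a malicious IP",
    "vendorInformation": {"provider": "Azure Security Center",
                          "providerVersion": "3.0", "vendor": "Microsoft"},
    "hostStates": [{"netBiosName": "abc-TestName", "publicIpAddress": "172.16.37.125"}],
    "userStates": [{"accountName": "TestName",
                    "userPrincipalName": "TestName@AAA111.ondomain.test"}],
}, indent=2)  # indent=2 adds the line breaks a pasted sample would carry

# Provider values the guide says JSA accepts.
ACCEPTED_PROVIDERS = {"ASC", "Azure Security Center"}


def normalize_payload(text: str) -> str:
    """Strip the CR/LF characters a pasted sample picks up, as the guide instructs."""
    return text.replace("\r", "").replace("\n", "")


def is_security_center_alert(alert: dict) -> bool:
    """Apply the provider filter: only Azure Security Center events are supported."""
    provider = alert.get("vendorInformation", {}).get("provider")
    return provider in ACCEPTED_PROVIDERS


def summarize_alert(payload: str) -> Optional[dict]:
    """Parse one raw alert and pull the fields assumed to feed the JSA mapping table.

    Returns None when the provider is not Azure Security Center, mirroring JSA
    ignoring such events. Key choices below are assumptions, not JSA's mapping."""
    alert = json.loads(normalize_payload(payload))
    if not is_security_center_alert(alert):
        return None
    host = (alert.get("hostStates") or [{}])[0]
    user = (alert.get("userStates") or [{}])[0]
    return {
        "event_category": alert.get("category"),
        "logsource_time": alert.get("eventDateTime"),
        "severity": alert.get("severity"),
        "username": user.get("userPrincipalName"),
        "source_ip": host.get("publicIpAddress"),
        "provider": alert["vendorInformation"]["provider"],
    }
```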
| JSA field name | Highlighted payload field name |
|---|---|
| Event Category | |
| logsource time | |
| Username | |
| Source IP | |