Derdack SIGNL4 connector for Microsoft Sentinel

When critical systems fail or security incidents happen, SIGNL4 bridges the ‘last mile’ to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time.

Connector attributes

Connector attribute              Description
Log Analytics table(s)           SIGNL4_CL
Data collection rules support    Not currently supported
Supported by                     Derdack

Query samples

Get SIGNL4 alert and status information.

SecurityIncident
| where Labels contains "SIGNL4"

Vendor installation instructions

Note

This data connector is mainly configured on the SIGNL4 side. You can find a description video here: Integrate SIGNL4 with Microsoft Sentinel.

SIGNL4 Connector: The SIGNL4 connector for Microsoft Sentinel, Azure Security Center and other Azure Graph Security API providers provides seamless two-way integration with your Azure Security solutions. Once added to your SIGNL4 team, the connector reads security alerts from the Azure Graph Security API and fully automatically triggers alert notifications to your team members on duty. It also synchronizes the alert status from SIGNL4 back to the Graph Security API, so that when alerts are acknowledged or closed, this status is also updated on the corresponding Azure Graph Security API alert or the corresponding security provider. As mentioned, the connector mainly uses the Azure Graph Security API, but for some security providers, such as Microsoft Sentinel, it also uses the dedicated REST APIs of the corresponding Azure solutions.

Microsoft Sentinel Features

Microsoft Sentinel is a cloud-native SIEM solution from Microsoft and a security alert provider in the Azure Graph Security API. However, the level of alert detail available through the Graph Security API is limited for Microsoft Sentinel. The connector can therefore augment alerts with further details (insights rule search results) from the underlying Microsoft Sentinel Log Analytics workspace. To do that, the connector communicates with the Azure Log Analytics REST API and needs the corresponding permissions (see below). Furthermore, the app can also update the status of Microsoft Sentinel incidents when all related security alerts are, for example, in progress or resolved. To do that, the connector needs to be a member of the 'Microsoft Sentinel Contributors' group in your Azure Subscription.

Automated deployment in Azure

The credentials required to access the aforementioned APIs are generated by a small PowerShell script that you can download below. The script performs the following tasks for you:

  • Logs you on to your Azure Subscription (please login with an administrator account)
  • Creates a new enterprise application for this connector in your Microsoft Entra ID, also referred to as service principal
  • Creates a new role in your Azure IAM that grants read/query permission to only Azure Log Analytics workspaces.
  • Joins the enterprise application to that user role
  • Joins the enterprise application to the 'Microsoft Sentinel Contributors' role
  • Outputs some data that you need to configure the app (see below)

Deployment procedure

  1. Download the PowerShell deployment script from here.
  2. Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Microsoft Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Microsoft Entra ID.
  3. Run the script. At the end it outputs information that you need to enter in the connector app configuration.
  4. In Microsoft Entra ID, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details.
  5. On the left menu blade click 'API Permissions'. Then click 'Add a permission'.
  6. On the blade that loads, under 'Microsoft APIs' click on the 'Microsoft Graph' tile, then click 'App permission'.
  7. In the table that is displayed expand 'SecurityEvents' and check 'SecurityEvents.Read.All' and 'SecurityEvents.ReadWrite.All'.
  8. Click 'Add permissions'.
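Step 2 asks you to review the roles and permission scopes the script deploys. The following PowerShell check is an added example, not Derdack's deployment script: run it after step 3 to confirm that the 'SIGNL4AzureSecurity' service principal holds only the two roles described above and that the custom role is limited to Log Analytics read/query actions. It assumes the Az.Accounts and Az.Resources modules, an existing Connect-AzAccount session, and that the vendor's custom role uses the listed Microsoft.OperationalInsights actions or a subset of them.

```powershell
# Added example (not the vendor's script): audit the RBAC footprint of the
# service principal created by the SIGNL4 deployment script.
param(
    [string]$AppDisplayName = 'SIGNL4AzureSecurity',        # name used by the vendor script
    [string]$SubscriptionId = (Get-AzContext).Subscription.Id
)

# Assumption: a read/query-only Log Analytics role needs no more than these actions.
$allowedActions = @(
    'Microsoft.OperationalInsights/workspaces/read',
    'Microsoft.OperationalInsights/workspaces/query/read',
    'Microsoft.OperationalInsights/workspaces/query/*/read'
)

$spn = Get-AzADServicePrincipal -DisplayName $AppDisplayName
if (-not $spn) { throw "Service principal '$AppDisplayName' not found in this tenant." }

# The three non-secret values the connector configuration asks for.
Write-Host "Tenant ID      : $((Get-AzContext).Tenant.Id)"
Write-Host "Subscription ID: $SubscriptionId"
Write-Host "Client ID      : $($spn.AppId)"

$assignments = Get-AzRoleAssignment -ObjectId $spn.Id -Scope "/subscriptions/$SubscriptionId"
$builtinCount = 0
foreach ($a in $assignments) {
    $role = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    Write-Host "`nRole '$($role.Name)' (custom: $($role.IsCustom)) at scope $($a.Scope)"
    if (-not $role.IsCustom) { $builtinCount++; continue }

    # Flag any control-plane action outside Log Analytics read/query and any data action.
    $unexpected = @($role.Actions | Where-Object { $_ -notin $allowedActions }) + @($role.DataActions)
    if ($unexpected.Count -gt 0) {
        Write-Warning "Custom role grants more than Log Analytics read/query:"
        $unexpected | ForEach-Object { Write-Warning "  $_" }
    } else {
        Write-Host "  Actions limited to: $($role.Actions -join ', ')"
    }
}

# Besides the custom role, only the Sentinel contributor role is expected
# (the built-in role is named 'Microsoft Sentinel Contributor').
$sentinel = @($assignments | Where-Object { $_.RoleDefinitionName -like 'Microsoft Sentinel Contributor*' })
if ($builtinCount -ne 1 -or $sentinel.Count -ne 1) {
    Write-Warning "Expected exactly one built-in role (Microsoft Sentinel Contributor); review the assignments above."
}
```

The client secret is intentionally never printed; read it from the vendor script's output when you configure the connector app.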

Configuring the SIGNL4 connector app

Finally, enter the IDs that the script has output in the connector configuration:

  • Azure Tenant ID
  • Azure Subscription ID
  • Client ID (of the enterprise application)
  • Client Secret (of the enterprise application)

Once the app is enabled, it will start reading your Azure Graph Security API alerts.

NOTE: It will initially only read the alerts that have occurred within the last 24 hours.

Next steps

For more information, go to the related solution in the Azure Marketplace.