NC Protect connector for Microsoft Sentinel
The NC Protect Data Connector (archtis.com) ingests NC Protect user activity logs and events into Microsoft Sentinel. Once connected, those logs are queryable in the workspace, which improves monitoring and investigation of what users do with protected content.
This is autogenerated content. For changes, contact the solution provider.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | NCProtectUAL_CL |
| Data collection rules support | Not currently supported |
| Supported by | archTIS |
Query samples
Get last 7 days records
NCProtectUAL_CL
| where TimeGenerated > ago(7d)
| order by TimeGenerated desc
More than 3 login failures by one user within the last hour
// Count over the whole 1h lookback instead of bin(TimeGenerated, 1h): cutting a
// 1h window into clock-hour buckets splits one user's failures across two rows
// and can hide a burst that straddles the hour boundary. Type_s is constant after
// the filter, and grouping by JSONExtra_s would split the count whenever that
// field differs between events, so neither is part of the grouping key.
NCProtectUAL_CL
| where TimeGenerated > ago(1h) and Type_s == 'LoginFailure'
| summarize FailedRequestCount = count(), FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated) by UserDisplayName_s, UserEmail_s, UserLoginName_s
| where FailedRequestCount > 3
More than 3 failed document opens (downloads) of one document by one user within the last hour
// Same shape as the login query: count over the whole lookback rather than per
// clock-hour bucket, keyed by user and document so one user hammering one file
// shows up as a single row with the full count.
NCProtectUAL_CL
| where TimeGenerated > ago(1h) and Type_s == 'Open' and Status_s == 'Fail'
| summarize FailedRequestCount = count(), FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated) by UserDisplayName_s, UserEmail_s, UserLoginName_s, DocumentUrl_s
| where FailedRequestCount > 3
Get rule created, modified or deleted records in the last 7 days
NCProtectUAL_CL
| where TimeGenerated > ago(7d) and Type_s in ('Create', 'Modify', 'Delete') and isnotempty(RuleName_s)
| order by TimeGenerated desc
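The two threshold queries above count failures per user within an hour. As an added example (not code from this page, from archTIS or from the connector), the following Python script applies the same two rules to constructed NCProtectUAL_CL-style rows and contrasts counting inside fixed clock-hour buckets, which is what `bin(TimeGenerated, 1h)` does, with a sliding 60-minute window. Only the column names (`TimeGenerated`, `UserLoginName_s`, `Type_s`, `Status_s`, `DocumentUrl_s`) and the values `LoginFailure`, `Open` and `Fail` come from the page; the users, timestamps and document URL are made up, and the function names are the example's own.

```python
"""Added example: evaluate the "more than 3 failures in an hour per user" rules
over constructed NC Protect-style rows, comparing fixed clock-hour buckets
(bin(TimeGenerated, 1h) semantics) with a sliding 60-minute window."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List


def row(ts: str, user: str, type_: str, status: str = "Fail", url: str = "") -> dict:
    """Build one constructed row using the column names the connector documents."""
    return {"TimeGenerated": ts, "UserLoginName_s": user, "Type_s": type_,
            "Status_s": status, "DocumentUrl_s": url}


DOC = "https://contoso.example/sites/hr/Salaries.xlsx"  # constructed URL

# Constructed sample data: users, times and the document are made up, not real telemetry.
SAMPLE_EVENTS = [
    # alice: four login failures in 35 minutes that straddle the 10:00 clock boundary
    row("2024-05-01T09:40:00Z", "alice@contoso.example", "LoginFailure"),
    row("2024-05-01T09:50:00Z", "alice@contoso.example", "LoginFailure"),
    row("2024-05-01T10:05:00Z", "alice@contoso.example", "LoginFailure"),
    row("2024-05-01T10:15:00Z", "alice@contoso.example", "LoginFailure"),
    # bob: one failure per hour, never more than three inside any 60-minute window
    row("2024-05-01T08:10:00Z", "bob@contoso.example", "LoginFailure"),
    row("2024-05-01T09:10:00Z", "bob@contoso.example", "LoginFailure"),
    row("2024-05-01T10:10:00Z", "bob@contoso.example", "LoginFailure"),
    row("2024-05-01T11:10:00Z", "bob@contoso.example", "LoginFailure"),
    # carol: four failures inside one clock hour, caught by either counting method
    row("2024-05-01T10:01:00Z", "carol@contoso.example", "LoginFailure"),
    row("2024-05-01T10:02:00Z", "carol@contoso.example", "LoginFailure"),
    row("2024-05-01T10:03:00Z", "carol@contoso.example", "LoginFailure"),
    row("2024-05-01T10:04:00Z", "carol@contoso.example", "LoginFailure"),
    # dave: four failed opens of the same document plus a single login failure
    row("2024-05-01T11:00:00Z", "dave@contoso.example", "Open", url=DOC),
    row("2024-05-01T11:10:00Z", "dave@contoso.example", "Open", url=DOC),
    row("2024-05-01T11:20:00Z", "dave@contoso.example", "Open", url=DOC),
    row("2024-05-01T11:30:00Z", "dave@contoso.example", "Open", url=DOC),
    row("2024-05-01T11:05:00Z", "dave@contoso.example", "LoginFailure"),
]

Selector = Callable[[dict], bool]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the sample rows as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_login_failure(r: dict) -> bool:          # Type_s == 'LoginFailure'
    return r["Type_s"] == "LoginFailure"


def is_open_failure(r: dict) -> bool:           # Type_s == 'Open' and Status_s == 'Fail'
    return r["Type_s"] == "Open" and r["Status_s"] == "Fail"


def _times_by_user(rows: List[dict], selector: Selector) -> Dict[str, List[datetime]]:
    """Sorted event times per UserLoginName_s for the rows the selector keeps."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for r in rows:
        if selector(r):
            per_user[r["UserLoginName_s"]].append(parse_time(r["TimeGenerated"]))
    return {user: sorted(ts) for user, ts in per_user.items()}


def max_fixed_bucket_count(rows: List[dict], selector: Selector,
                           bucket: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Largest per-user count inside any single fixed bucket (bin() semantics)."""
    size = int(bucket.total_seconds())
    result: Dict[str, int] = {}
    for user, times in _times_by_user(rows, selector).items():
        counts: Dict[int, int] = defaultdict(int)
        for t in times:
            counts[int(t.timestamp()) // size] += 1
        result[user] = max(counts.values())
    return result


def sliding_window_offenders(rows: List[dict], selector: Selector,
                             window: timedelta = timedelta(hours=1),
                             threshold: int = 3) -> Dict[str, dict]:
    """Users with more than `threshold` selected events inside any span of length `window`."""
    offenders: Dict[str, dict] = {}
    for user, times in _times_by_user(rows, selector).items():
        left, best = 0, (0, None, None)
        for right, t in enumerate(times):
            while t - times[left] > window:    # shrink the window from the left
                left += 1
            count = right - left + 1
            if count > best[0]:
                best = (count, times[left], t)
        if best[0] > threshold:
            offenders[user] = {"count": best[0], "window_start": best[1], "window_end": best[2]}
    return offenders


if __name__ == "__main__":
    for name, selector in (("login failures", is_login_failure), ("failed opens", is_open_failure)):
        print(f"{name}: max per fixed clock-hour bucket = {max_fixed_bucket_count(SAMPLE_EVENTS, selector)}")
        for user, hit in sliding_window_offenders(SAMPLE_EVENTS, selector).items():
            print(f"  ALERT {user}: {hit['count']} {name} between "
                  f"{hit['window_start']:%H:%M} and {hit['window_end']:%H:%M} UTC")
```

Running it shows alice's four failures counted as 2 + 2 by fixed buckets (not flagged) but as 4 by the sliding window (flagged), carol flagged both ways, and bob never flagged. The same effect applies in Sentinel: a `bin(TimeGenerated, 1h)` over a one-hour lookback can cut a single burst in two, so either count over the whole lookback window or schedule the rule with a lookback longer than the bin size.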
Prerequisites
To integrate with NC Protect, make sure you have:
- NC Protect: a running instance of NC Protect for O365. Contact archTIS if you do not have one.
Vendor installation instructions
- Install NC Protect into your Azure tenant
- Log in to the NC Protect Administration site
- From the left-hand navigation menu, select General -> User Activity Monitoring
- Tick the Enable SIEM checkbox and click the Configure button
- Select Microsoft Sentinel as the Application and complete the configuration with the workspace details shown on this connector's page in Microsoft Sentinel (the Log Analytics workspace ID and key)
- Click Save to activate the connection
Next steps
For more information, go to the related solution in the Azure Marketplace.