Tenable Identity Exposure connector for Microsoft Sentinel
Article
The Tenable Identity Exposure connector allows Indicators of Exposure, Indicators of Attack and trailflow logs to be ingested into Microsoft Sentinel. The different workbooks and data parsers allow you to more easily manipulate logs and monitor your Active Directory environment. The analytic templates allow you to automate responses regarding different events, exposures, and attacks.
This is autogenerated content. For changes, contact the solution provider.
Get the number of alerts triggered by each IoE
```kusto
afad_parser
| where MessageType == 0
| summarize AlertCount = count() by Codename
```
Get all IoE alerts with severity superior to the threshold
```kusto
let threshold = 2;
let SeverityTable=datatable(Severity:string,Level:int) [
"low", 1,
"medium", 2,
"high", 3,
"critical", 4
];
afad_parser
| where MessageType == 0
| lookup kind=leftouter SeverityTable on Severity
| where Level >= ['threshold']
```
Get all IoE alerts for the last 24 hours
```kusto
afad_parser
| where MessageType == 0 and TimeGenerated > ago(1d)
```
Get all IoE alerts for the last 7 days
```kusto
afad_parser
| where MessageType == 0 and TimeGenerated > ago(7d)
```
Get all IoE alerts for the last 30 days
```kusto
afad_parser
| where MessageType == 0 and TimeGenerated > ago(30d)
```
Get all trailflow changes for the last 24 hours
```kusto
afad_parser
| where MessageType == 1 and TimeGenerated > ago(1d)
```
Get all trailflow changes for the last 7 days
```kusto
afad_parser
| where MessageType == 1 and TimeGenerated > ago(7d)
```
Get the number of alerts triggered by each IoA
```kusto
afad_parser
| where MessageType == 2
| summarize AlertCount = count() by Codename
```
Get all IoA alerts for the last 30 days
```kusto
afad_parser
| where MessageType == 2 and TimeGenerated > ago(30d)
```
Prerequisites
To integrate with Tenable Identity Exposure make sure you have:
Access to TenableIE Configuration: Permissions to configure syslog alerting engine
Vendor installation instructions
This data connector depends on the afad_parser Kusto function, which is deployed with the Microsoft Sentinel solution, to work as expected.
Configure the Syslog server
You will first need a Linux Syslog server that TenableIE will send logs to. Typically you can run rsyslog on Ubuntu. You can then configure this server as you wish, but it is recommended to write the TenableIE logs to a separate file.
Configure rsyslog to accept logs from your TenableIE IP address.
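An rsyslog configuration that does this, added here as an example and not taken from the Tenable or Microsoft documentation. It assumes the Quickstart listeners (UDP 514 and TCP 1514, no TLS) and uses 192.0.2.10 as a placeholder for the TenableIE address:

```rsyslog
# Added example: receive TenableIE syslog on the Quickstart ports and keep it in its own file.
# 192.0.2.10 is a placeholder; replace it with the address of your TenableIE instance.

module(load="imudp")
input(type="imudp" port="514" ruleset="tenableie")

module(load="imtcp")
input(type="imtcp" port="1514" ruleset="tenableie")

# Only messages from the TenableIE host are written to the file the Sentinel agent
# reads; anything else arriving on these listeners is discarded so unrelated sources
# cannot pollute the Tenable_IE_CL table. These listeners are plaintext (no TLS),
# matching the Quickstart defaults, so the source-IP check is a weak filter on UDP.
ruleset(name="tenableie") {
    if $fromhost-ip == "192.0.2.10" then {
        action(type="omfile" file="/var/log/TenableIE.log")
    }
    stop
}
```

Save it as a file under /etc/rsyslog.d/ and restart rsyslog; the file path used here must match the one you later enter in the custom log configuration in Microsoft Sentinel.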
Configure TenableIE to send logs to your Syslog server
On your TenableIE portal, go to System, Configuration and then Syslog.
From there you can create a new Syslog alert toward your Syslog server.
Once this is done, check that the logs are correctly gathered on your server in a separate file (to do this, you can use the Test the configuration button in the Syslog alert configuration in TenableIE).
If you used the Quickstart template, the Syslog server will by default listen on port 514 in UDP and 1514 in TCP, without TLS.
Configure the custom logs
Configure the agent to collect the logs.
In Microsoft Sentinel, go to Configuration -> Settings -> Workspace settings -> Custom logs.
Click Add custom log.
Upload a sample TenableIE.log Syslog file from the Linux machine running the Syslog server and click Next.
Set the record delimiter to New Line if not already the case and click Next.
Select Linux and enter the file path to the Syslog file, click + then Next. The default location of the file is /var/log/TenableIE.log. If you have a Tenable version <3.1.0, you must also add this Linux file location: /var/log/AlsidForAD.log.
Set the Name to Tenable_IE_CL (Azure automatically adds _CL at the end of the name; there must be only one, so make sure the name is not Tenable_IE_CL_CL).
Click Next, you will see a summary, then click Create.
Enjoy!
You should now be able to receive logs in the Tenable_IE_CL table. The log data can be parsed using the afad_parser() function, which is used by all query samples, workbooks, and analytic templates.
Next steps
For more information, go to the related solution in the Azure Marketplace.