Cyber Risk Aware's Azure-based Real Time Response Orchestration process consists of two main components: the Orchestrator and a supported network monitoring technology such as a SIEM.
The Orchestrator comes in two flavours, On-Premise and Cloud (Azure). For the purposes of this article, we will be discussing the cloud (Azure) installation.
The Orchestrator is effectively an API that provides integration between your SIEM and Cyber Risk Aware's Real Time functionality. The Orchestrator receives messages from your SIEM informing it of pre-configured events of interest, such as an employee downloading malicious software. The Orchestrator only requires the name of the alert that was triggered (an identifier) and an identifier for the user that performed the action. The Orchestrator will in turn integrate with your Azure AD and, using the user identifier as a lookup, will retrieve the information (typically the user's email) required by Cyber Risk Aware to respond to that user. Finally, the Orchestrator will create and enrich a message to be passed to Cyber Risk Aware's Real Time engine, informing it of the action taken by the offending user.
Supported SIEM / Network Monitoring Application
In order for a network monitoring application to communicate with the Orchestrator, it must make use of an appropriate web-hook exposed by the Orchestrator. Depending on the chosen technology, the integration with the web-hook will be different.
LogRhythm alarms can be created to trigger on specific criteria, such as a domain account being created or a removable storage device being detected. When this alarm triggers, the information must be passed to the Orchestrator. In order for LogRhythm to make use of the web-hook, it uses a feature called a Smart Response. The Smart Response allows us to define a PowerShell script that accepts a collection of parameters passed from the alarm instance. The PowerShell script will in turn pass this information to the Orchestrator. We will look at the Smart Response configuration a little further into the document.
Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution. Alarms created in Splunk can be configured to forward data to a web-hook when the alarm has been triggered. The web-hook should be configured to forward information to the Orchestrator. Configuring the web-hook in a Splunk alarm is discussed later in the document.
Currently, support for Splunk and LogRhythm is implemented and ready to use. Solutions for other technologies (such as Logpoint, MS Sentinel and DTEX Agents) are also available but may need some customisation from Cyber Risk Aware. These customisations or functionality extensions would typically have a turnaround time of 1-2 weeks and would require collaboration with the technical / network team on the organisation's side.
Creation of Application Registration in Azure AD
As mentioned above, the Azure Orchestrator needs to be able to request information about the offending users from Azure AD. It does this to retrieve the identifiers needed to communicate the Real Time Response to the user. In order to allow the Orchestrator to interact with Azure AD via the MS Graph API, an application registration must be created and configured to grant read access to users (read-only access is all the Orchestrator needs). The application registration can be set up as illustrated below:
After configuring the application registration, the next step is to update your Orchestrator configuration in the Cyber Risk Aware portal.
- Navigate to your Cyber Risk Aware portal.
- Select Real-Time Integrations from the side menu.
- Select Orchestrator Settings.
- Click the button Generate Orchestration Package (this will add a new Orchestrator configuration to the grid).
- In the grid, select the edit button next to the Orchestrator package that was generated.
In the form that is displayed, provide values for the attributes below:
Name: This is the label you wish to give the Orchestrator. This can be a useful identifier in a multi-orchestrator setup.
Tenant ID: This should be the name or ID of your Azure Tenant.
Application ID: This should be the value provided for your Application ID during the Application Registration in Azure (Above).
Application Secret: This should be the value provided for your Application Secret during the Application Registration in Azure (Above).
Event Grid endpoint: This is a pre-populated field containing the endpoint used by the Orchestrator to forward events to Cyber Risk Aware cloud platform.
Event Grid Shared Access Signature: This is a pre-populated field that is used to authenticate connections to the Event Grid endpoint.
AD Identifier: The value here defaults to mail. It should be the Azure AD attribute that holds the user's Cyber Risk Aware username.
To save the changes here, click Save.
This concludes the Orchestrator setup.
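To tie the flow described at the start of this article to the configuration fields above, here is an illustrative reconstruction of the Orchestrator's enrichment step. It is added example code, not the product's own implementation: the web-hook payload shape, the event type name and the `cfg` keys are assumptions, and HTTP transport is injected as a callable so the logic can be exercised offline.

```python
import uuid
from datetime import datetime, timezone
from urllib.parse import quote

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
USER_URL = "https://graph.microsoft.com/v1.0/users/{user}?$select={attr}"


def get_graph_token(http, cfg):
    """Client-credentials grant using the Tenant ID / Application ID /
    Application Secret fields of the Orchestrator configuration. The .default
    scope uses whatever read-only user permission the app registration was
    granted; nothing beyond read access to users is needed."""
    body = {"client_id": cfg["app_id"], "client_secret": cfg["app_secret"],
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials"}
    url = TOKEN_URL.format(tenant=cfg["tenant_id"])
    return http("POST", url, {}, body)["access_token"]


def lookup_user(http, token, user_id, ad_identifier="mail"):
    """Resolve the SIEM's user identifier to the AD attribute that holds the
    Cyber Risk Aware username (the 'AD Identifier' setting, default mail)."""
    url = USER_URL.format(user=quote(user_id), attr=ad_identifier)
    headers = {"Authorization": f"Bearer {token}"}
    value = http("GET", url, headers, None).get(ad_identifier)
    if not value:  # user exists but the configured attribute is empty
        raise LookupError(f"user {user_id!r} has no {ad_identifier!r} attribute")
    return value


def build_event(alert_name, username, source):
    """Event Grid event schema; eventType and data layout are assumptions."""
    return {"id": str(uuid.uuid4()),
            "eventType": "CyberRiskAware.RealTime.Alert",
            "subject": f"{source}/{alert_name}",
            "eventTime": datetime.now(timezone.utc).isoformat(),
            "dataVersion": "1.0",
            "data": {"alert": alert_name, "user": username, "source": source}}


def handle_alert(http, cfg, alert_name, user_id, source="LogRhythm"):
    """Web-hook handler: alert name + user identifier in, enriched event out."""
    token = get_graph_token(http, cfg)
    username = lookup_user(http, token, user_id, cfg.get("ad_identifier", "mail"))
    event = build_event(alert_name, username, source)
    # Event Grid authenticates a SAS via the aeg-sas-token header and takes a list
    headers = {"aeg-sas-token": cfg["eg_sas"], "Content-Type": "application/json"}
    http("POST", cfg["eg_endpoint"], headers, [event])
    return event
```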
The next step is to begin integration with your chosen SIEM / network monitoring application. There is a separate document for each application's integration setup.