Interpres Application - Microsoft Sentinel

Type: SIEM/Data Lake
Vendor: Microsoft
This app integrates with Microsoft Sentinel to get Detections, Alerts, and Telemetry
Vendor setup
Login to https://portal.azure.com﻿
Search for App registrations
﻿
Click + New registration
﻿
Enter "Interpres" for the app name. Leave the other defaults (Single-tenant, no Redirect URI). Click "Register".
﻿
Copy the application (client) ID and the Directory (tenant) ID over to the Interpres integration setup page
﻿
Click API permissions then Add a permission
﻿
Click APIs my organization uses then search Log Analytics and select Log Analytics API
﻿
Select Application Permissions then Data.Read and Add permission
﻿
Click Grant admin consent for YOUR_TENANT
﻿
Click Certificates & Secrets then New client secret
﻿
Enter "Interpres" for the description and choose "12 months".
﻿
Copy the client secret "Value" over to the Interpres integration setup.
Go to your Microsoft Sentinel workspace, click Settings then click Workspace settings
﻿
Copy the Subscription ID, Resource Group, and Workspace Name to the Interpres integration setup.
﻿
Click Access control (IAM) then Role assignments and click Add
﻿
Click Role assignment then select Reader and click Next
﻿
Select User, group, or service principal then click Select members
﻿
Choose the app you created in step 4, click Select , then Next, and finally Review + assign
App Configuration
App Parameters:
Tenant ID: Tenant ID
Client ID: Client ID
Client Secret: Client Secret
Subscription ID: Subscription ID
Resource Group Name: Resource Group Name
Workspace Name: Workspace Name
App Validation
Check there is connectivity (green light) in the integration created.
Implemented Actions
Get Available Telemetry: Returns a list of telemetry identifiers with their current status. It reads MS Sentinel tables by querying LogAnalytics using the following query:
Text
search '*' |  where TimeGenerated > ago(6h) | summarize count(), last_available=max(TimeGenerated) by $table, ActionType, Operation, OperationName | sort by count_ desc
search '*' |  where TimeGenerated > ago(6h) | summarize count(), last_available=max(TimeGenerated) by $table, ActionType, Operation, OperationName | sort by count_ desc
﻿
If CommonSecurityLog is found this query will also be excecuted to get Vendor/Product
Text
CommonSecurityLog | where TimeGenerated > ago({AVAILABLE_TELEMETRY_SEARCH_WINDOW_HOURS}h) | summarize count(), last_available=max(TimeGenerated) by DeviceVendor, DeviceProduct
CommonSecurityLog | where TimeGenerated > ago({AVAILABLE_TELEMETRY_SEARCH_WINDOW_HOURS}h) | summarize count(), last_available=max(TimeGenerated) by DeviceVendor, DeviceProduct
﻿
Get Detections: Returns a list of detections (MS Sentinel Rules). When you create detection rules in Sentinel you can map them to MITRE techniques, Interpres will read those mappings when pulling the alerts. See Sentinel docs on how to map techniques to rules: https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#analytics-rule-wizardgeneral-tab﻿
Get Alerts: Gets the latest alerts (MS Sentinel incidents)
﻿
Did this page help you?
Interpres Application - Microsoft Graph
Interpres Application - Nessus Professional