Integration Steps - Azure
Creating the app and collecting the Client ID, Tenant ID, Client Secret and Workspace ID
Register an application in the Azure portal by clicking App registrations --> New registration.
Name the app as you prefer, select the settings as shown below, and click Register.
Now go to the application's page and gather the application credentials: the Application (client) ID and the Directory (tenant) ID. Store them somewhere you can refer to them later.
After copying the Client ID and Tenant ID, click Add a certificate or secret.
Once you are redirected to the page shown below:
Click the Client secrets tab.
Then click New client secret.
In the slide-in modal, add a secret name.
Set the expiry to 24 months (or as per your organization's policies).
Click Save.
Remember to update the secret value in the Right-Hand portal when it nears expiry; an expired secret stops the integration from authenticating.
Capture the secret value and store it somewhere you can refer to it later. Azure shows the value only once, immediately after creation.
Now, in the Azure portal search bar, search for "Sentinel".
Click the Sentinel instance from which you want to ingest the logs.
On the Sentinel page, follow the steps as indicated:
Go to Configuration
Click Settings
Click Workspace settings
On the workspace settings page, copy the Workspace ID.
Assigning the role to the created app
Go to Azure portal --> Subscriptions.
Select the Azure subscription that holds the MS Sentinel instance from which you want to get logs into Right-Hand HRM. A role assigned at subscription scope applies to every Sentinel workspace in that subscription.
Click Access control (IAM), then Add role assignment.
Search for the role "Microsoft Sentinel Contributor", select it by clicking it, then click the Members tab.
In the Members tab:
Click "Select members".
In the right fly-in modal, search for the app created for MS Sentinel.
Click the app.
Click Select at the bottom of the modal.
Now click "Review and assign".
Integration Steps - Right-Hand Cyberready Portal
Go to Human Risk Management --> Settings.
Click the MS Sentinel Configure button.
Add the following details in the respective fields:
Client ID
Client Secret
Workspace ID
Tenant ID
Click Save and Authorize.
Completing the above steps finishes the integration, and data can be expected to flow into RH HRM. You can now go to the detection rules, review the ones of interest to you, and enable them for nudges or targeting as you prefer.
Data takes time to flow from the security tools to MS Sentinel and on to the Right-Hand portal because of the inherent delays in those products. Alerts may take up to an hour to appear in the Human Risk Management portal.
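The four values entered above are exactly what an OAuth2 client-credentials flow against Azure needs, so a practitioner can check them end to end before relying on the portal. The following is an added example, not Right-Hand's or Microsoft's own code: it verifies that the three IDs are GUIDs (a Client Secret is not, so a mix-up is caught before Save), requests a token for the registered app from the Microsoft identity platform, and queries the workspace's SecurityAlert table through the public Log Analytics Query API. That Right-Hand's backend reads alerts this way is an assumption; the endpoints, scope and response layout are the documented public ones. The environment variable names are chosen here for illustration.

```python
import json
import re
import urllib.parse
import urllib.request

# 8-4-4-4-12 hex GUID: the shape of the Application (client) ID, Directory (tenant) ID and Workspace ID
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def check_ids(client_id, tenant_id, workspace_id):
    """Return the names of fields whose value is not a GUID, so a pasted
    secret or a truncated ID is noticed before the configuration is saved."""
    fields = {"Client ID": client_id, "Tenant ID": tenant_id, "Workspace ID": workspace_id}
    return [name for name, value in fields.items() if not GUID_RE.match(value.strip())]


def token_request(tenant_id, client_id, client_secret):
    """URL and form body of the v2.0 client-credentials grant. The .default scope
    of the Log Analytics API covers the workspace query call below."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.loganalytics.io/.default",
    }
    return url, form


def alert_query(titles, lookback="1h"):
    """KQL over SecurityAlert limited to the alert titles of interest. Titles are
    emitted as KQL string literals; the default lookback matches the up-to-an-hour
    delay described above."""
    quoted = ", ".join('"' + t.replace('"', '\\"') + '"' for t in titles)
    return ("SecurityAlert"
            f" | where TimeGenerated > ago({lookback})"
            f" | where AlertName in ({quoted})"
            " | project TimeGenerated, ProviderName, AlertName, CompromisedEntity")


def query_request(workspace_id, access_token, kql):
    """URL, headers and JSON body for the Log Analytics Query API."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    return url, headers, json.dumps({"query": kql}).encode()


def rows_to_dicts(result):
    """Flatten the API's {tables: [{columns, rows}]} response into one dict per row."""
    table = result["tables"][0]
    cols = [c["name"] for c in table["columns"]]
    return [dict(zip(cols, row)) for row in table["rows"]]


def fetch_alerts(tenant_id, client_id, client_secret, workspace_id, titles, lookback="1h"):
    """Network path: obtain a token, run the query, return rows as dicts."""
    url, form = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    url, headers, body = query_request(workspace_id, token, alert_query(titles, lookback))
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers)) as resp:
        return rows_to_dicts(json.load(resp))


if __name__ == "__main__":
    import os
    # Environment variable names are this example's own choice; never hard-code the secret.
    cfg = {k: os.environ.get(k, "") for k in
           ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "SENTINEL_WORKSPACE_ID")}
    bad = check_ids(cfg["AZ_CLIENT_ID"], cfg["AZ_TENANT_ID"], cfg["SENTINEL_WORKSPACE_ID"])
    if bad or not cfg["AZ_CLIENT_SECRET"]:
        raise SystemExit(f"missing or malformed: {bad or ['AZ_CLIENT_SECRET']}")
    rows = fetch_alerts(cfg["AZ_TENANT_ID"], cfg["AZ_CLIENT_ID"], cfg["AZ_CLIENT_SECRET"],
                        cfg["SENTINEL_WORKSPACE_ID"], ["Malware detection", "Ransomware activity"])
    for row in rows:
        print(row["TimeGenerated"], row["ProviderName"], row["AlertName"], row["CompromisedEntity"])
```

If the token call returns an error, the app registration or secret is wrong; if the token works but the query returns 403, the role assignment from the previous section has not taken effect on that workspace yet.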
Events Supported by MS Sentinel Integration
MS Defender for Office 365
Employee clicked a potentially malicious URL (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: A potentially malicious URL click was detected
Employee clicked a potentially malicious URL and overrode the Safe Links warning (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: A user clicked through to a potentially malicious URL
An email with a malicious file was directed to the employee (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages containing malicious file removed after delivery
A malicious email campaign was directed at the workforce (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages from a campaign removed after delivery
Scam, BEC or spear-phishing attack directed at the employee (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email messages removed after delivery
Employee reported an email as phish or malware (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email reported by user as malware or phish
Account Compromise: Employee sent bulk outbound emails (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Email sending limit exceeded
Account Compromise: Employee used MS Forms to phish others (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Form blocked due to potential phishing attempt
A malicious attack directed at employees via MS Forms (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Form flagged and confirmed as phishing
Campaign with emails containing malware directed at employees (O365)
This event is considered by Right-Hand when either of the following conditions is met in the received alert:
title: Malware campaign detected after delivery
OR
title: Malware campaign detected and blocked
Account Compromise: Potential nation-state attack directed at employee (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Potential nation-state activity
Account Compromise: Suspicious email forwarding rules created by employee (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious email forwarding activity
Account Compromise: Suspicious emails forwarded by employee (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious email sending patterns detected
Account Compromise: Employee restricted from sending emails due to suspicious activity (O365)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: User restricted from sending email
MS Defender for CloudApps
Malware detected in employee's cloud storage (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Malware detection
Ransomware activity detected in relation to employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Ransomware activity
Employee account might be compromised due to a command-and-control (C2) or password-spray attack (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Activity from suspicious IP addresses
Employee might be accessing their system via a proxy (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Activity from anonymous IP addresses
Suspicious email forwarding rules were created in employee's email account (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious inbox forwarding
Suspicious email manipulation rules were created in employee's email account (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious inbox manipulation rules
Suspicious downloads from connected apps used by employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Suspicious OAuth app file download activities
Unusual multiple file download activities detected from an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple file download activities
Unusual file share activities detected from an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file share activities
Account Compromise: Unusual file deletions done by employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file deletion activities
Account Compromise: Unusual impersonation activities detected in relation to an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual impersonated activities
Account Compromise: Unusual Power BI report sharing done by an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual Power BI report sharing activities
Account Compromise: Unusual multiple VM creation activities (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple VM creation activities
Account Compromise: Unusual multiple storage deletion activities (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual multiple storage deletion activities
Account Compromise: Unusual region for cloud resource (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: User restricted from sending email
Account Compromise: Suspicious file access detected (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Unusual file access
Brute-force attack detected in relation to an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Multiple failed login attempts
Employee potentially shared data to or with unsanctioned apps (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Data exfiltration to unsanctioned apps
Employee shared a file externally that has a sensitive file extension (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Sensitive file extension
Unused files made publicly available by an employee (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Stale externally shared files
Employee shared source code to an external domain (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Externally shared source code
Access to an S3 bucket made public (CloudApps)
This event is considered by Right-Hand when the following condition is met in the received alert:
title: Publicly accessible S3 buckets (AWS)
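The lists above are a title-matching table: an alert is turned into a Right-Hand event only when its title equals one of the strings given, and one event (the malware campaign) accepts either of two titles. As an added example, not Right-Hand's own code, here is that mapping transcribed for both products and applied to SecurityAlert rows. It keys on product as well as title, because the page lists "User restricted from sending email" under both products, and it reports how old each alert already is when it is seen, which is the lag the note about up-to-an-hour delays refers to. The ProviderName values "OATP" and "MCAS" used to tell the two products apart are an assumption about the SecurityAlert rows, and the sample rows are constructed, not real alerts.

```python
import re
from datetime import datetime, timezone

O365 = "MS Defender for Office 365"
MDCA = "MS Defender for CloudApps"

# Assumed ProviderName values for the two products in SecurityAlert rows (not from the page)
PROVIDER_TO_PRODUCT = {"OATP": O365, "MCAS": MDCA}

# Alert title -> Right-Hand event, transcribed from the list above and keyed per product
EVENTS = {
    O365: {
        "A potentially malicious URL click was detected": "Employee clicked a potentially malicious URL",
        "A user clicked through to a potentially malicious URL": "Employee clicked a potentially malicious URL and overrode the Safe Links warning",
        "Email messages containing malicious file removed after delivery": "An email with a malicious file was directed to the employee",
        "Email messages from a campaign removed after delivery": "A malicious email campaign was directed at the workforce",
        "Email messages removed after delivery": "Scam, BEC or spear-phishing attack directed at the employee",
        "Email reported by user as malware or phish": "Employee reported an email as phish or malware",
        "Email sending limit exceeded": "Account Compromise: Employee sent bulk outbound emails",
        "Form blocked due to potential phishing attempt": "Account Compromise: Employee used MS Forms to phish others",
        "Form flagged and confirmed as phishing": "A malicious attack directed at employees via MS Forms",
        "Malware campaign detected after delivery": "Campaign with emails containing malware directed at employees",
        "Malware campaign detected and blocked": "Campaign with emails containing malware directed at employees",
        "Potential nation-state activity": "Account Compromise: Potential nation-state attack directed at employee",
        "Suspicious email forwarding activity": "Account Compromise: Suspicious email forwarding rules created by employee",
        "Suspicious email sending patterns detected": "Account Compromise: Suspicious emails forwarded by employee",
        "User restricted from sending email": "Account Compromise: Employee restricted from sending emails due to suspicious activity",
    },
    MDCA: {
        "Malware detection": "Malware detected in employee's cloud storage",
        "Ransomware activity": "Ransomware activity detected in relation to employee",
        "Activity from suspicious IP addresses": "Employee account might be compromised due to a C2 or password-spray attack",
        "Activity from anonymous IP addresses": "Employee might be accessing their system via a proxy",
        "Suspicious inbox forwarding": "Suspicious email forwarding rules were created in employee's email account",
        "Suspicious inbox manipulation rules": "Suspicious email manipulation rules were created in employee's email account",
        "Suspicious OAuth app file download activities": "Suspicious downloads from connected apps used by employee",
        "Unusual multiple file download activities": "Unusual multiple file download activities detected from an employee",
        "Unusual file share activities": "Unusual file share activities detected from an employee",
        "Unusual file deletion activities": "Account Compromise: Unusual file deletions done by employee",
        "Unusual impersonated activities": "Account Compromise: Unusual impersonation activities detected in relation to an employee",
        "Unusual Power BI report sharing activities": "Account Compromise: Unusual Power BI report sharing done by an employee",
        "Unusual multiple VM creation activities": "Account Compromise: Unusual multiple VM creation activities",
        "Unusual multiple storage deletion activities": "Account Compromise: Unusual multiple storage deletion activities",
        "User restricted from sending email": "Account Compromise: Unusual region for cloud resource",  # title as listed on the page
        "Unusual file access": "Account Compromise: Suspicious file access detected",
        "Multiple failed login attempts": "Brute-force attack detected in relation to an employee",
        "Data exfiltration to unsanctioned apps": "Employee potentially shared data to or with unsanctioned apps",
        "Sensitive file extension": "Employee shared a file externally that has a sensitive file extension",
        "Stale externally shared files": "Unused files made publicly available by an employee",
        "Externally shared source code": "Employee shared source code to an external domain",
        "Publicly accessible S3 buckets (AWS)": "Access to an S3 bucket made public",
    },
}


def parse_utc(ts):
    """Parse SecurityAlert timestamps: trailing 'Z' means UTC, and Log Analytics
    emits up to seven fractional digits, which fromisoformat does not accept."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts.replace("Z", "+00:00"))
    return datetime.fromisoformat(ts)


def normalise(row, now=None):
    """Map one SecurityAlert row to (product, Right-Hand event, lag in minutes),
    or None when the provider or the title is not one the integration acts on."""
    product = PROVIDER_TO_PRODUCT.get(row.get("ProviderName", ""))
    if product is None:
        return None
    event = EVENTS[product].get(row.get("AlertName", "").strip())
    if event is None:
        return None
    now = now or datetime.now(timezone.utc)
    lag = round((now - parse_utc(row["TimeGenerated"])).total_seconds() / 60)
    return product, event, lag


# Constructed sample rows (not real alerts) in the SecurityAlert column layout
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-03-01T09:05:00Z", "ProviderName": "OATP",
     "AlertName": "Email reported by user as malware or phish", "CompromisedEntity": "alice@example.com"},
    {"TimeGenerated": "2024-03-01T08:20:00.1234567Z", "ProviderName": "MCAS",
     "AlertName": "Suspicious inbox forwarding", "CompromisedEntity": "bob@example.com"},
    {"TimeGenerated": "2024-03-01T09:40:00Z", "ProviderName": "MDATP",
     "AlertName": "Endpoint alert not in the table", "CompromisedEntity": "host01"},
]

if __name__ == "__main__":
    now = parse_utc("2024-03-01T10:00:00Z")
    for row in SAMPLE_ROWS:
        res = normalise(row, now)
        print(row["CompromisedEntity"], "->", res if res else "ignored (not an integration event)")
```

Rows whose provider or title is not in the table are dropped rather than guessed at, which is the behaviour the "conditions are met" wording above implies; the lag value is what to look at first when an alert visible in Sentinel has not yet surfaced in the portal.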