Overview
The Microsoft Azure Security Center (ASC) plugin adds the ability to list alerts, get an alert’s details, and update an alert’s status.
Functionality
The Security Flow Azure Security Center plugin provides the ability to
- retrieve filtered alerts periodically or when manually triggered
- retrieve all information for a specific alert
- update the status for a specific alert
Instance Configuration Parameters
Name for the Azure Security Center instance.
A system-wide unique identifier for this plugin instance used to locate the service.
The authentication mechanism to use for accessing the Azure Security Center. Currently, Azure AD v1.0 Authorization Token using Secret is the only supported mechanism.
The Azure AD Tenant (Directory) ID hosting the application.
The Application ID (service principal) used with the Azure AD v1.0 Authorization Token using Secret authentication mechanism. Within Microsoft Azure, the application must be added to the Subscription with a role capable of performing those actions, such as Owner.
The client secret of the application used with the Azure AD v1.0 Authorization Token using Secret authentication mechanism.
Flow Nodes
This node provides access to retrieve alerts and update the status of alerts using the Azure Security Center (ASC) REST API.
To be able to perform the ASC REST API calls, an application (service principal) within Azure AD must be delegated the user_impersonation scope from within the Azure Service Management. Within the Microsoft Azure Portal, the application must be added to the Subscription with a role capable of performing those actions, such as Owner. For more details, read through the Register an application with Azure AD and create a service principal page.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Configuration option determining the type of operation to perform:
- Get Alert: Retrieves the details of an alert using the supplied Alert Name, which is a unique ID number.
- Update Alert Status: Updates the status of an alert specified by Alert Name. Possible alert status values are: Active, Dismissed, or Resolved.
Successful results for an action are placed in msg.payload.asc.[uniqueId].response.
Azure Subscription ID, in UUID format, obtained from the Microsoft Azure portal (https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
If Standard Subscription ID Location is selected, the subscription ID is obtained from the response object within subscriptionId. The Standard Subscription ID Location is set by the NL-ASC-Alert-Query node.
The resource group for the alert. This may be left as Not Specified to be ignored.
The location for the alert. This may be left as Not Specified to be ignored when performing an action of Get Alert. If left as Not Specified when performing an action of Update Alert Status, this will be set to centralus.
The identifier for the alert being retrieved or whose status is being updated. If Standard Alert Location is selected, the alert name is obtained from the response object within alert.name. The Standard Alert Location is set by the NL-ASC-Alert-Query node.
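As an added example (not the plugin's own code), the following shows how a function node could resolve the parameters described above before an action runs: the subscription ID and alert name come either from the node configuration or from the previous NL-ASC-Alert-Query node's response at msg.payload.asc.[uniqueId].response, the Not Specified and centralus rules are applied, and the new status is checked against the three documented values. The configuration field names, the sentinel strings and the helper names are assumptions.

```javascript
// Added example, not the plugin's own code: resolve the inputs the Alert Action
// node needs from its configuration and from the previous NL-ASC-Alert-Query
// node's response. Config field names and helper names are assumptions.

const VALID_STATUSES = new Set(["Active", "Dismissed", "Resolved"]);
const UUID_RE = /^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Successful results live at msg.payload.asc.[uniqueId].response.
function previousResponse(msg, uniqueId) {
  const asc = (msg && msg.payload && msg.payload.asc) || {};
  const entry = asc[uniqueId];
  return entry && entry.response ? entry.response : null;
}

function resolveAlertTarget(msg, uniqueId, config) {
  if (config.action !== "Get Alert" && config.action !== "Update Alert Status") {
    throw new Error("unknown action: " + config.action);
  }
  const prev = previousResponse(msg, uniqueId);

  // Subscription: an explicit UUID, or taken from the previous response.
  const subscriptionId = config.subscriptionId === "Standard Subscription ID Location"
    ? prev && prev.subscriptionId
    : config.subscriptionId;
  if (typeof subscriptionId !== "string" || !UUID_RE.test(subscriptionId)) {
    throw new Error("subscription ID missing or not in UUID format");
  }

  // Alert name: explicit, or taken from alert.name in the previous response.
  const alertName = config.alertName === "Standard Alert Location"
    ? prev && prev.alert && prev.alert.name
    : config.alertName;
  if (!alertName) throw new Error("alert name missing");

  // Optional fields: "Not Specified" means the field is ignored.
  const resourceGroup = config.resourceGroup === "Not Specified" ? null : config.resourceGroup;
  let location = config.location === "Not Specified" ? null : config.location;
  let newStatus = null;

  if (config.action === "Update Alert Status") {
    if (!location) location = "centralus"; // documented default for status updates
    if (!VALID_STATUSES.has(config.newStatus)) {
      throw new Error("status must be Active, Dismissed or Resolved");
    }
    newStatus = config.newStatus;
  }
  return { action: config.action, subscriptionId, resourceGroup, location, alertName, newStatus };
}

// Write a successful result to the documented response path for later nodes.
function storeResponse(msg, uniqueId, response) {
  msg.payload = msg.payload || {};
  msg.payload.asc = msg.payload.asc || {};
  msg.payload.asc[uniqueId] = { response };
  return msg;
}

// Constructed sample message, shaped like the query node's output as the page
// describes it (values are made up, not real Azure identifiers).
const SAMPLE_QUERY_MSG = storeResponse({ payload: {} }, "query1", {
  subscriptionId: "11111111-2222-3333-4444-555555555555",
  alert: { name: "2517866100000000000_aaaa-bbbb" },
});

const resolved = resolveAlertTarget(SAMPLE_QUERY_MSG, "query1", {
  action: "Update Alert Status",
  subscriptionId: "Standard Subscription ID Location",
  resourceGroup: "Not Specified",
  location: "Not Specified",
  alertName: "Standard Alert Location",
  newStatus: "Dismissed",
});
console.log(resolved);
```

Rejecting a missing or malformed subscription ID up front, rather than sending a request that fails, keeps a mis-wired flow from silently acting on the wrong subscription.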
This node provides Azure Security Center (ASC) capabilities for polling Active security alerts. It retrieves the list of all alerts from the Azure Security Center (ASC) based on the specified Subscription ID(s), Resource Group, and Location. At the time of this writing, the supported Location values are centralus and westeurope. Because the API does not support filtering of alerts, all alerts are returned, regardless of Severity or current status. The filtering of alerts based on a status of Active and the selected Severity values is performed after pulling in the alerts.
To be able to perform the ASC REST API calls, an application (service principal) within Azure AD must be delegated the user_impersonation scope from within the Azure Service Management. Within the Microsoft Azure Portal, the application must be added to the Subscription with a role capable of performing those actions, such as Owner. For more details, read through the Register an application with Azure AD and create a service principal page.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Use Repeat to define how often a query for alerts is triggered. The left inject button on this node is used to immediately trigger the retrieval of alerts. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.
The Subscription ID(s) may be a single subscription ID or a comma separated list of subscription IDs.
Azure Subscription ID, in UUID format, obtained from the Microsoft Azure portal (https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
The resource group for the pulled alerts. Leave blank to ignore this field.
The ASC location for the pulled alerts. Leave blank to ignore this field.
The set of selected severity values to filter alerts by.
Active status.
The New Status field allows for changing the status of an Active alert before sending it on. The available options are:
When updating the status, the Location is recommended. If not specified, the Location defaults to centralus.
This field sets the maximum number of passed alerts.
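As an added example (not the plugin's own code), the following performs the client-side work the query node is described as doing once the alerts have been pulled: it parses the comma separated subscription list, checks the Location against the two documented values, keeps only Active alerts in the selected Severity set, applies the New Status value to the outgoing message and enforces the maximum number of passed alerts. The alert object shape (properties.status, properties.severity) and the helper names are assumptions, and New Status is modelled as rewriting the status field on the passed message.

```javascript
// Added example, not the plugin's own code: post-retrieval processing for the
// Alert Query node. The alert shape and helper names are assumptions.

const SUPPORTED_LOCATIONS = new Set(["centralus", "westeurope"]); // per the page
const VALID_STATUSES = new Set(["Active", "Dismissed", "Resolved"]);

// "sub-a, sub-b" -> ["sub-a", "sub-b"]; blanks dropped, duplicates removed.
function parseSubscriptionIds(text) {
  const ids = String(text || "").split(",").map((s) => s.trim()).filter(Boolean);
  return Array.from(new Set(ids));
}

// Blank means "ignore this field"; anything else must be a supported location.
function validateLocation(location) {
  if (location === "") return null;
  if (!SUPPORTED_LOCATIONS.has(location)) throw new Error("unsupported location: " + location);
  return location;
}

// Keep only Active alerts in the selected severities, optionally rewrite the
// status on the copy that is passed on, and cap the number passed.
function selectAlerts(alerts, { severities, newStatus = null, maxAlerts = Infinity }) {
  if (newStatus !== null && !VALID_STATUSES.has(newStatus)) {
    throw new Error("New Status must be Active, Dismissed or Resolved");
  }
  const wanted = new Set(severities);
  const passed = [];
  for (const alert of alerts) {
    const p = alert.properties || {};
    if (p.status !== "Active" || !wanted.has(p.severity)) continue; // API cannot filter, so we do
    if (passed.length >= maxAlerts) break;
    // Copy rather than mutate so the retrieved list stays an accurate record.
    passed.push(newStatus ? { ...alert, properties: { ...p, status: newStatus } } : alert);
  }
  return passed;
}

// Constructed sample alerts (not real ASC data).
const SAMPLE_ALERTS = [
  { name: "a1", properties: { status: "Active", severity: "High" } },
  { name: "a2", properties: { status: "Resolved", severity: "High" } },
  { name: "a3", properties: { status: "Active", severity: "Low" } },
  { name: "a4", properties: { status: "Active", severity: "Medium" } },
  { name: "a5", properties: { status: "Active", severity: "High" } },
];

console.log(parseSubscriptionIds("11111111-2222-3333-4444-555555555555, 66666666-7777-8888-9999-000000000000"));
console.log(selectAlerts(SAMPLE_ALERTS, { severities: ["High", "Medium"], maxAlerts: 2 }).map((a) => a.name));
```

Because every alert comes back regardless of status, the volume returned for a busy subscription can be large; filtering before the cap (rather than capping the raw list) ensures the maximum applies to alerts that actually match the selected criteria.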
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
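As an added example (not the plugin's own code), the following implements the five aggregation modes described above over a constructed stream of alert messages. The source field is read from a dotted path as a stand-in for the plugin's JSONata query, and the similarity metric (the Sørensen-Dice coefficient over character bigrams) is our choice, since the page does not say which metric the plugin uses; the incident id format and helper names are assumptions.

```javascript
// Added example, not the plugin's own code: the aggregation modes described on
// the page. Dotted-path field access and the Dice similarity are our choices.

function getField(msg, path) {
  return path.split(".").reduce((obj, key) => (obj == null ? undefined : obj[key]), msg);
}

function bigrams(text) {
  const t = String(text).toLowerCase();
  const out = [];
  for (let i = 0; i + 1 < t.length; i++) out.push(t.slice(i, i + 2));
  return out;
}

// Sørensen-Dice coefficient in [0, 1]; 1 means identical bigram multisets.
function similarity(a, b) {
  const x = bigrams(a), y = bigrams(b);
  if (x.length === 0 && y.length === 0) return 1;
  const counts = new Map();
  for (const g of x) counts.set(g, (counts.get(g) || 0) + 1);
  let common = 0;
  for (const g of y) {
    const c = counts.get(g) || 0;
    if (c > 0) { common++; counts.set(g, c - 1); }
  }
  return (2 * common) / (x.length + y.length);
}

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

class Aggregator {
  // mode: "None" | "Field Match" | "Exact Match" | "Keyword Match" | "Fuzzy Match"
  // opts: { values } for Exact Match, { keywords } for Keyword Match,
  //       { threshold } in [0, 1] for Fuzzy Match
  constructor(mode, field, opts = {}) {
    this.mode = mode;
    this.field = field;
    this.opts = opts;
    this.fuzzySeeds = []; // one { id, value } per fuzzy incident, in creation order
  }

  // Returns the incident id the message joins, or null when it is not aggregated.
  assign(msg) {
    const raw = getField(msg, this.field);
    const value = raw == null ? "" : String(raw);
    switch (this.mode) {
      case "None":
        return null;
      case "Field Match":
        return "field:" + value; // every distinct value is its own incident
      case "Exact Match":
        return this.opts.values.includes(value) ? "exact:" + value : null;
      case "Keyword Match":
        for (const kw of this.opts.keywords) { // first matching keyword wins
          if (new RegExp("\\b" + escapeRegExp(kw) + "\\b", "i").test(value)) return "keyword:" + kw;
        }
        return null;
      case "Fuzzy Match": {
        for (const seed of this.fuzzySeeds) {
          const sim = similarity(value, seed.value);
          if (sim >= this.opts.threshold) {
            msg.similarity = sim; // exposed to help tune the threshold
            return seed.id;
          }
        }
        const id = "fuzzy:" + (this.fuzzySeeds.length + 1);
        this.fuzzySeeds.push({ id, value }); // this message starts a new incident
        return id;
      }
      default:
        throw new Error("unknown aggregation mode: " + this.mode);
    }
  }
}

// Constructed sample messages (not real ASC alerts).
const SAMPLE_MESSAGES = [
  { payload: { alert: { name: "Suspicious process executed on vm-web-01", severity: "High" } } },
  { payload: { alert: { name: "Suspicious process executed on vm-web-02", severity: "High" } } },
  { payload: { alert: { name: "Multiple failed logins to vm-db-01", severity: "Medium" } } },
  { payload: { alert: { name: "Suspicious process executed on vm-web-01", severity: "High" } } },
];

// Group the sample messages by incident id under one mode; returns { id: [indexes] }.
function groupMessages(mode, field, opts) {
  const agg = new Aggregator(mode, field, opts);
  const groups = {};
  SAMPLE_MESSAGES.forEach((msg, i) => {
    const id = agg.assign(msg);
    if (id !== null) (groups[id] = groups[id] || []).push(i);
  });
  return groups;
}

console.log(groupMessages("Fuzzy Match", "payload.alert.name", { threshold: 0.8 }));
```

With a 0.8 threshold the two "vm-web" alerts that differ only in host number land in one incident (similarity just under 1) while the login alert starts a second incident; inspecting the similarity attribute on matched messages is the practical way to settle on a threshold for your own alert titles.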
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.