×
Azure Security Center (ASC)
Azure Security Center (ASC)

Overview

The Microsoft Azure Security Center (ASC) plugin adds the ability to list alerts, get an alert’s details, and update an alert’s status.

Functionality

The Security Flow Azure Security Center plugin provides the ability to

  • retrieve filtered alerts periodically or when manually triggered
  • retrieve all information for a specific alert
  • update the status for a specific alert

Instance Configuration Parameters

Property
Description
Instance Name

Name for the Azure Security Center instance.

Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.

Authentication Mechanism

The authentication mechanism to use for accessing the Azure Security Center. Currently, Azure AD v1.0 Authorization Token using Secret is the only supported mechanism.

Tenant ID

The Azure AD Tenant (Directory) ID hosting the application.

Application ID

The Application ID (service principle) used with the Azure AD v1.0 Authorization Token using Secret authentication mechanism. Within Microsoft Azure, the application must be added to the Subscription with a role capable of performing those actions, such as Owner.

Client Secret

The client secret of the application used with the Azure AD v1.0 Authorization Token using Secret authentication mechanism.

Flow Nodes

This node provides access to retrieve alerts and update the status of alerts using the Azure Security Center (ASC) REST API.

To be able to perform the ASC REST API calls, an application (service principle) within Azure AD must be delegated the user_impersonation scope from within the Azure Service Management. Within the Microsoft Azure Portal, the application must be added to the Subscription with a role capable of performing those actions, such as Owner. For more details, read through the Register an application with Azure AD and create a service principal page.

Property
Description
Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Action

Configuration option determining the type of operation to perform:

  • Get Alert: Retrieves the details of an alert using the supplied Alert Name, which is a unique ID number.
  • Update Alert Status: Updates the status of an alert specified by Alert Name. Possible alert status values are: Active, Dismissed, or Resolved.

Successful results for an action are placed in msg.payload.asc.[uniqueId].response.

Subscription ID

Azure Subscription ID, in UUID format, obtained from the Microsoft Azure portal (https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).

If Standard Subscription ID Location is selected, the subscription ID is obtained from the response object within subscriptionId. The Standard Subscription ID Location is set by the NL-ASC-Alert-Query node.

Resource Group

The resource group for the alert. This may be left as Not Specified to be ignored.

Location

The location for the alert. This may be left as Not Specified to be ignored when performing an action of Get Alert. If left as Not Specified when performing an action of Update Alert Status, this will be set to centralus.

Alert Name

The identifier for the alert being retrieved or whose status is being updated. If Standard Alert Location is selected, the alert name is obtained from the response object within alert.name. The Standard Alert Location is set by the NL-ASC-Alert-Query node.

This node provides Azure Security Center (ASC) capabilities for polling Active security alerts. Retrieves the list of all alerts from the Azure Security Center (ASC) based on the specified Subscription ID(s), Resource Group, and Location. At the time of this writing, the supported Location values are centralus and westeurope. Because the API does not support filtering of alerts, all alerts are returned, regardless of Severity or current status. The filtering of alerts based on a status of Active and the selected Severity values is performed after pulling in the alerts.

To be able to perform the ASC REST API calls, an application (service principle) within Azure AD must be delegated the user_impersonation scope from within the Azure Service Management. Within the Microsoft Azure Portal, the application must be added to the Subscription with a role capable of performing those actions, such as Owner. For more details, read through the Register an application with Azure AD and create a service principal page.

Property
Description
Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Repeat

Use Repeat to define how often a query for alerts is triggered. The left inject button on this node is used to immediately trigger the retrieval of alerts. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.

Subscription IDs

The Subscription ID(s) may be a single subscription ID or a comma separated list of subscription IDs.

Azure Subscription ID, in UUID format, obtained from the Microsoft Azure portal (https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).

Resource Group

The resource group for the pulled alerts. Leave blank to ignore this field.

Location

The ASC location for the pulled alerts. Leave blank to ignore this field.

Severity

The set of selected severity values to filter alerts by.

New Status

The New Status field allows for changing the status of an Active alert before sending it on. The available options are:

No Update
Status is left as Active.
Dismiss
Status is updated to Dismissed.
Resolve
Status is updated to Resolved.

When updating the status, the Location is recommended. If not specified, the Location defaults to centralus.

Size Limit

This field sets the maximum number of passed alerts.

Aggregetion

This node supports five modes for aggregating incidents.

  • None: Never aggregate any incidents (default).
  • Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
  • Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
  • Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
  • Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.

EULA