Microsoft Azure Sentinel - SecurID Cloud Administration API with CAS Configuration - RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Oct 15, 2020. Last modified by RSA Information Design and Development Employee on Oct 21, 2020.
Version 3

This section describes how to integrate Microsoft Azure Sentinel with RSA Cloud Authentication Service using the SecurID Cloud Administration Add/Remove High-Risk User API.

Architecture Diagram

Configure RSA Cloud Authentication Service

Use the Cloud Administration Retrieve High-Risk User List API to retrieve users who have been marked as high risk. Accounts for these users may have been compromised. A security information and event management (SIEM) solution, such as Microsoft Azure Sentinel, may mark users with suspicious activity as high risk.


Configure Microsoft Azure Sentinel

Perform these steps to configure Microsoft Azure Sentinel as a High-Risk User API client to RSA Cloud Authentication Service.

Procedure

  1. Log in to the Azure portal, browse to Azure Sentinel Workspaces and select the relevant workspace.
  2. In the selected workspace, browse to Playbooks.
  3. Click Add Playbook and then create a new Logic App for the new playbook.

     Note: Azure might ask you to log in again to proceed.

  4. Once the Playbook is created, browse to Logic App designer and click to add Blank Logic App.
  5. Within the Logic App, search the available templates for "Sentinel" and select “When a response to an Azure Sentinel alert is triggered”.
  6. Click New Step.
  7. Get the risky user identifiers from the trigger. Here is the list of supported user identifiers.
  8. Type "alert" in the search and select "Alert - Get hosts".
  9. Select Entities from the content list.

     Note: If the relevant user identifier exists in a different field, use an appropriate fact from the available options.

  10. Send the risky users to RSA SecurID Cloud Authentication Service. The “Cloud Administration Add/Remove High-Risk User API” documentation can be found at https://community.rsa.com/docs/DOC-101486. In this step, for each of the users, the system will call the API with an HTTP POST request. Click “New step”, type “For each” in the search and select the “For each” control. (The assumption is that an alert can contain multiple users.)

  11. Select “Hosts” as the relevant output from the previous step. In this step we want to put the username in a form that the Risky Users API can consume. In the example below, the username information appeared as “hostname” in the analyzed syslog.

  12. Click Add an action and search for “Add comment to incident”.

  13. Fill in the necessary information. This is an optional step, suggested for debugging purposes.

  14. Click Add an action and search for “HTTP”. This is an optional step, suggested for debugging purposes.

  15. Fill in the relevant information to populate the POST request.

      Note: As mentioned above, the username should be in a form that the Risky User API can consume, so in your case it might look like “username”@“DNS domain” (@ instead of a dot).

      Note: More about authorization can be found at https://community.rsa.com/docs/DOC-96949

  16. As an example, the JWT should contain the following information:

      {"typ": "JWT", "alg": "RS256" }.{ "sub": (API key), "iat": (date), "exp": (date), "aud": "https://irp-sym.access-dev.securid.com/AdminInterface/restapi/" }.[Signature]

  17. Click Save to save the Logic App.
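How the RS256 token quoted in the procedure is assembled, and how a hostname-style identifier from the Sentinel alert is rewritten into the username@DNS-domain form the note above calls for, as an added Go example that is not part of this RSA guide. It assumes you already hold the API key and the matching RSA private key issued for your Cloud Administration API client (a freshly generated key pair and a placeholder API key stand in for them here); the first-dot-to-@ rewrite is an assumed mapping for the hostname case the guide shows, and the aud value is the one the guide quotes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// b64 encodes one JWT segment: base64url without padding.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// AdminJWT builds the bearer token the guide describes: header {"typ":"JWT","alg":"RS256"},
// claims sub (the Cloud Administration API key), iat, exp and aud (the REST base URL),
// signed with RSASSA-PKCS1-v1_5 over SHA-256. Keep ttl short: exp bounds the replay window.
func AdminJWT(key *rsa.PrivateKey, apiKey, aud string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	claims, _ := json.Marshal(map[string]interface{}{
		"sub": apiKey, "iat": now.Unix(), "exp": now.Add(ttl).Unix(), "aud": aud})
	input := b64(hdr) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// ToHighRiskUserID turns the hostname-style identifier Sentinel extracted
// ("jdoe.example.com") into the username@DNS-domain form the High-Risk User API
// consumes. Assumed mapping: the first dot becomes an @; existing @ forms pass through.
func ToHighRiskUserID(entity string) string {
	if strings.Contains(entity, "@") {
		return entity
	}
	return strings.Replace(entity, ".", "@", 1)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the issued client key
	aud := "https://irp-sym.access-dev.securid.com/AdminInterface/restapi/"
	tok, err := AdminJWT(key, "API-KEY-PLACEHOLDER", aud, time.Now(), 60*time.Second)
	fmt.Println(ToHighRiskUserID("jdoe.example.com"), tok, err)
}
```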

    Return to the main page for more certification-related information.
