With the Azure based Orchestrator there is no need to provision any hardware in your Organization's infrastructure. The only requirement is that Azure AD houses your employee information. The only data the SafeTitan Real Time functionality needs from Azure AD is read access to the attribute that identifies the user in the SafeTitan portal (typically the user's email address). The configuration that grants this access is detailed below.
Aside from the technical requirements documented above, Real Time needs to integrate with a SIEM or network monitoring technology. The applications currently covered are listed below; the status of each (ready to use, or requiring customization by SafeTitan) is described in the Supported SIEM / Network Monitoring Application section.
- Splunk Enterprise Security
- LogRhythm
- MS Sentinel
- DTEX Agents
SafeTitan's Azure based Real Time Response Orchestration comprises two main components: the Orchestrator, and a supported network monitoring technology such as a SIEM.
The Orchestrator comes in two flavors, On-Premise and Cloud (Azure). This article covers the cloud (Azure) installation.
The Orchestrator is effectively an API that provides the integration between your SIEM and SafeTitan's Real Time functionality. The Orchestrator receives messages from your SIEM about pre-configured events of interest, such as an employee downloading malicious software. Each message needs to carry only two things: the name of the alert that was triggered (an identifier) and an identifier for the user who performed the action. The Orchestrator then queries your Azure AD, using the user identifier as the lookup key, to retrieve the attribute (typically the user's email address) that SafeTitan needs in order to respond to that user. Finally, the Orchestrator creates and enriches a message for SafeTitan's Real Time engine informing it of the action the offending user has taken.
Supported SIEM / Network Monitoring Application
For a network monitoring application to communicate with the Orchestrator, it must call the web hook exposed by the Orchestrator. How the web hook is invoked depends on the chosen technology.
LogRhythm alarms can be created to trigger on specific criteria, such as a domain account being created or a removable storage device being detected. When such an alarm triggers, its information must be passed to the Orchestrator. LogRhythm calls the web hook through a feature called a Smart Response. A Smart Response lets you define a PowerShell script that accepts a collection of parameters passed from the alarm instance; the script in turn forwards this information to the Orchestrator. The Smart Response configuration is covered in the separate LogRhythm integration document.
Splunk Enterprise Security (ES) is a security information and event management (SIEM) solution. Alerts created in Splunk can be configured to forward data to a web hook when the alert is triggered, and that web hook should point at the Orchestrator. Configuring the web hook in a Splunk alert is covered in the separate Splunk integration document.
Support for Splunk and LogRhythm is currently implemented and ready to use. Solutions for other technologies (such as Logpoint, MS Sentinel and DTEX Agents) are also available but may need some customization from SafeTitan. These customizations or functionality extensions typically have a turnaround time of 1-2 weeks and require collaboration with the technical / network team on the Organisation's side.
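As an added illustration (not SafeTitan's or LogRhythm's own code), the script below shows the shape a Smart Response script for this integration takes: it receives the alarm name and the user identifier as parameters and posts them to the Orchestrator web hook over TLS. The web hook path (/api/alerts), the JSON field names and the X-Api-Key header are assumptions made for the example; take the real endpoint and authentication details from your Orchestrator package.

```powershell
# Added example: LogRhythm SmartResponse-style script that forwards an alarm to the
# Orchestrator web hook. The path /api/alerts, the JSON field names and the
# X-Api-Key header are ASSUMED for illustration; use the values from your
# Orchestrator package.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $AlertName,       # identifier of the alarm that fired
    [Parameter(Mandatory = $true)] [string] $UserIdentifier,  # e.g. the account name from the event
    [Parameter(Mandatory = $true)] [string] $OrchestratorUrl, # https://<host>/api/alerts (assumed path)
    [Parameter(Mandatory = $true)] [string] $ApiKey           # assumed shared secret for the web hook
)

$ErrorActionPreference = 'Stop'

# The payload names an employee and an alert, so refuse anything that is not HTTPS.
if (-not $OrchestratorUrl.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to send alert data to a non-HTTPS endpoint: $OrchestratorUrl"
}

# Trim and sanity-check what the alarm handed us: a blank identifier would make the
# Orchestrator's Azure AD lookup fail, or match nothing silently.
$AlertName      = $AlertName.Trim()
$UserIdentifier = $UserIdentifier.Trim()
if ([string]::IsNullOrWhiteSpace($AlertName) -or [string]::IsNullOrWhiteSpace($UserIdentifier)) {
    throw 'AlertName and UserIdentifier must both be non-empty'
}

# Only the two identifiers the Orchestrator needs, plus provenance; no raw log data.
$body = @{
    alertName      = $AlertName
    userIdentifier = $UserIdentifier
    source         = 'LogRhythm'
    observedAt     = (Get-Date).ToUniversalTime().ToString('o')
} | ConvertTo-Json -Compress

$headers = @{ 'X-Api-Key' = $ApiKey }

try {
    $response = Invoke-WebRequest -UseBasicParsing -Method Post -Uri $OrchestratorUrl `
        -Headers $headers -ContentType 'application/json' -Body $body -TimeoutSec 15
    Write-Output "Orchestrator accepted alert '$AlertName' for '$UserIdentifier' (HTTP $($response.StatusCode))"
}
catch {
    # A non-zero exit code makes the failure visible on the alarm in LogRhythm.
    Write-Error "Failed to forward alert '$AlertName' to the Orchestrator: $($_.Exception.Message)"
    exit 1
}
```

The script deliberately sends only the alert identifier and the user identifier, which is all the Orchestrator needs; the Azure AD lookup and the enrichment happen on the Orchestrator side, so the SIEM never needs Graph credentials of its own.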
Creation of Application Registration in Azure AD
As mentioned above, the Azure Orchestrator needs to request information about offending users from Azure AD in order to retrieve the identifier used to deliver the Real Time Response to the user. To let the Orchestrator query Azure AD through the MS Graph API, an application registration must be created and granted read access to user objects. Because the Orchestrator runs unattended, this is an application permission (no signed-in user is involved), so the registration's client secret is effectively a directory read credential and should be stored and rotated accordingly. The application registration is set up as illustrated below:
Register the SafeTitan portal within Microsoft App Registration portal
- To register the application in the Microsoft App Registration portal, navigate to your Azure portal : https://portal.azure.com/
- In the left-hand navigation pane, click on Azure Active Directory.
- Click on App Registrations and click on New application registration.
- Set the following values in the form:
- Name: SafeTitan
- Supported Account Types: Default option
- Redirect URI: This will be the domain of your SafeTitan portal
- Once registration is complete, Azure AD assigns your application a unique client identifier, the Application (client) ID. It is shown on the Overview screen of your App registration and is needed in the sections below, so copy it now.
Generate Application Secret
The next step is to generate an application secret. The Orchestrator uses this value, together with the Application ID, to prove its identity when connecting to Azure.
- Select the Certificates & Secrets tab.
- In the next screen, click New client secret. Provide a description and select an expiration date.
- Once the client secret is created, copy its value immediately: Azure shows the secret value only once, and it is needed when configuring the Orchestrator Settings on the SafeTitan portal. Note the expiration date as well, since the Orchestrator can no longer authenticate once the secret expires and a new secret must then be generated and entered in the portal.
Configure permissions for Microsoft Graph on your app
Now we need to configure the permissions granted to the SafeTitan App. Directory.Read.All access is required.
- Click API Permissions.
- Click Add a Permission
- In the dialog that appears, select Microsoft APIs and Microsoft Graph
- Next, select Application Permissions
- Search for the permission Directory.Read.All and add the permission.
- In the API permissions screen, click the button Grant admin consent for ...
This will effectively approve the permission request for the application.
After configuring the application registration, the next step is to create the Orchestrator configuration in the SafeTitan portal.
- Navigate to your SafeTitan portal.
- Select Real-Time Integrations from the side menu.
- Select Orchestrator Settings.
- Click the button Generate Orchestration Package (This will add a new Orchestrator configuration to the grid.)
- In the grid, select the edit button next to the Orchestrator package that was generated.
In the form that is displayed, provide values for the attributes below:
Name: This is the label you wish to give the Orchestrator. This can be a useful identifier in a multi-orchestrator setup.
Tenant ID: The ID (GUID) of your Azure tenant, or one of its verified domain names.
Application ID: This should be the value provided for your Application ID during the Application Registration in Azure (Above).
Application Secret: This should be the value provided for your Application Secret during the Application Registration in Azure (Above).
Event Grid endpoint: This is a pre-populated field containing the endpoint used by the Orchestrator to forward events to SafeTitan cloud platform.
Event Grid Shared Access Signature: This is a pre-populated field that is used to authenticate connections to the Event Grid endpoint.
AD Identifier: The Azure AD attribute that holds the user's SafeTitan username. It defaults to mail; change it only if your SafeTitan usernames are stored in a different attribute (for example userPrincipalName).
To save the changes here, click Save.
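Before relying on the values entered above, it is worth checking that they work end to end. The script below is an added example (not SafeTitan code) that does what the Orchestrator does with the Application Registration and the Orchestrator Settings: it obtains a token with the client-credentials grant, confirms the admin-consented Graph role is present in the token, and resolves a user identifier of the kind a SIEM alert would carry to the AD Identifier attribute. The token and Graph endpoints are Microsoft's published ones; the assumption that an alert may carry either a UPN or an on-premises account name, and the fallback lookup on onPremisesSamAccountName, are choices made for this example.

```powershell
# Added example (not SafeTitan code): verify that Tenant ID, Application ID,
# Application Secret and AD Identifier allow the same lookup the Orchestrator performs.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,          # tenant GUID or verified domain
    [Parameter(Mandatory = $true)] [string] $ApplicationId,     # Application (client) ID
    [Parameter(Mandatory = $true)] [string] $ApplicationSecret, # client secret value
    [Parameter(Mandatory = $true)] [string] $UserIdentifier,    # what a SIEM alert would carry
    [string] $AdIdentifier = 'mail'                             # attribute holding the SafeTitan username
)

$ErrorActionPreference = 'Stop'

# 1. Client-credentials token: the grant an unattended service uses, matching the
#    Application permission granted in the registration (no signed-in user).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ApplicationId
        client_secret = $ApplicationSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }

# 2. Decode the JWT payload and check that admin consent actually produced a role;
#    without it the token is issued but every Graph call returns 403.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
if (-not (($claims.roles -contains 'Directory.Read.All') -or ($claims.roles -contains 'User.Read.All'))) {
    throw "Token carries no user-read role (roles: $($claims.roles -join ', ')). Was 'Grant admin consent' clicked?"
}

# 3. Resolve the identifier to the AD Identifier attribute, as the Orchestrator would.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$select  = "id,userPrincipalName,$AdIdentifier"
$escaped = [Uri]::EscapeDataString($UserIdentifier)
try {
    # Direct lookup works when the alert carries a UPN or object ID ...
    $user = Invoke-RestMethod -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/users/${escaped}?`$select=$select"
}
catch {
    # ... otherwise assume (example choice) an on-premises account name from a synced AD.
    $quoted = $UserIdentifier.Replace("'", "''")   # escape single quotes inside the OData literal
    $filter = [Uri]::EscapeDataString("onPremisesSamAccountName eq '$quoted'")
    $result = Invoke-RestMethod -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/users?`$filter=$filter&`$select=$select"
    if (@($result.value).Count -ne 1) {
        throw "Expected exactly one match for '$UserIdentifier', got $(@($result.value).Count)"
    }
    $user = $result.value[0]
}

# 4. An empty attribute means SafeTitan would have nobody to respond to.
$target = $user.$AdIdentifier
if ([string]::IsNullOrWhiteSpace($target)) {
    throw "User $($user.userPrincipalName) has no value in attribute '$AdIdentifier'"
}
Write-Output "OK: '$UserIdentifier' resolves to $AdIdentifier = $target"
```

Run it once with the identifier format your SIEM actually emits (a UPN, an object ID, or an on-premises account name); if the lookup fails here, it will fail in the Orchestrator too, and the AD Identifier or the SIEM's alert mapping needs adjusting before going live.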
This concludes the Orchestrator setup.
The next step is to begin the integration with your chosen SIEM / network monitoring application. There is a separate document for each application's integration setup.