Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 3 Next »

What does the integration offer?

Compass offers a webhook integration with Azure Sentinel. Compass acts as a dispatcher for Azure Sentinel incidents, determines the right people to notify based on on-call schedules, notifies via email, text messages (SMS), phone calls, and iOS and Android push notifications, and escalates alerts until the alert is acknowledged or closed.

How does the integration work?

  • When an incident is created in Azure Sentinel, an alert is created in Compass.

  • When an incident is closed in Azure Sentinel, the related alert is closed in Compass.

Set up the integration

Azure Sentinel is an API-based integration. Setting it up involves the following steps:

  • Add an Azure Sentinel integration in Compass

  • Configure the integration in Azure Sentinel

Add an Azure Sentinel integration

In this release, only incoming integrations are fully supported in the Standard plan, at a team level. To use outgoing integrations or the outgoing part of bidirectional integrations, upgrade to a higher subscription plan. There may be restrictions on how you can create and apply integration rules as well.

You can add this integration only from your team’s operations page. Adding an integration from your team’s operations page makes your team the owner of the integration. This means Compass only assigns the alerts received through this integration to your team.

To add an Azure Sentinel integration in Compass, complete the following steps:

  1. Go to your team’s operations page.

  2. On the left navigation panel, select Integrations and then Add integration.

  3. Run a search and select “Azure Sentinel”.

  4. On the next screen, enter a name for the integration.

  5. Optional: Select a team in Assignee team if you want a specific team to receive alerts from the integration.

  6. Select Continue.
    The integration is saved at this point.

  7. Expand the Steps to configure the integration section and copy the API key.
    You will use this key while configuring the integration in Azure Sentinel later.

  8. Select Turn on integration.
    The rules you create for the integration will work only if you turn on the integration.

Configure the integration in Azure Sentinel

To configure the integration of Azure Sentinel with Compass, complete the following steps:

  1. Create a logic app using Azure Deploy Template.

  2. Enter values for Subscription and Resource Group.

  3. Select the Azure Sentinel workspace.

  4. Enter a name in Logic App Name.

  5. Optional: If required, change the Compass endpoint.

  6. Paste the API key previously copied from Comapss into Api Key.

  7. Select Review + Create.

azure_sentinel_config.png

Sample payload sent from Azure Sentinel

(in JSON format)

{
  "id": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "description": "This is a demo incident",
  "title": "My incident",
  "severity": "Low",
  "status": "New",
  "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "labels": [
    {
      "labelName": "My label",
      "labelType": "User"
    }
  ],
  "resourceGroupName": "myRg",
  "workspaceName": "myWorkspace",
  "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0"
}

 

  • No labels