As part of the Data connector, we create or update Threat Intelligence Indicators using the Microsoft Sentinel REST APIs. These REST APIs require an Azure Client ID (Application ID) and Client Secret. To generate the Client ID and Client Secret, follow the steps in App Registration and Required Access.

  1. Go to the Microsoft Sentinel Workspace in which you installed the template, go to Data Connectors, and search for the Infoblox Data Connector.

...

  1. After clicking, you will be redirected to the actual configuration screen of the Data Connector.
    Provide the information below and click the “Review + Create” button.

    1. Infoblox Base Url: Base URL of Infoblox (Default value is present)

    2. Infoblox API Token: Infoblox’s API Token of InfobloxKey

    3. Confidence: Fetch only indicators with a confidence score greater than the provided value

    4. ThreatLevel: Fetch only indicators with a threat level greater than the provided value

    5. Azure_Client_Id: Azure clientId of your app registered on Microsoft Entra ID

    6. Azure_Client_Secret: Azure clientSecret created in app in Microsoft Entra ID

    7. Azure_Tenant_Id: Azure Tenant ID found in Microsoft Entra ID

    8. Workspace ID: Provide Workspace ID.

    9. Workspace Key: Provide Workspace Key.
      You can find Workspace ID and Workspace Key in the Data Connector page itself.

    10. Log Level: Log level or log severity value. By default it is set to INFO

    11. AppInsightsWorkspaceResourceID: Use the 'Resource ID' property value from the 'Log Analytics Workspace --> Properties' blade. This is a fully qualified resourceId in the format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'.

      NOTE: In this integration, we create or update Threat Intelligence Indicators using the Microsoft Sentinel REST APIs. These REST APIs require an Azure Client ID (Application ID) and Client Secret. To generate the Client ID and Client Secret, follow the steps below.
      1. App Registration steps for the Application in Microsoft Entra ID
        This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:

        1. Sign in to the Azure portal.

        2. Search for and select Microsoft Entra ID.

        3. Under Manage, select App registrations

        4. Click on New Registration

        5. Enter a display Name for your application.

        6. Select Register to complete the initial app registration.

        7. When registration finishes, the Azure portal displays the app registration's Overview pane.

        8. You see the Application (client) ID and Tenant ID. The client ID and Tenant ID are required as configuration parameters for the execution of Infoblox MS Sentinel Data Connector.

      2. Add a client secret for application in Microsoft Entra ID

        1. Sometimes called an application password, a client secret is a string value required for the execution of Infoblox MS Sentinel Data Connector. Follow the steps in this section to create a new Client Secret.

        2. In the Azure portal, in App registrations, select your application.

        3. From Manage, select Certificates & secrets > Client secrets > New client secret.

        4. Add a Description for your client secret.

        5. Select an expiration for the secret or specify a custom lifetime. The limit is 24 months.

        6. Select Add.

        7. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. The secret value is required as a configuration parameter for the execution of Infoblox MS Sentinel Data Connector.

      3. Assign role of Contributor to application in Microsoft Entra ID

        1. In the Azure portal, go to Resource Group and select your resource group.

        2. Go to Access control (IAM) from the left panel.

        3. Click on Add, and then select Add role assignment.

        4. Select Contributor as the role from Privileged administrator roles and click Next.

        5. In Assign access to, select User, group, or service principal.

        6. Click Add members, type the name of the app you created, and select it. Then click Review + assign, and click Review + assign again.
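
A pre-flight check for the values entered on the deployment page, added here as an example; it is not part of the Infoblox connector or the original page. The function names and sample values are constructed, and the resource-group comparison assumes the Contributor role was assigned on the resource group that holds the workspace.

```python
import re
import uuid

# Format the page gives for AppInsightsWorkspaceResourceID.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<ws>[^/]+)$",
    re.IGNORECASE,
)

def is_guid(value):
    """True if value is a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def preflight(params, role_scope_rg=None):
    """Return a list of problems found in the connector deployment parameters."""
    problems = []
    for key in ("Azure_Client_Id", "Azure_Tenant_Id", "Workspace ID"):
        if not is_guid(params.get(key, "")):
            problems.append(f"{key}: not a GUID")
    secret = params.get("Azure_Client_Secret", "")
    if not secret:
        problems.append("Azure_Client_Secret: empty")
    elif is_guid(secret):
        # Heuristic: the portal lists a GUID "Secret ID" next to the secret Value.
        problems.append("Azure_Client_Secret: looks like the Secret ID, not the Value")
    match = RESOURCE_ID_RE.match(params.get("AppInsightsWorkspaceResourceID", ""))
    if not match:
        problems.append("AppInsightsWorkspaceResourceID: wrong format")
    elif not is_guid(match["sub"]):
        problems.append("AppInsightsWorkspaceResourceID: subscription is not a GUID")
    elif role_scope_rg and match["rg"].lower() != role_scope_rg.lower():
        # Assumption: Contributor was assigned on the workspace's resource group.
        problems.append("Contributor scope: workspace is in a different resource group")
    return problems

# Constructed sample values, not real identifiers.
SAMPLE = {
    "Azure_Client_Id": "11111111-1111-1111-1111-111111111111",
    "Azure_Tenant_Id": "22222222-2222-2222-2222-222222222222",
    "Azure_Client_Secret": "33333333-3333-3333-3333-333333333333",  # Secret ID pasted by mistake
    "Workspace ID": "44444444-4444-4444-4444-444444444444",
    "AppInsightsWorkspaceResourceID": "/subscriptions/55555555-5555-5555-5555-555555555555"
    "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/ws-sentinel",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE, role_scope_rg="rg-connector"):
        print(problem)
```
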

...

    1. Enter all the details in the connector deployment page and click on Review + Create

  1. Now click on the “Create” button to install the Data connector.

...

6. After that, you can see the deployment status as shown in the image below.

...

  1. Once the data connector is installed successfully, it can be found under the Function App.

  2. Search and go to the “Function App”

...