Microsoft Sentinel Actions

Actions for Microsoft Sentinel #

• Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.

Use Cases #

Below are the possible use cases for the Send Data action:

• If you want to run Lucidum “headless”, you can send relevant data to Microsoft Sentinel on a regular schedule.

• You can send data to Microsoft Sentinel playbooks for remediation.

Prerequisites #

To configure an action for Microsoft Sentinel, you must first collect the following information:

• Workspace ID

• Primary Key

• Secondary Key

To do this:

1. Log in to the Azure Portal.

2. Navigate to the Log Analytics workspace (also called the Microsoft Sentinel workspace) where you store logs for Microsoft Sentinel. For more details, see https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview

3. Go to Settings > Agents.

   

4. Copy the Workspace ID, Primary Key, and Secondary Key.

Workflows #

• Creating a new Configuration and a new Action
• Cloning an Existing Action
• Creating a new Action from the Location Results page
• Editing a Configuration
• Editing an Action
• Viewing Information about an Action

Microsoft Sentinel Configuration #

• Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

• Workspace ID. The unique identifier for the workspace in Sentinel. The Lucidum data is sent to this workspace.

• Shared Key. The primary or secondary shared key for the account on Sentinel. This key is generated by Azure.

• Maximum number of records per Payload. Specify the number of records to send to Sentinel in each action.

Create or Edit an Action #

To create an action for Microsoft Sentinel:

1. In the Create a New Action page, in the General step, enter:

   

   • Action Type. Select an action from the pulldown options.

   • Configuration Name. Select an action configuration from the pulldown options.

   • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

   • Description. Description of the action.

2. Click the Next (>) icon.

3. In the Filters page, click Configure Filters.

   

4. The Build a Query page appears.

   

5. In the Build a Query page, you define the query for the assets or users that the action will act upon.

6. Click Next.

7. In the Build a Current Query page, enter the fields, operators, and values for the query. For existing actions, the query is already loaded in this page.

   
8. For details on creating and editing queries in Lucidum, see the section on Building Queries.

   NOTE: To optimize performance, the default time range is Current. If you need to access historical data, contact Lucidum Custom Success for help on using historical data without affecting performance.

9. Click the Apply (page and pencil) icon.

10. Click the Next (>) icon.

11. In the Schedule step, enter:

    

    • Schedule Type. Define the schedule for the action. Choices are:

      • Recurrence. Specify a frequency for the recurring schedule.

      • After Data Ingestion. The action is executed after data ingestion, which happens at least once every 24 hours and can also be triggered manually.

    • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

12. Click the Next (>) icon.

13. In the Details step, enter the following:

    

    • Output Fields. For the records selected with the Filters field, specify the columns to display. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

    • Sentinel Workspace Target Table Name. Name of the table in the Sentinel workspace where you want to store Lucidum data.

    • Dedupe Previous Jobs. In this field, you specify whether you want duplicates of asset IDs (if your query is for assets) or user IDs (if your query is for users). You can specify integers starting at 0 (zero).

      • If you specify “0” (zero), Lucidum includes all the records from the query in each execution of the action.

      • If you specify “1” (one), Lucidum examines the previous webhook payload and excludes records for asset IDs or user IDs that were sent in the payload of the last execution of the action.

      • If you specify “2” (two), Lucidum examines the last two webhook payloads and excludes records for asset IDs or user IDs that were sent in the payloads from the previous two executions of the action.