In this use case, we will use the Sentinel Action to send data to a data lake on Sentinel. This is also known as running Lucidum “headless”, because Sentinel users do not have to interact with Lucidum to use the data from Lucidum.
Suppose that every day, you want to send a list of newly found compute assets to a dashboard running in Sentinel.
You could create a query that specifies:

- show all the assets where Compute Asset is set to “yes”

You could then:

- specify that you want to use the query results in a Sentinel Action
- select the fields to include for each record in the payload of the action
- specify how frequently to send the webhook
Structure of Actions #
Actions include two pieces:

- A configuration that provides the connection and authorization information to communicate with the external solution.
- An action that specifies the task to execute, the data to include in the action, and how frequently to execute the action.
Defining the Sentinel Configuration #
To create the configuration for an action in Lucidum, follow these steps:

- Log in to Lucidum.
- Choose Action Center from the left pane.
- In the Action Center, choose Microsoft Sentinel in the Channels pane.
- To create a configuration for the action, click the Manage Configuration button. A configuration provides the connection and authorization information to communicate with the external solution.
- The New Microsoft Sentinel Configuration page appears.
- In the New Microsoft Sentinel Configuration page, enter the following:
  - Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.
  - Workspace ID. The unique identifier for the workspace in Sentinel. The Lucidum data is sent to this workspace.
  - Shared Key. The primary or secondary shared key for the account on Sentinel. This key is generated by Azure.
  - Maximum number of records per Payload. Specify the maximum number of records to send to Sentinel in each payload of the action. In this example, we specified 100 records per execution of the action.
- Save the configuration.
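The page does not say which Azure endpoint the Sentinel channel calls. A Workspace ID paired with an Azure-generated Shared Key is the credential pair of the Log Analytics HTTP Data Collector API, so the following added example (not Lucidum's or Microsoft's code) assumes that API and shows what a sender does with the three configuration values above: it signs every request with an HMAC-SHA256 keyed by the Shared Key, tags the request with the target table name, and splits the query results into payloads no larger than Maximum number of records per Payload. The workspace ID, key and asset records are constructed placeholders, and nothing is transmitted; the function returns the requests it would send.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder values for the example; not real credentials.
# A real Shared Key is the base64 string shown in the Azure portal.
WORKSPACE_ID = "00000000-1111-2222-3333-444444444444"
SHARED_KEY = base64.b64encode(b"constructed-example-key-not-a-real-secret").decode()
TARGET_TABLE = "LucidumAssetDemo"          # the page's example table name
MAX_RECORDS_PER_PAYLOAD = 100              # the page's example setting


def build_authorization(workspace_id, shared_key, rfc1123_date, content_length,
                        method="POST", content_type="application/json",
                        resource="/api/logs"):
    """Return the 'SharedKey <workspace>:<signature>' header value.

    The signed string binds the method, body length, content type, request
    date and resource, so a captured header cannot be reused with a different
    body or on a different day without the Shared Key itself.
    """
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def chunk_records(records, max_per_payload=MAX_RECORDS_PER_PAYLOAD):
    """Split the query results into payloads of at most max_per_payload records."""
    if max_per_payload < 1:
        raise ValueError("max_per_payload must be at least 1")
    return [records[i:i + max_per_payload]
            for i in range(0, len(records), max_per_payload)]


def build_requests(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                   table=TARGET_TABLE, max_per_payload=MAX_RECORDS_PER_PAYLOAD,
                   now=None):
    """Return one (url, headers, body) tuple per payload; nothing is sent."""
    when = now or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"/api/logs?api-version=2016-04-01")
    requests_out = []
    for chunk in chunk_records(records, max_per_payload):
        body = json.dumps(chunk, separators=(",", ":")).encode("utf-8")
        headers = {
            "Content-Type": "application/json",
            "Log-Type": table,                      # target table name
            "x-ms-date": rfc1123_date,
            "Authorization": build_authorization(workspace_id, shared_key,
                                                 rfc1123_date, len(body)),
        }
        requests_out.append((url, headers, body))
    return requests_out


def sample_records(n):
    """Constructed compute-asset records using a few of the page's Output Fields."""
    return [{"Lucidum Asset Name": f"host-{i:04d}", "Data Category": "Compute Asset",
             "Public Facing (yes/no)": "no", "Risk Level": "Low"} for i in range(n)]


if __name__ == "__main__":
    # 250 constructed assets with a 100-record limit produce three payloads.
    for url, headers, body in build_requests(sample_records(250)):
        print(headers["Log-Type"], len(body), "bytes,",
              headers["Authorization"][:40] + "...")
```

Because the Shared Key signs writes to the whole workspace, it should live in a secret store rather than in a script, and the primary/secondary pair exists so one key can be rotated while the other stays in use. If the channel does use this API, custom tables are created with a `_CL` suffix, so a Log-Type of LucidumAssetDemo would be queried as LucidumAssetDemo_CL.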
Defining the Sentinel Action #
To create the action, follow these steps:

- Log in to Lucidum.
- Choose Action Center from the left pane.
- In the Action Center, choose Microsoft Sentinel in the Channels pane.
- To create an action, click the Create a new action button. An action specifies the task to execute, the data to include in the action, and how frequently to execute the action.
- The Create a new action page appears.
- In the Create a new action page, specify the following:
  - Action Type. This field is pre-populated with Send Data.
  - Configuration Name. Select an action configuration from the pulldown options.
  - Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.
  - Description. Description of the action.
  - Filters. For new actions, the Add Filter button leads to the New Query page, where you can query for the assets or user records that you want to send to Sentinel. For existing actions, this field displays the query for this action. The Edit Filter button leads to the New Query page, with the current query already loaded for editing. In this example, we specified that we want to collect data about all compute assets.
  - Schedule Settings. Define the schedule for the action. Choices are setting a Recurrence by date and time or After Data Ingestion, which happens at least once every 24 hours and can also be triggered manually. In this example, we specified run daily at 11:00 AM.
  - Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action. In this example, we did not define a prerequisite.
  - Output Fields. For the records selected with the Filters, specify the columns to include in the payload to send to Sentinel. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button. In this example, we want to send the following data about each compute asset:
    - Data Category
    - Data Sources
    - Email
    - First Time Seen
    - Last Time Seen
    - Lucidum Asset Name
    - Vendor
    - Lucidum OS Category
    - Lucidum OS Version
    - Source Asset Name
    - Location
    - Department
    - Region
    - Cloud Account
    - Instance Type
    - Lucidum Status
    - MAC Vendor
    - Ports
    - Public Facing (yes/no)
    - Country Name
    - Record Generated Time
    - Risk Level
    - OS and Version
    - Running Linux
    - Running MacOS
    - Running Windows
    - Running Other
  - Sentinel Workspace Target Table Name. Name of the table in the Sentinel workspace where you want to store Lucidum data. In this example, the table on Sentinel is LucidumAssetDemo.
  - Dedup previous jobs. In this field, you specify whether to exclude records whose asset ID (if your query is for assets) or user ID (if your query is for users) was already sent in recent executions of the action. You can specify integers between 0 and the number specified in Settings > Data Settings > Action Result Retention in Days, which is the number of days that Lucidum stores action results.
    - If you specify “0” (zero), Lucidum includes all the records from the query in each execution of the action.
    - If you specify “1” (one), Lucidum examines the previous webhook payload and excludes records for asset IDs or user IDs that were sent in the payload of the last execution of the action.
    - If you specify “2” (two), Lucidum examines the last two webhook payloads and excludes records for asset IDs or user IDs that were sent in the payloads from the previous two executions of the action.
- Save the action.
- Lucidum automatically executes the action at the time and recurrence you defined in the action.
- You can execute the action “on demand” by clicking the Send Now button.
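The Dedup previous jobs and Do not trigger the action unless settings above interact in a way that is easy to misjudge, so here is an added simulation of the documented semantics (constructed for this page; not Lucidum's code). It runs the action once per "day" over constructed query results, excludes IDs found in the last N deduplicated payloads, and skips a day when the result count is below the prerequisite. One consequence worth seeing: with the setting at 1, assets that were suppressed on day 2 are sent again on day 3, because only the immediately preceding payload is consulted.

```python
# Added example: simulator for "Dedup previous jobs" and
# "Do not trigger the action unless". Not Lucidum's implementation.


def validate_dedup_setting(dedup_previous_jobs, retention_days):
    """True when the setting is within the documented range: 0 up to the value
    of Settings > Data Settings > Action Result Retention in Days."""
    return 0 <= dedup_previous_jobs <= retention_days


class SentinelActionSimulator:
    def __init__(self, dedup_previous_jobs, retention_days=30, min_results=0):
        if not validate_dedup_setting(dedup_previous_jobs, retention_days):
            raise ValueError("Dedup previous jobs must be between 0 and the retention period")
        self.dedup = dedup_previous_jobs
        self.min_results = min_results      # "Do not trigger the action unless"
        self.sent_history = []              # IDs sent per execution, oldest first

    def run(self, query_results, id_field="asset_id"):
        """Return this execution's payload, or None when the prerequisite on the
        number of Filter results is not met (the action does not trigger)."""
        if len(query_results) < self.min_results:
            return None
        # Only the last N payloads are consulted; with N == 0 nothing is excluded.
        recent = self.sent_history[-self.dedup:] if self.dedup else []
        already_sent = set().union(*recent)
        payload = [r for r in query_results if r[id_field] not in already_sent]
        # What counts as "sent" is the deduplicated payload, not the full query result.
        self.sent_history.append({r[id_field] for r in payload})
        return payload


def asset(i):
    """Constructed compute-asset record with a few of the page's Output Fields."""
    return {"asset_id": f"asset-{i}", "Lucidum Asset Name": f"host-{i}",
            "Data Category": "Compute Asset"}


# Constructed daily query results: assets 1-3 on day 1, asset 4 appears on
# day 2, nothing changes on day 3, asset 5 appears on day 4.
DAILY_RESULTS = [
    [asset(1), asset(2), asset(3)],
    [asset(1), asset(2), asset(3), asset(4)],
    [asset(1), asset(2), asset(3), asset(4)],
    [asset(1), asset(2), asset(3), asset(4), asset(5)],
]


def simulate(dedup_previous_jobs, daily_results=DAILY_RESULTS, **settings):
    """Run the action once per day and return the sorted asset IDs of each
    payload (None for a day on which the action did not trigger)."""
    sim = SentinelActionSimulator(dedup_previous_jobs, **settings)
    outcomes = []
    for results in daily_results:
        payload = sim.run(results)
        outcomes.append(None if payload is None
                        else sorted(r["asset_id"] for r in payload))
    return outcomes


if __name__ == "__main__":
    for dedup in (0, 1, 2):
        print(f"dedup={dedup}:", simulate(dedup))
    print("prerequisite of 4 results, dedup=1:", simulate(1, min_results=4))
```

For a daily action that should report only newly found assets, a setting close to the retention period keeps an asset from reappearing after a quiet day; a setting of 1 only suppresses what went out in the single previous run.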
Viewing the Data in Sentinel #
In Sentinel, the LucidumAssetDemo table looks like this after the action executes:

In Sentinel, we can then create a dashboard from the Lucidum data: