Actions for Microsoft Sentinel #
- Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.
Use Cases #
Below are the possible use cases for the Send Data action:
- If you want to run Lucidum "headless" (without analysts working in the Lucidum UI), you can send relevant data to Microsoft Sentinel on a regular schedule and work with it there.
- You can send data to Microsoft Sentinel so that Sentinel playbooks can act on it for remediation.
Prerequisites #
To configure an action for Microsoft Sentinel, you must first collect the following information:
- Workspace ID
- Primary Key
- Secondary Key
To do this:
- Log in to the Azure Portal.
- Navigate to the Log Analytics workspace (also called the Microsoft Sentinel workspace) where you store logs for Microsoft Sentinel. For more details, see https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview
- Go to Settings > Agents.
- Copy the Workspace ID, Primary Key, and Secondary Key.
The primary and secondary keys are shared secrets that allow anyone holding them to write data into the workspace. Store them in a secrets manager rather than in notes or tickets, and only one of the two keys is needed per configuration: keeping the other unused lets you rotate keys by switching the configuration to the second key before regenerating the first.
Workflows #
- Creating a new Configuration and a new Action
- Cloning an Existing Action
- Creating a new Action from the Location Results page
- Editing a Configuration
- Editing an Action
- Viewing Information about an Action
Microsoft Sentinel Configuration #
- Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.
- Workspace ID. The unique identifier (a GUID) for the Log Analytics workspace used by Sentinel. The Lucidum data is sent to this workspace.
- Shared Key. The primary or secondary shared key for that workspace. This key is generated by Azure; either key is accepted, and whichever one you enter here is the one you must keep valid when rotating keys.
- Maximum number of records per Payload. Specify the number of records to send to Sentinel in each request. Large result sets are split into several payloads of at most this size, so keep this value low enough that one payload stays well within the size the workspace ingestion endpoint accepts per post.
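The prerequisites above (Workspace ID plus one shared key) and the configuration fields (shared key, maximum records per payload) are the inputs of the Log Analytics HTTP Data Collector API, which is how a client with those credentials writes records into a Sentinel workspace. The following is an added example of that client side, not code from Lucidum or from Microsoft: it batches records according to a maximum-per-payload setting, signs each request with HMAC-SHA256 over the request line using the base64-decoded shared key, and returns the prepared requests. The workspace ID, shared key, log type, record contents and the `post` callback are all constructed for the example; by default nothing is transmitted.

```python
import base64
import datetime
import hashlib
import hmac
import json
import re

# Constructed sample credentials for the example only (not a real workspace or key).
WORKSPACE_ID = "12345678-abcd-4321-9876-0123456789ab"
SHARED_KEY = base64.b64encode(b"example-shared-key-bytes-for-demo-only!!").decode()
# Custom log type; Log Analytics stores it as the table <LOG_TYPE>_CL.
LOG_TYPE = "LucidumAssets"
API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
# Log-Type may contain only letters, digits and underscore, at most 100 characters.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource=RESOURCE):
    """Return the Authorization header value for one request.

    The string to sign is the HTTP verb, body length, content type, the
    x-ms-date header and the resource path joined by newlines. The HMAC key is
    the base64-decoded shared key, and the result is base64-encoded and
    prefixed with the workspace ID."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def chunk_records(records, max_per_payload):
    """Yield lists of at most max_per_payload records, preserving order."""
    if max_per_payload < 1:
        raise ValueError("max_per_payload must be at least 1")
    batch = []
    for record in records:
        batch.append(record)
        if len(batch) == max_per_payload:
            yield batch
            batch = []
    if batch:
        yield batch


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Return (url, headers, body) for one payload of records."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid Log-Type: {log_type!r}")
    if rfc1123_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    # Compact JSON: the signature covers the exact byte length of the body.
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def send_all(records, max_per_payload, post=None, workspace_id=WORKSPACE_ID,
             shared_key=SHARED_KEY, log_type=LOG_TYPE):
    """Split records into payloads, sign each one and hand it to `post`.

    `post(url, headers, body)` is a hypothetical transport callback; when it is
    None the prepared requests are returned instead of being sent."""
    prepared = []
    for batch in chunk_records(records, max_per_payload):
        req = build_request(workspace_id, shared_key, log_type, batch)
        prepared.append(req)
        if post is not None:
            post(*req)
    return prepared


if __name__ == "__main__":
    # Constructed sample records standing in for a Lucidum result set.
    sample = [{"id": n, "hostname": f"host-{n}", "os": "linux"} for n in range(7)]
    for url, headers, body in send_all(sample, max_per_payload=3):
        print(url, headers["Log-Type"], len(body), "bytes")
```

The x-ms-date header is part of the signed string, so a clock that is far off UTC produces requests the service rejects as stale; a receiver that can replay a captured request within that window has the same write capability as the key holder, which is one more reason to transport only over TLS and to keep the shared key out of logs.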
Create or Edit an Action #
To create an action for Microsoft Sentinel:
- In the Create a New Action page, in the General step, enter:
  - Action Type. Select an action from the pulldown options.
  - Configuration Name. Select an action configuration from the pulldown options.
  - Action Name. Identifier for the action. This name will appear in the Luci