You must have Contributor rights in the Azure portal to install this integration.
This guide provides instructions for installing and configuring the Bitsight–Microsoft (MS) Azure Sentinel integration.
Access to and use of the Bitsight for Microsoft Sentinel Connector is subject to the Bitsight for Microsoft Sentinel Connector Terms of Service (the “Bitsight Terms”) and any other terms of service or use noted herein.
- Installing the Bitsight Integration
- Installing the Data Connector
- Installing Parsers
- Viewing the Bitsight Workbook
- Installing Analytic Rules
Installing the Bitsight Integration
- Log in to the Azure portal and search for Microsoft Sentinel.
- Select your workspace, then open the Content Hub and search for Bitsight.
- Select Bitsight from the results to open a side panel.
- Select Install.
- On the next screen, select Create.
- Select a workspace and resource group, then select Review + create.
- Review your selections, then select Create. This installs the Bitsight integration in your instance of MS Sentinel.
Installing the Data Connector
- Open the Content Hub and search for Bitsight.
- Select Bitsight, then select the Manage button. This opens a list of data connectors, workbooks, playbooks, analytic rules, and parsers included in the connector.
- Select the data connector, then select Open connector page.
- Review the instructions, then select Deploy to Azure. This opens the custom deployment page.
- Fill in the required Project and Instance details. This includes information such as:
  - Resource group
  - Workspace ID
  - Workspace Key
  - Your Bitsight API_token
- Select the Review + create button.
- Select the Create button. Your custom template is now deployed; you can check its status from the Custom deployment page.
Installing Parsers
You must install and save all included parsers. The workbook and analytic rules use parsers to normalize fields; without them, the workbook and analytic rules won’t be able to access the ingested data.
- Select the parser you want to deploy. This opens a side panel.
- Select Load the function code to open the Log Analytics Workspace.
- Save the parser as a function.
- Locate the table name (highlighted below).
- Select the Save dropdown, then select Save as function.
- Enter the function name that corresponds to your current parser’s table name. Table names and function name equivalents are listed below.
- BitSightAlerts Parser → BitSightAlerts
- BitSightBreaches Parser → BitSightBreaches
- BitSightCompanyDetails Parser → BitSightCompanyDetails
- BitSightCompanyRatings Parser → BitSightCompanyRatings
- BitSightDiligenceHistoricalStatistics Parser → BitSightDiligenceHistoricalStatistics
- BitSightDiligenceStatistics Parser → BitSightDiligenceStatistics
- BitSightFindingsData Parser → BitSightFindingsData
- BitSightFindingsSummary Parser → BitSightFindingsSummary
- BitsightGraphData Parser → BitSightGraphData
- BitSightIndustrialStatistics Parser → BitSightIndustrialStatistics
- BitSightObservationStatistics Parser → BitSightObservationStatistics
- BitSightWorkFromHome Parser → BitSightWorkFromHome
- Enter a legacy category. You may enter whatever you choose as a legacy category, but the field must not be empty.
- Select the Save button.
- Repeat this process for all parsers.
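To confirm that every parser was saved under the function name the workbook and analytic rules expect, the following KQL can be run in the workspace's Logs view. It is an added example, not part of the Bitsight solution, and assumes only the function names listed above; `union isfuzzy=true` skips any function that does not exist, so an unsaved or misnamed parser is reported as missing.

```kusto
// Added verification query (not shipped with the Bitsight solution).
// Function names are the ones listed in the parser table above.
let expected = datatable(Parser:string) [
    "BitSightAlerts", "BitSightBreaches", "BitSightCompanyDetails",
    "BitSightCompanyRatings", "BitSightDiligenceHistoricalStatistics",
    "BitSightDiligenceStatistics", "BitSightFindingsData",
    "BitSightFindingsSummary", "BitSightGraphData",
    "BitSightIndustrialStatistics", "BitSightObservationStatistics",
    "BitSightWorkFromHome"
];
// isfuzzy=true drops legs whose function cannot be resolved instead of failing.
// The empty datatable leg guarantees one resolvable leg and a fixed schema.
let present = union isfuzzy=true
    (datatable(Count:long, Parser:string) []),
    (BitSightAlerts | count | extend Parser = "BitSightAlerts"),
    (BitSightBreaches | count | extend Parser = "BitSightBreaches"),
    (BitSightCompanyDetails | count | extend Parser = "BitSightCompanyDetails"),
    (BitSightCompanyRatings | count | extend Parser = "BitSightCompanyRatings"),
    (BitSightDiligenceHistoricalStatistics | count | extend Parser = "BitSightDiligenceHistoricalStatistics"),
    (BitSightDiligenceStatistics | count | extend Parser = "BitSightDiligenceStatistics"),
    (BitSightFindingsData | count | extend Parser = "BitSightFindingsData"),
    (BitSightFindingsSummary | count | extend Parser = "BitSightFindingsSummary"),
    (BitSightGraphData | count | extend Parser = "BitSightGraphData"),
    (BitSightIndustrialStatistics | count | extend Parser = "BitSightIndustrialStatistics"),
    (BitSightObservationStatistics | count | extend Parser = "BitSightObservationStatistics"),
    (BitSightWorkFromHome | count | extend Parser = "BitSightWorkFromHome");
expected
| join kind=leftouter present on Parser
| project Parser,
          Rows = Count,
          // A null count means the leg was skipped: the function is not saved.
          Status = case(isnull(Count), "function missing",
                        Count == 0,    "saved, no rows in selected time range",
                                       "ok")
| order by Status asc, Parser asc
```

A parser reported as "saved, no rows" may only reflect the time range selected in the query window or a data connector that has not yet ingested data for that table.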
Viewing the Bitsight Workbook
Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal.
- Open Microsoft Sentinel.
- Open the Workspace where the Bitsight solution is installed.
- In the Threat Management section, select Workbooks.
- Select the Templates tab.
- Select the Bitsight Workbook. This opens a side panel.
- Scroll to the bottom of the side panel and select View Template.
Installing Analytic Rules
The Bitsight connector includes ten analytic rules users can install to:
- Search for specific events or sets of events across your environment.
- Alert you when certain event thresholds or conditions are reached.
- Generate incidents in Sentinel.
The Bitsight connector includes the following analytic rules that can be installed:
- Alert when there is a drop of 10% or more.
- Alert when there is a new alert from Bitsight.
- Alert whenever there is a Compromised Systems finding in Bitsight.
- Alert whenever there is a Diligence finding in Bitsight.
- Alert whenever there is a drop in the headline rating.
- Alerts for a new breach.
- Alerts when there are new Bad Open Ports discovered.
- Alerts when there are new Botnet Infections.
- Alerts when there is a new finding for Patching Cadence.
You must install at least one analytic rule for the Bitsight solution to function.
- Open the Content Hub and search for Bitsight.
- Select Bitsight, then select the Manage button.
- Select the rule you want to deploy, then select the Configuration button.
- On the next screen, select the Rule templates tab.
- Select the rule you want to deploy, then select Create rule.