Many organizations use Slack and Microsoft Teams for collaboration across teams, departments and offices. Security teams at these organizations can use Azure Sentinel to monitor Slack activity and detect threats in it.
What it does
One of the great features of Azure Sentinel is its ability to ingest and analyze data from any source, not just from Microsoft products. Our project is an end-to-end solution that lets enterprises that use Slack onboard it to Azure Sentinel.
Our project is made up of:
- Log Agent
- Azure Sentinel Detections and Hunting Queries
The Log Agent collects logs from Slack and ingests them into an Azure Sentinel Log Analytics workspace. The setup script deploys the Log Agent as a cron job that runs at an interval defined by the user. You can also run the Log Agent on an Azure VM. On a Windows machine, run 'setup.py' as a scheduled task instead.
Once the data is available in the Azure Sentinel Log Analytics workspace, security analysts at companies that use Slack can use the Detections and Hunting Queries to monitor Slack activity.
How we built it
The Log Agent is written in Python. Azure Sentinel hosts the Detections and Hunting Queries, which are written in KQL.
Challenges we ran into
Building the log agent using the Slack API was challenging, since not all APIs are available on the free tier. Since this was our first cybersecurity project, it was initially difficult to visualize our product.
Accomplishments that we are proud of
We were able to use Azure Sentinel to show that it can monitor even products that are not created by Microsoft.
What we learnt
Learning about all the features of Azure Sentinel made me more interested in exploring the field of cybersecurity.
Steps to Secure Slack with Azure Sentinel:
Step 1: Create a Slack API token for log collection. Refer to the Readme file in our GitHub repository for detailed steps. Grant the token only the scopes the log-collection calls need, and treat it as a secret: it must not be committed to version control.
Step 2: Create an Azure Sentinel workspace and get its credentials (AZURE_LOG_ANALYTICS_WORKSPACE_ID and AZURE_CLIENT_AUTHENTICATION_KEY), i.e. the workspace ID and the workspace key that authorizes log ingestion. The key is as sensitive as a password: anyone holding it can write arbitrary records into your workspace.
Step 3: Clone the 'SecureSlackWithAzureSentinel' repository using the following git command:
git clone https://github.com/msvdpriya/SecureSlackWithAzureSentinel.git
Step 4: Configure the credentials you obtained in Step 1 and Step 2 in the Log Agent's setup.py file. Edit the following variables in the file and set the credentials as their values:
Step 5: Run setup.py (this step sets up the Log Agent).
NOTE: Python and pip3 are prerequisites for running setup.py. All other requirements are downloaded when you run setup.py.
This step also configures a crontab entry on your machine that runs the app.py script (the Log Agent) periodically to fetch logs from the Slack API and upload them to the Azure Sentinel Log Analytics workspace. On a Windows machine, run 'setup.py' as a scheduled task instead.
Step 6: Verify that the logs are being pushed to the Azure Sentinel Log Analytics workspace: open Logs in the workspace and query the custom table the agent writes to (custom tables created by API ingestion carry a _CL suffix). If nothing arrives, check the cron job's output first, then the workspace ID and key, since a rejected signature produces no records rather than a visible error in the portal.
Step 7: Use the KQL queries in the detections and hunting folders of the project to detect and hunt for cybersecurity threats in Azure Sentinel.
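The following is an added, self-contained Python sketch of what a log agent in this pipeline has to do (it is an illustration, not the project's own app.py). It assumes the agent reads a Slack Web API method such as team.accessLogs, normalizes each record with an ISO-8601 EventTime, and pushes it to the workspace through the Log Analytics HTTP Data Collector API, which authenticates each POST with an HMAC-SHA256 signature over the request's method, length, content type, date and path using the workspace key. The Slack method name, the record fields, the sample response and all credential values are placeholders chosen for the example; a local stand-in for one hunting query (a user seen from more than one country) is included so you can sanity-check the data shape before writing KQL against the _CL table.

```python
"""Minimal Slack -> Log Analytics agent (added example, not the project's app.py).

Exercises the two APIs the steps above depend on: the Slack Web API for
collection and the Log Analytics HTTP Data Collector API for ingestion.
The Slack method/fields and every credential below are assumptions.
"""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Placeholders for the values set in setup.py (Step 4); none of these are real.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"   # AZURE_LOG_ANALYTICS_WORKSPACE_ID
SHARED_KEY = base64.b64encode(b"0" * 32).decode()       # AZURE_CLIENT_AUTHENTICATION_KEY
SLACK_TOKEN = "xoxp-placeholder"                        # token created in Step 1
LOG_TYPE = "SlackAccessLogs"                            # table shows up as SlackAccessLogs_CL

# Constructed response in the shape of Slack's team.accessLogs (assumed method and fields).
SAMPLE_SLACK_PAGE = json.dumps({"ok": True, "paging": {"page": 1, "pages": 1}, "logins": [
    {"user_id": "U012ABCDEF", "username": "alice", "date_last": 1700000000,
     "ip": "203.0.113.7", "country": "US", "user_agent": "Mozilla/5.0"},
    {"user_id": "U012ABCDEF", "username": "alice", "date_last": 1699999900,
     "ip": "198.51.100.9", "country": "DE", "user_agent": "Mozilla/5.0"},
]})

def slack_request(method, params, token=SLACK_TOKEN):
    """Build (not send) a Slack Web API GET authenticated with a Bearer token."""
    url = f"https://slack.com/api/{method}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def parse_slack_page(body, records_key):
    """Return (records, has_more); fail loudly on ok:false instead of silently sending nothing."""
    data = json.loads(body)
    if not data.get("ok"):
        # e.g. "missing_scope", "not_authed", or "paid_only" for methods outside the free tier
        raise RuntimeError(f"Slack API error: {data.get('error', 'unknown')}")
    paging = data.get("paging", {})
    return data.get(records_key, []), paging.get("page", 1) < paging.get("pages", 1)

def normalize(records, time_field="date_last"):
    """Copy each record and add an ISO-8601 EventTime so Sentinel can use it as TimeGenerated."""
    out = []
    for rec in records:
        rec = dict(rec)
        if rec.get(time_field) is not None:
            ts = datetime.fromtimestamp(int(rec[time_field]), timezone.utc)
            rec["EventTime"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        out.append(rec)
    return out

def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API expects to be HMAC-SHA256 signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"

def authorization_header(workspace_id, shared_key, content_length, rfc1123_date):
    """'SharedKey <id>:<base64(HMAC-SHA256(base64decode(key), string_to_sign))>'."""
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(base64.b64decode(shared_key), msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_ingest_request(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                         log_type=LOG_TYPE, rfc1123_date=None):
    """Return url/headers/body for one POST; the x-ms-date header must equal the signed date."""
    body = json.dumps(records).encode("utf-8")
    rfc1123_date = rfc1123_date or datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": rfc1123_date,
               "time-generated-field": "EventTime",
               "Authorization": authorization_header(workspace_id, shared_key, len(body), rfc1123_date)}
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return {"url": url, "headers": headers, "body": body}

def send(req):
    """POST to the workspace; 200 = accepted, 403 usually = wrong key or clock skew."""
    http = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(http, timeout=30) as resp:
        return resp.status

def users_with_multiple_countries(records):
    """Local stand-in for a hunting query: users seen from more than one country."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["user_id"], set()).add(rec["country"])
    return sorted(u for u, c in seen.items() if len(c) > 1)

if __name__ == "__main__":  # offline dry run; call send(req) to actually upload
    logins, _ = parse_slack_page(SAMPLE_SLACK_PAGE, "logins")
    req = build_ingest_request(normalize(logins))
    print(req["headers"]["Authorization"], users_with_multiple_countries(logins))
```

Two details matter in practice: the Data Collector API rejects the request with 403 if the x-ms-date header differs from the date that was signed or the sender's clock drifts too far, so always sign and send the same string; and the agent raises on a Slack ok:false reply rather than uploading an empty batch, which is what makes a revoked token or a free-tier restriction visible in the cron log at Step 6.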