Rumble Network Discovery solution for Microsoft Sentinel

The Rumble Network Discovery solution for Microsoft Sentinel is a network domain solution that enables organizations to enrich their hunting queries with a daily export of asset information, as well as receive alerts when new assets are discovered on the network or high value assets are modified.

Inspiration

My main inspiration for the project was to develop a network domain solution that adds meaningful value to a security team during an incident using information that isn't readily available from other solutions.

For example, consider a scenario in which a hidden Linux device was found connected to the network, and we suspect it was implanted by a malicious adversary. As a security analyst, I might have the following questions:

  • When exactly was the Linux dropbox first connected to the network?
  • How many assets in my environment have administrative interfaces open to the network (e.g. web interfaces, RDP or SSH ports, etc.) that may be abused by the attacker for lateral movement?
  • What assets in my environment have uncommon TCP/UDP ports exposed that may indicate suspicious activity worthy of investigation?
  • Were any high value assets modified at the network level (e.g. new remote services exposed) following the breach?

Answering these questions with EDR telemetry or firewall logs alone can be cumbersome, complicated and time-consuming, but it becomes trivial with the Rumble Network Discovery solution for Microsoft Sentinel.

What it does

Put simply, the solution queries the Rumble Organization API and retrieves a daily inventory of all assets discovered by the platform. This asset information is sent to Microsoft Sentinel where it can be used to enrich hunting queries with contextual network information and provide insights. It also acts as a webhook to receive alerts from the Rumble console when new or changed assets are discovered on the network, which in turn generates alerts/incidents in Microsoft Sentinel for security analysts to investigate in a single pane of glass.

How it works

The Rumble Network Discovery solution consists of the following resources:

Note: the deployment template for this solution was developed entirely using Bicep, so you can re-use the resource declarations and other components of this project as a reference for your own Microsoft Sentinel solutions in the future.

  • Data Connector, to ingest data into Microsoft Sentinel using the Log Analytics Data Collector API:
    • An Azure Functions app using the PowerShell 7.0 runtime, including:
      • A function with a timer trigger to fetch a daily export of asset information from the Rumble Organization API (ingested into the RumbleAssets_CL table)
      • A function with an HTTP trigger to capture alerts for new and modified assets from the Rumble console (ingested into the RumbleAlerts_CL table).
    • A Key Vault, to securely store and retrieve secrets such as the Rumble Organization API key and Log Analytics workspace key. The Azure Functions app uses a system assigned managed identity to retrieve secrets using role-based access control rather than access policies.
    • A Microsoft Sentinel data connector GUI, to monitor the connectivity status of the solution.
  • Parsers, to filter and manipulate the raw data received from the Rumble API and rules engine (named RumbleAssets and RumbleAlerts respectively).
  • Workbook, to monitor and provide insights into the Rumble asset information, such as:
    • Most seen asset types, operating systems and hardware
    • Most seen TCP/UDP ports, protocols and products
    • An easily-searchable export of the Rumble asset information
  • Hunting Queries, to investigate the environment:
    • List all assets with exposed web interfaces using HTTP/S
    • List all Windows assets that have not sent security event logs to Microsoft Sentinel in the last week
    • Summarize all assets by exposed TCP/UDP ports
  • Watchlist, containing a list of high value assets that should be monitored for unauthorized network changes.
  • Analytic Rules, to alert security analysts when:
    • New assets are discovered on the network
    • High value assets have been modified at the network level (e.g. newly exposed services) using the aforementioned watchlist.
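The two Azure Functions in the data connector above can be sketched in PowerShell 7 as follows. This is an added example, not the project's own code: the Rumble export URL, the chunk size, the record layout for RumbleAlerts_CL and the environment variable names are assumptions, and the secrets are expected to reach the function as app settings populated from Key Vault (Key Vault references resolved by the Functions host using the app's system-assigned managed identity). The SharedKey signature and the `ods.opinsights.azure.com` endpoint are those documented for the Log Analytics Data Collector API.

```powershell
#requires -Version 7.0
# Added example for the Rumble data connector (not the project's code).
# Secrets come from app settings populated via Key Vault references (assumed).

# --- Log Analytics Data Collector API --------------------------------------

# SharedKey signature: HMAC-SHA256 over
# "POST\n<length>\napplication/json\nx-ms-date:<date>\n/api/logs",
# keyed with the base64-decoded workspace key.
function Get-SharedKeySignature {
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$Rfc1123Date, [int]$ContentLength)
    $stringToHash = "POST`n$ContentLength`napplication/json`nx-ms-date:$Rfc1123Date`n/api/logs"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($WorkspaceKey))
    try   { $hash = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToHash)) }
    finally { $hmac.Dispose() }
    return 'SharedKey {0}:{1}' -f $WorkspaceId, [Convert]::ToBase64String($hash)
}

# POST one JSON array of records into the custom table "<LogType>_CL".
function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$LogType, [object[]]$Records)
    $body = [Text.Encoding]::UTF8.GetBytes(($Records | ConvertTo-Json -Depth 10 -AsArray -Compress))
    $date = [DateTime]::UtcNow.ToString('r')   # RFC 1123, must match the x-ms-date header
    $auth = Get-SharedKeySignature -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey `
                                   -Rfc1123Date $date -ContentLength $body.Length
    $headers = @{ 'Authorization' = $auth; 'Log-Type' = $LogType; 'x-ms-date' = $date }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $null = Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body
}

# --- Timer-triggered function: daily asset export ---------------------------

# Fetch the full asset export and ingest it in chunks: a single Data Collector
# POST is limited to 30 MB, and a large network export can exceed that.
function Invoke-RumbleAssetExport {
    param(
        [string]$RumbleApiKey, [string]$WorkspaceId, [string]$WorkspaceKey,
        [string]$ExportUri = 'https://console.rumble.run/api/v1.0/export/org/assets.json',  # assumed endpoint
        [int]$ChunkSize = 500                                                              # assumed batch size
    )
    $assets = @(Invoke-RestMethod -Uri $ExportUri -Headers @{ Authorization = "Bearer $RumbleApiKey" })
    for ($i = 0; $i -lt $assets.Count; $i += $ChunkSize) {
        $last  = [Math]::Min($i + $ChunkSize, $assets.Count) - 1
        Send-LogAnalyticsData -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey `
                              -LogType 'RumbleAssets' -Records $assets[$i..$last]
    }
    return $assets.Count
}

# --- HTTP-triggered function: webhook for Rumble rule alerts ----------------

# Each alert the Rumble rules engine POSTs is stored as one RumbleAlerts_CL
# record, with the raw alert kept as a JSON string for the RumbleAlerts parser
# to expand. The route should require a function key, carried in the webhook URL.
function Receive-RumbleAlert {
    param($Request, [string]$WorkspaceId, [string]$WorkspaceKey)
    if (-not $Request.Body) {
        return [HttpResponseContext]@{ StatusCode = [System.Net.HttpStatusCode]::BadRequest; Body = 'empty body' }
    }
    $record = [pscustomobject]@{
        ReceivedAt = [DateTime]::UtcNow.ToString('o')
        Alert      = ($Request.Body | ConvertTo-Json -Depth 10 -Compress)
    }
    Send-LogAnalyticsData -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey -LogType 'RumbleAlerts' -Records @($record)
    return [HttpResponseContext]@{ StatusCode = [System.Net.HttpStatusCode]::OK }
}

# Wiring in each function's run.ps1 (assumed app setting names):
#   param($Timer)
#   Invoke-RumbleAssetExport -RumbleApiKey $env:RumbleApiKey -WorkspaceId $env:WorkspaceId -WorkspaceKey $env:WorkspaceKey
# and
#   param($Request, $TriggerMetadata)
#   Push-OutputBinding -Name Response -Value (Receive-RumbleAlert -Request $Request -WorkspaceId $env:WorkspaceId -WorkspaceKey $env:WorkspaceKey)
```

Two points worth noting for anyone reusing this shape: the `x-ms-date` value used in the signature must be byte-identical to the header sent, so it is computed once and reused; and keeping the workspace key and Rumble API key out of code (here via app settings backed by Key Vault, as the solution above does with its managed identity) means rotating either secret never requires a redeploy of the function.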

Challenges I faced

My biggest challenge was in attempting to use the Codeless Connector Platform (currently in preview) to retrieve asset information from the Rumble Organization API, rather than use Azure Functions for the task. While I was able to create a working connector and successfully deploy it using Bicep, I couldn't figure out how to lengthen the polling window so the connector would query the API daily despite the documentation indicating it should be possible. Eventually I chalked it up to a bug and settled for using an Azure Functions app, since otherwise I was going to need to create a Logic App to act as the webhook to receive the Rumble alerts anyway.

What I learned

My biggest takeaway from the project was that Bicep is incredibly powerful and makes deploying Infrastructure as Code a breeze compared to ARM templates, which are hard to read and much more cumbersome to author. I also learned how to develop an end-to-end solution for Microsoft Sentinel from scratch and leverage cloud-native technologies such as Azure Functions.

Built With

  • azure-functions
  • bicep
  • kql
  • microsoft-sentinel
  • powershell