How we built it
In short, we developed the data connectors using Python and JSON, ingested the audit logs from Wrike, and normalized the log table with a parser we wrote in KQL. Using these datasets, we developed our own analytic rules and hunting queries, as well as workbooks for visualizing the data and playbooks for automating the response to potential threats.
Challenges we ran into
These were a few of the significant challenges we ran into:
- While writing hunting queries, we faced an issue with joining tables in KQL and comparing columns to detect lateral movement of malicious files.
- While accessing the resource group to fetch data for the function app that ingests data into Azure Monitor.
- While designing the playbook, we ran into multiple issues with the O365 connector and while creating an incident table using HTML5.
- While templating the playbook, we had issues deploying it using ARM.
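As an added illustration of the join-and-compare pattern behind the first challenge (an example query written for this page, not part of the project's own content), the KQL below builds a small constructed table of normalized Wrike audit events and flags a file that has moved out of the folder where it was first seen into two or more other folders; the table name, column names and event names are assumptions, not Wrike's schema.

```kusto
// Constructed sample of a normalized Wrike audit table. The _CL table name,
// the columns and the EventType values are assumptions made for this example.
let WrikeAudit_CL = datatable(
    TimeGenerated:datetime, EventType:string, Actor:string,
    FileName:string, FileId:string, Location:string)
[
    datetime(2021-06-01T09:00:00Z), "FileUploaded", "alice@example.com", "invoice.xlsm", "f-100", "Finance",
    datetime(2021-06-01T09:05:00Z), "FileMoved",    "alice@example.com", "invoice.xlsm", "f-100", "Engineering",
    datetime(2021-06-01T09:20:00Z), "FileMoved",    "bob@example.com",   "invoice.xlsm", "f-100", "HR",
    datetime(2021-06-01T10:00:00Z), "FileUploaded", "carol@example.com", "notes.txt",    "f-200", "Finance"
];
// Step 1: for every file, record where it was first seen (its origin folder).
let FirstSeen = WrikeAudit_CL
    | summarize arg_min(TimeGenerated, Location) by FileId
    | project FileId, FirstSeenTime = TimeGenerated, OriginLocation = Location;
// Step 2: join the move events back onto the origin row on the shared FileId,
// then compare the two Location columns to keep only moves that left the origin.
WrikeAudit_CL
| where EventType == "FileMoved"
| join kind=inner FirstSeen on FileId
| where Location != OriginLocation
| summarize
    MoveCount = dcount(Location),          // distinct destination folders
    Destinations = make_set(Location),
    Actors = make_set(Actor),              // who moved it; two actors is worth a look
    LastMove = max(TimeGenerated)
    by FileId, FileName, OriginLocation
// Step 3: a file that landed in two or more other folders is a hunting lead.
| where MoveCount >= 2
```

On the constructed rows only `invoice.xlsm` (f-100) is returned, with `Finance` as its origin and `Engineering` and `HR` as destinations; an analyst would then pivot on the actors and timestamps in the raw table.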
Accomplishments that we're proud of
- Our solution is very comprehensive and provides content for almost all scenarios that may arise in a Wrike environment.
- Our hunting queries give a holistic view for proactive hunting.
- We have provided a manual deployment method for our Data Connector that is very simple to use and maintain.
What we learned
Even though it was time-consuming and we had to troubleshoot frequently, we learned a great deal about Azure and its services, along with the security features of Sentinel, which is a relatively new SIEM and SOAR solution. We also got to experience the development of an end-to-end product, and the extensive documentation and information we had to go through gave us a great deal of insight into cloud-based security.
What's next for Secure_WRIKE_using_AZURE_SENTINEL
Our product, like all others, is open to further improvements covering rare scenarios that may arise later, along with patching of bugs, if any. We also plan to include more advanced hunting queries and to provide a Wrike connector for Microsoft Azure Playbooks, so that users can communicate directly with the Wrike API from within Azure Logic Apps.