Sample Microsoft Defender and Sentinel Integration

In this sample integration, the customer connected their Microsoft system with the Arctic Wolf ticketing system.

This customer uses Microsoft Defender and Microsoft Sentinel. Their automation creates Microsoft Defender and Microsoft Sentinel alerts automatically. When the Microsoft incident closes, the Arctic Wolf ticket automatically closes. They tested this configuration in the Microsoft Sentinel workspace.

Tools used

  • Microsoft Defender — Security suite containing many tools
  • Microsoft Sentinel — Security Information and Event Management (SIEM) tool
  • Azure Logic Apps — Automation tool

Automation workflow for creating alerts in a Microsoft environment

  1. The REST API Poller runs on a scheduled basis to poll the Ticket API.

    You can customize the frequency in the package before deployment using the queryWindowInMin value. Queries are automatically windowed based on query time using the updatedAfter field.

  2. Data Collection Rules control the incoming and outgoing data stream.

    These rules extend the updatedAt value in Arctic Wolf tickets to the TimeGenerated field in Microsoft alerts. These rules can also filter incoming records as needed.

  3. Data is written to a custom table of Arctic Wolf tickets.
  4. The Microsoft Sentinel analytic rule queries the custom table of Arctic Wolf tickets and generates the Microsoft Defender or Microsoft Sentinel alert.

Workflow of the Microsoft ticket creation automation.
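As an added illustration of step 2 (not the customer's own rule), this is the kind of transformation a Data Collection Rule can carry in its transformKql property to push the ticket's updatedAt value into TimeGenerated and drop malformed rows before they reach the custom table. It assumes the poller delivers one JSON record per ticket with an updatedAt field; any other column names are assumptions.

```kusto
// Added example of a Data Collection Rule transformation, not the customer's rule.
// In a DCR this query is supplied as the string value of transformKql; `source`
// refers to the incoming stream from the REST API Poller.
source
// Carry the ticket's last-update time into the TimeGenerated column that
// Sentinel uses for time windowing (updatedAt is the Ticket API field; its
// type as delivered is assumed to be a string, hence the conversion).
| extend TimeGenerated = todatetime(updatedAt)
// Filter incoming records: discard rows whose timestamp did not parse, since
// they would otherwise land in the table with an empty TimeGenerated.
| where isnotempty(TimeGenerated)
```

Because the analytic rule later windows on TimeGenerated, a record that falls through with an empty or far-past timestamp is the easiest way to lose a ticket silently, so the filter is worth keeping even if you add no other conditions.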

Microsoft Sentinel analytic rule

The customer wrote a custom near-real-time (NRT) rule that performs these steps:
  1. Prefix all alerts with AW for source transparency.
  2. Filter out events with a Closed or Solved status.
  3. Create a field called URL which maps to the Alert Details AlertLink parameter.

    This creates a clickable link directly to the ticket in the Arctic Wolf Unified Portal, which is accessible through the Tickets and Alerts page. For more information, see Tickets and Alerts. You must update the provided alert query with your Arctic Wolf Organization ID: search the query for the line beginning extend URL = strcat and insert your Organization ID there.

  4. Map the Ticket API status field values to the Unified Portal values. For more information, see Ticket status mapping.
  5. Extract the Arctic Wolf severity to a custom field, and then map it to the Alert Details Severity parameter.
  6. Add a custom field that indicates the detection source is Arctic Wolf.
  7. Query the SecurityAlert table based on the custom detection source and source ID fields, and then filter the creation of new alerts.

    Arctic Wolf tickets are sometimes created and updated faster than Microsoft Sentinel can write the data, which creates a race condition that can result in duplicate alerts. This step reduces the odds of that occurring but does not eliminate it. The customer favors reducing delays over potential duplicate alerts and plans to add additional rules to further reduce instances of duplicate alerts.

For a sample analytic rule, see sample_sentinel_analytic_rule.txt.zip.
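The following KQL is an added example that walks through the seven steps above in one query; it is not the customer's rule from sample_sentinel_analytic_rule.txt.zip. It assumes a custom table named ArcticWolfTickets_CL with columns id, title, status, severity and updatedAt (all assumed names), uses placeholders for the Organization ID and the Unified Portal URL path, and assumes a status-to-portal mapping and a severity mapping that you would replace with the real Ticket status mapping. In the rule's alert details, AlertTitle would be wired to the Alert Name Format, AlertSeverity to Severity, URL to AlertLink, and DetectionSource and SourceId would be exposed as custom details.

```kusto
// Added example of an NRT analytic rule, not the customer's own query.
// Table and column names below are assumptions; replace the placeholders.
let awOrgId = "<YOUR_ARCTIC_WOLF_ORG_ID>";     // placeholder: your Organization ID
let lookback = 1h;                               // assumed; align with queryWindowInMin
ArcticWolfTickets_CL
| where TimeGenerated > ago(lookback)
// Step 2: drop tickets already Closed or Solved on the Arctic Wolf side
| where status !in~ ("Closed", "Solved")
// Step 4: map Ticket API status values to Unified Portal wording (assumed mapping)
| extend PortalStatus = case(
      status =~ "New",         "Open",
      status =~ "In Progress", "In Progress",
      status)
// Step 5: extract the Arctic Wolf severity and map it onto Sentinel's Severity values
| extend AlertSeverity = case(
      severity =~ "Critical", "High",
      severity =~ "High",     "High",
      severity =~ "Medium",   "Medium",
      severity =~ "Low",      "Low",
      "Informational")
// Step 3: build the clickable portal link; host and path are placeholders
| extend URL = strcat("https://<unified-portal-host>/", awOrgId, "/tickets/", tostring(id))
// Step 6: tag the detection source and carry the ticket id for de-duplication
| extend DetectionSource = "Arctic Wolf", SourceId = tostring(id)
// Step 1: prefix the alert name so the origin is obvious in the incident list
| extend AlertTitle = strcat("AW ", title)
// Step 7: suppress tickets that already produced a SecurityAlert. Custom details
// are read back out of ExtendedProperties["Custom Details"] (assumed layout: a
// JSON string whose values are arrays).
| join kind=leftanti (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | extend CD = parse_json(tostring(parse_json(ExtendedProperties)["Custom Details"]))
    | where tostring(CD.DetectionSource[0]) == "Arctic Wolf"
    | project SourceId = tostring(CD.SourceId[0])
  ) on SourceId
| project TimeGenerated, AlertTitle, AlertSeverity, URL, PortalStatus,
          DetectionSource, SourceId
```

The anti-join is what narrows the race window described in step 7: a ticket that Sentinel has already turned into an alert is filtered out before the rule fires again, but a ticket updated between two NRT runs can still slip through, which is why the customer expects to layer further rules on top rather than rely on this one alone. When testing, run the query in the workspace with lookback widened to a few hours so that you can see the mapped rows before attaching them to a rule.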

Automation for closing Arctic Wolf tickets

The customer also created an automation that closes the Arctic Wolf ticket when the Microsoft Defender or Microsoft Sentinel incident is closed. Microsoft Sentinel sometimes attempts to close the Arctic Wolf alert twice, but this doesn't have an impact on the result.

Deploy the ticket closure automation

  1. Create a Microsoft Sentinel automation rule.
    For example:

    Sample automation rule in Microsoft Sentinel

  2. Create workflows in the Azure Logic Apps.
    For example:

    Sample workflow in Azure Logic Apps

    Sample condition configuration in Azure Logic Apps