Derdack SIGNL4




Attribute                    Value
Connector ID                 DerdackSIGNL4
Publisher                    Derdack
Used in Solutions            SIGNL4
Collection Method            REST Pull API
Connector Definition Files   DerdackSIGNL4.json
Ingestion API                HTTP Data Collector API (the connector definition requires the workspace key; SharedKey authentication pattern)
Custom Log V1 Tables         Yes 🔶 (ingests into tables with type-suffixed columns)

When critical systems fail or security incidents happen, SIGNL4 bridges the ‘last mile’ to your staff, engineers, IT admins and workers in the field. It adds real-time mobile alerting to your services, systems, and processes in no time. SIGNL4 notifies through persistent mobile push, SMS text and voice calls with acknowledgement, tracking and escalation. Integrated duty and shift scheduling ensure the right people are alerted at the right time.


Tables Ingested

This connector ingests data into the following tables:

Table              Transformations   Ingestion API   Lake-Only
SIGNL4_CL          🔶                ?               ?
SecurityIncident   ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
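The SharedKey pattern named in the attribute table, shown as an added PowerShell example that is not SIGNL4's or Microsoft's code: it builds the HMAC-SHA256 signature the HTTP Data Collector API expects over the fixed string-to-sign, then posts a constructed sample record to a custom table. The workspace ID and key are assumed to be supplied by the caller (here via the LA_WORKSPACE_ID and LA_SHARED_KEY environment variables, names chosen for this example), and the record fields are constructed for illustration.

```powershell
# Added example: sign a request with the Log Analytics workspace shared key and send one record.
# Requires PowerShell 7 (ConvertTo-Json -AsArray). Workspace ID and key are caller-supplied assumptions.

function New-SharedKeySignature {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $SharedKey,      # base64 primary/secondary key of the workspace
        [Parameter(Mandatory)] [string] $Date,           # RFC 1123 date, identical to the x-ms-date header
        [Parameter(Mandatory)] [int]    $ContentLength,  # UTF-8 byte length of the body, not character count
        [string] $Method      = 'POST',
        [string] $ContentType = 'application/json',
        [string] $Resource    = '/api/logs'
    )
    # The string-to-sign layout is fixed by the API; any mismatch (date, length, resource) yields HTTP 403.
    $stringToSign = "$Method`n$ContentLength`n$ContentType`nx-ms-date:$Date`n$Resource"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($SharedKey))
    try {
        $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    } finally {
        $hmac.Dispose()
    }
    return "SharedKey ${WorkspaceId}:${sig}"
}

function Send-CustomLog {
    param(
        [Parameter(Mandatory)] [string]   $WorkspaceId,
        [Parameter(Mandatory)] [string]   $SharedKey,
        [Parameter(Mandatory)] [string]   $LogType,   # the table is created as <LogType>_CL
        [Parameter(Mandatory)] [object[]] $Records
    )
    $body  = $Records | ConvertTo-Json -AsArray -Compress -Depth 5
    $bytes = [Text.Encoding]::UTF8.GetBytes($body)
    $date  = [DateTime]::UtcNow.ToString('r')
    $auth  = New-SharedKeySignature -WorkspaceId $WorkspaceId -SharedKey $SharedKey -Date $date -ContentLength $bytes.Length
    $uri   = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $headers = @{
        'Authorization'        = $auth
        'Log-Type'             = $LogType
        'x-ms-date'            = $date
        'time-generated-field' = 'TimeGenerated'   # use the record's own timestamp rather than ingestion time
    }
    Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $bytes
}

# Constructed sample record; string fields land as Title_s, Severity_s, etc. (type-suffixed columns).
$sample = @(
    [pscustomobject]@{
        TimeGenerated = [DateTime]::UtcNow.ToString('o')
        AlertId       = 'example-0001'
        Title         = 'Constructed test alert'
        Severity      = 'High'
        Status        = 'Acknowledged'
    }
)
$response = Send-CustomLog -WorkspaceId $env:LA_WORKSPACE_ID -SharedKey $env:LA_SHARED_KEY -LogType 'SIGNL4' -Records $sample
$response.StatusCode   # HTTP 200 means the batch was accepted; the _CL table appears after the first ingestion
```

The shared key is a long-lived secret that authorizes writes to every custom table in the workspace, so treat it like a password: keep it out of source control, rotate it from the workspace Agents blade when staff with access leave, and prefer the Logs Ingestion API (data collection rule plus an Entra ID token) for new integrations, since Microsoft has deprecated the HTTP Data Collector API in its favor.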

Permissions

Resource Provider Permissions:
  - Workspace (Workspace): read and write permissions are required.
  - Keys (Workspace): read permissions to shared keys for the workspace are required. See the documentation to learn more about workspace keys.

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This data connector is mainly configured on the SIGNL4 side. You can find a description video here: Integrate SIGNL4 with Microsoft Sentinel.

SIGNL4 Connector: The SIGNL4 connector for Microsoft Sentinel, Azure Security Center and other Azure Graph Security API providers provides 2-way integration with your Azure security solutions. Once added to your SIGNL4 team, the connector reads security alerts from the Azure Graph Security API and automatically triggers alert notifications to your team members on duty. It also synchronizes the alert status from SIGNL4 back to the Graph Security API, so that when alerts are acknowledged or closed, the status is updated on the corresponding Azure Graph Security API alert or the underlying security provider. The connector mainly uses the Azure Graph Security API, but for some security providers, such as Microsoft Sentinel, it also uses the dedicated REST APIs of the corresponding Azure solutions.

1. Microsoft Sentinel Features

Microsoft Sentinel is a cloud-native SIEM from Microsoft and a security alert provider in the Azure Graph Security API. However, the level of alert detail available through the Graph Security API is limited for Microsoft Sentinel. The connector can therefore augment alerts with further details (the insight rule's search results) from the underlying Microsoft Sentinel Log Analytics workspace. To do that, the connector calls the Azure Log Analytics REST API and needs the corresponding permissions (see below). Furthermore, the app can also update the status of Microsoft Sentinel incidents when all related security alerts are, for example, in progress or resolved. To do that, the connector must hold the 'Microsoft Sentinel Contributors' role in your Azure subscription.

Automated deployment in Azure

The credentials required to access the aforementioned APIs are generated by a small PowerShell script that you can download below. The script performs the following tasks for you:
  - Logs you on to your Azure subscription (log in with an administrator account)
  - Creates a new enterprise application for this connector in your Azure AD, also referred to as a service principal
  - Creates a new custom role in Azure IAM that grants read/query permission on Azure Log Analytics workspaces only
  - Assigns the enterprise application to that custom role
  - Assigns the enterprise application to the 'Microsoft Sentinel Contributors' role
  - Outputs the values you need to configure the app (see below)

2. Deployment procedure

  1. Download the PowerShell deployment script from here.
  2. Review the script and the roles and permission scopes it deploys for the new app registration. If you do not want to use the connector with Microsoft Sentinel, you can remove all role creation and role assignment code and use the script only to create the app registration (SPN) in your Azure Active Directory.
  3. Run the script. At the end it outputs information that you need to enter in the connector app configuration.
  4. In Azure AD, click on 'App Registrations'. Find the app with the name 'SIGNL4AzureSecurity' and open its details
  5. On the left menu blade click 'API Permissions'. Then click 'Add a permission'.
  6. On the blade that loads, under 'Microsoft APIs' click the 'Microsoft Graph' tile, then click 'Application permissions'.
  7. In the table that is displayed expand 'SecurityEvents' and check 'SecurityEvents.Read.All' and 'SecurityEvents.ReadWrite.All'.
  8. Click 'Add permissions'.

3. Configuring the SIGNL4 connector app

Finally, enter the IDs that the script outputs into the connector configuration:
  - Azure Tenant ID
  - Azure Subscription ID
  - Client ID (of the enterprise application)
  - Client Secret (of the enterprise application)

Once the app is enabled, it starts reading your Azure Graph Security API alerts.

NOTE: It initially reads only the alerts that occurred within the last 24 hours.

  - Workspace ID: WorkspaceId

Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
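The provisioning that section 1 attributes to the downloadable script, together with the Graph permissions from steps 4-8, as an added PowerShell example built on the Az module (Az.Accounts, Az.Resources). This is not Derdack's script; the custom role name, the secret lifetime, the retry loop and the exact Log Analytics actions placed in the custom role are this example's choices, and the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known value for that API.

```powershell
# Added example (not Derdack's deployment script): app registration, least-privilege custom role,
# role assignments and Graph application permissions for the SIGNL4 connector, via the Az module.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $AppName  = 'SIGNL4AzureSecurity',
    [string] $RoleName = 'SIGNL4 Log Analytics Query Reader'   # custom role name chosen for this example
)
$scope = "/subscriptions/$SubscriptionId"

# Interactive logon. The account needs Owner (or User Access Administrator) on the subscription
# for role work, plus the right to create app registrations in the tenant.
Connect-AzAccount -Subscription $SubscriptionId | Out-Null
$tenantId = (Get-AzContext).Tenant.Id

# 1. App registration plus service principal (the "enterprise application"); idempotent on re-run.
$app = Get-AzADApplication -DisplayName $AppName -ErrorAction SilentlyContinue
if (-not $app) { $app = New-AzADApplication -DisplayName $AppName }
$sp = Get-AzADServicePrincipal -ApplicationId $app.AppId -ErrorAction SilentlyContinue
if (-not $sp) { $sp = New-AzADServicePrincipal -ApplicationId $app.AppId }

# Client secret: 6-month lifetime (assumed), shown once; it belongs only in the SIGNL4 connector config.
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# 2. Custom role limited to reading and querying Log Analytics workspaces. The action list is this
#    example's choice of the minimum needed to run queries; it is cloned from a built-in role object.
$role = Get-AzRoleDefinition -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = Get-AzRoleDefinition -Name 'Log Analytics Reader'   # template object only
    $role.Id = $null
    $role.Name = $RoleName
    $role.IsCustom = $true
    $role.Description = 'Read and query Log Analytics workspaces (SIGNL4 connector)'
    $role.Actions.Clear()
    foreach ($action in @(
        'Microsoft.OperationalInsights/workspaces/read',
        'Microsoft.OperationalInsights/workspaces/query/read',
        'Microsoft.OperationalInsights/workspaces/query/*/read',
        'Microsoft.OperationalInsights/workspaces/analytics/query/action',
        'Microsoft.OperationalInsights/workspaces/search/action')) { $role.Actions.Add($action) }
    $role.NotActions.Clear(); $role.DataActions.Clear(); $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear(); $role.AssignableScopes.Add($scope)
    $role = New-AzRoleDefinition -Role $role
}

function Grant-RoleWithRetry([string] $RoleDefinitionName) {
    if (Get-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope -ErrorAction SilentlyContinue) { return }
    for ($attempt = 1; $attempt -le 6; $attempt++) {
        try {
            New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleDefinitionName -Scope $scope -ErrorAction Stop | Out-Null
            return
        } catch {
            # A freshly created service principal may not have replicated yet (PrincipalNotFound); wait and retry.
            Start-Sleep -Seconds 10
        }
    }
    throw "Failed to assign '$RoleDefinitionName' to service principal $($sp.Id)"
}
Grant-RoleWithRetry $RoleName                       # query the workspace (alert augmentation)
Grant-RoleWithRetry 'Microsoft Sentinel Contributor' # update incident status

# 3. Microsoft Graph application permissions (portal steps 4-8), resolved by name instead of hard-coded GUIDs.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph application ID
$graphSp = Get-AzADServicePrincipal -ApplicationId $graphAppId
foreach ($permission in 'SecurityEvents.Read.All', 'SecurityEvents.ReadWrite.All') {
    $appRoleId = ($graphSp.AppRole | Where-Object { $_.Value -eq $permission }).Id
    Add-AzADAppPermission -ObjectId $app.Id -ApiId $graphAppId -PermissionId $appRoleId -Type Role
}

# 4. Values to paste into the SIGNL4 connector configuration (section 3).
[pscustomobject]@{
    TenantId       = $tenantId
    SubscriptionId = $SubscriptionId
    ClientId       = $app.AppId
    ClientSecret   = $secret.SecretText
}
```

Two things the script cannot do for you: application permissions on Microsoft Graph still need an administrator to click 'Grant admin consent' on the app's API permissions blade before the token carries them, and the 'Microsoft Sentinel Contributor' assignment at subscription scope is broader than the connector needs, so scope both assignments to the resource group of the Sentinel workspace if all your workspaces live there. Re-running the script is safe, but each run mints a new client secret; revoke the old one with Remove-AzADAppCredential once SIGNL4 has the new value.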

