Sentinel
- You have to get the AIShield - AI Security Monitoring App for Microsoft Sentinel from the Azure Marketplace before starting the steps below.
Deploy the AIShield - AI Security Monitoring for Microsoft Sentinel app to your Microsoft Sentinel-enabled Log Analytics workspace. The following components are deployed with this installation.
- Data connector: Azure Sentinel uses data connectors to configure the connection with the AIShield product.
- Parser: Parsers are built as user-defined functions that transform the data in the existing table into the normalized schema.
- Analytics rules: Scheduled analytics rules based on built-in queries written by the AIShield team create security alerts/incidents.
Please follow the steps below to install the AIShield - AI Security Monitoring connector:
1. Go to the Azure Marketplace, search for AIShield - AI Security Monitoring App for Microsoft Sentinel and click Get It Now.
2. You will be redirected to the solution installation page; click the Create button.
After clicking Create, the page shows the components to be deployed and their details.
Select the subscription and resource group in which the Log Analytics workspace resides. Review the details and click Create. All components are deployed into the Sentinel-enabled Log Analytics workspace.
You can verify the deployed components as follows.
- Data connector: Go to the Data connectors page and search for AIShield; the AIShield data connector page is shown.
- Parser: Log Analytics workspace -> Functions -> the AIShield parser is listed.
- Analytics rules: Microsoft Sentinel -> Analytics -> the scheduled rules that detect issues with the AI are listed.
After everything is set up, you will get two important values from the AIShield data connector page in your Microsoft Sentinel workspace:
- customer ID (azure_log_customer_id)
- shared key (azure_log_shared_key)
You need to copy these values into the AIShield Threat Informed Defense app.
Please go through the Readme.txt file provided with AIShield Threat Informed Endpoint Defense (EDR) and follow the defense connector steps below for setup.
You can download the defense artifact after your job runs successfully. The defense artifact will contain the defense model in .h5 and .onnx formats, one Python file, and a readme file describing the steps to follow to use it. Assuming you have already downloaded the artifact, you can follow the steps below to configure the defense with Azure Sentinel and Splunk Connector.
The AIShield-provided Threat Informed Defense Model zip folder contains the following files.
1. Defense Model Architecture image
2. Defense Model Classification Report image
3. Defense Model Confusion Matrix image
4. Defense Model (h5 format)
5. defense_model (onnx format)
6. Predict.py
7. ReadMe.txt
The following steps describe the procedure to integrate and test the AIShield-provided Threat Informed Defense Model.
The defense_model_path variable stores the file path (location on the local system) where the defense model is expected to be found.
Parameters:
- azure_log_customer_id: Azure Object ID (Workspace ID) of the workspace to which event data is logged.
- azure_log_shared_key: Primary Key of the Log Analytics workspace to which event data is logged.
Load the necessary data and use the AIShield-provided attack data to test the defense model.
Once the AIShield-provided Threat Informed Endpoint Defense (EDR) app is sending logs to Microsoft Sentinel, you can query the logs by parser name or table name:
AIShield (parser) or AIShield_CL (table)
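The defense app reaches the AIShield_CL table by posting JSON records to the Log Analytics HTTP Data Collector API with the two connector values above: the request is signed with HMAC-SHA256 over a canonical string using the base64-decoded shared key, and the Log-Type header "AIShield" is what Sentinel turns into the AIShield_CL table. The block below is an added example written for this page, not AIShield's Predict.py; the customer ID, shared key and event record are constructed placeholders, and the send_records function is the only part that touches the network.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

LOG_TYPE = "AIShield"  # Sentinel appends _CL: records land in AIShield_CL
RESOURCE = "/api/logs"

def string_to_sign(content_length: int, date: str) -> str:
    # Canonical form the Data Collector API signs; order and newlines matter
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{date}\n{RESOURCE}"

def build_authorization(customer_id: str, shared_key: str, content_length: int, date: str) -> str:
    # azure_log_shared_key is base64; decode it before using it as the HMAC-SHA256 key
    key = base64.b64decode(shared_key)
    digest = hmac.new(key, string_to_sign(content_length, date).encode(), hashlib.sha256).digest()
    return f"SharedKey {customer_id}:{base64.b64encode(digest).decode()}"

def build_request(customer_id: str, shared_key: str, records: list, date: str):
    # date must be RFC 1123 in GMT and must match the x-ms-date header exactly
    body = json.dumps(records).encode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(customer_id, shared_key, len(body), date),
        "Log-Type": LOG_TYPE,
        "x-ms-date": date,
    }
    url = f"https://{customer_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return url, headers, body

def send_records(customer_id: str, shared_key: str, records: list) -> int:
    # Network call; returns the HTTP status (200 means the batch was accepted)
    now = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    url, headers, body = build_request(customer_id, shared_key, records, now)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed placeholders: substitute the values from the AIShield data connector page
PLACEHOLDER_CUSTOMER_ID = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_SHARED_KEY = base64.b64encode(b"0" * 32).decode()
# Constructed sample event of the kind Predict.py would log for one scored input
SAMPLE_EVENT = [{"source": "AIShield_EDR", "verdict": "attack", "confidence": 0.97}]
```

A 403 from the API almost always means the signature string or the x-ms-date header differs from what was signed, so check those two before anything else.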
If you have any questions or need any help with this integration, please get in touch with [email protected]