@@ -263,3 +263,30 @@ See the notes from '### Firstboot' above. The cockpit.service and socket have be
* Users should be added to the appropriate okta `threatq-*` group. Their accounts will be automatically provisioned.
* New users will have to manually set their email address.
* The chicklet from okta is only a bookmark. Users must click the 'log in via sso' button to sign in.
+
+## The Azure Sentinel Integration
+
+NOTE: The connector work in prod only. The connector will not function in test.
+
+Documentation for the integration is available [here](https://helpcenter.threatq.com/index.htm#t=Integration_Documentation%2Fguides%2FMicrosoft_Sentinel_Connector.htm)
+
+The salt state `threatquotient.azure` installs the two connectors (commercial and government) and initializes them. They then need to be configured via the web interface at Integrations->My Integrations, and search for 'Sentinel' (there should be two).
+
+The salt state also creates teh cron job.
+
+### Testing the Sentinel Integration
+
+You can run either connector manually:
+
+For commercial:
+```
+/opt/tqvenv/com/bin/tq-conn-ms-sentinel -v3 -c /etc/tq_labs/com/ -ll /var/log/tq_labs/com/ --name "Microsoft Sentinel"
+```
+
+For Government:
+```
+/opt/tqvenv/us/bin/tq-conn-ms-sentinel -v3 -c /etc/tq_labs/us/ -ll /var/log/tq_labs/us/ --name "Microsoft Sentinel - Government"
+```
+
+(tip: if it asks for the log file location, you forgot `sudo`!)
+
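Review bot: The two manual run commands under "Testing the Sentinel Integration" omit the `sudo` that the closing tip says they need; write it into the commands themselves (`sudo /opt/tqvenv/com/bin/tq-conn-ms-sentinel -v3 -c /etc/tq_labs/com/ -ll /var/log/tq_labs/com/ --name "Microsoft Sentinel"`, and likewise for the `us` variant) rather than relying on readers to recognise the log-file-location prompt as the symptom of a missing privilege, and tag the two bare fences with a language so they render consistently. The sentence "The salt state also creates teh cron job." has a typo and documents nothing about the job it creates: state the schedule, the account it runs under (the sudo tip implies the connector needs elevated rights, so a scheduled run as the wrong user will fail the same way) and which of the two connector commands it invokes. Minor grammar in the NOTE: "The connector work in prod only" should read "The connectors work in prod only", and it would help operators to say what "will not function in test" looks like so a failed test run is not mistaken for a misconfiguration.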