Skip to content

wagov/wasoc-honeytraps

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 

Repository files navigation

WA HoneyTraps Program

This site contains technical information to onboard to WA HoneyTraps program.

Table of Contents

  1. Onboarding Checklist

  2. Azure Logic App Deployment Guide

  3. Analytic Rules Deployment Guide

  4. Initiating an end-to-end test

  5. Feedback


Onboarding Checklist

Feedback

For questions or feedback, please contact [email protected]


Azure Logic App Deployment Guide

The following steps will guide you on utilising Azure ARM templates to deploy logic-app resource(s) to send canary alerts from the canary platform to the agency's Sentinel workspace.

Pre-requisites:

  • Requires an Azure Log Analytics Workspace (to ingest the data from Canary platform)
  • Required permissions to deploy the logic app and resources
  • A Canary group that has been provisioned by WASOC

Step by step guide

Step 1.

To start the deployment of the logic app to Azure, click on the Deploy to 'Azure button' shown below.

Deploy to Azure

Step 2.

You will be redirected to the custom deployment screen in azure portal. Select/ fill-in the required information.

Screenshot of the Custom Deployment page

Field description:

  1. Subscription: The subscriptions where the Logic apps will be deployed to
  2. Resource Group: The resource group where the Logic apps will be deployed to
  3. Log Analytics Workspace ID: The workspaceId of Sentinel log analytics workspace, where the canary/ canary-token logs will be send to
  4. Log Analytics Workspace Key: The primary key of the agent for Sentinel log analytics workspace, where the canary/ canary-token will be send to

Note: Do not replace or change the value in the 'Unique Key' field as this will be used to generate a unique key for the webhook header.

Reference:

Step 3.

Review and ensure all details provided in the deployment are correct and proceed with creating the resources. Otherwise, select the 'previous' button to go back and make any changes.

Screenshot of Review and Create page

Step 4.

Navigate to your resource group from the deployment details page, and select your deployed Logic App (containing the name that you provided in the Step 2).

Screenshot of Go to Resource Group Page

Your deployed Logic App under the Logic App designer, should look similar to the image shown below.

Screenshot of the deployed Logic App

Capture the following information from your Logic App deployment for setting up a webhook with the Canary platform.

Step 5.

  1. Select the 'manual' action on the Logic App.
  2. Copy/note down the value under the 'HTTP URL' section, as shown below.

Screenshot of the webhook URL

Step 6.

  1. Select the 'Condition' action from the Logic App.
  2. Copy/note down the 'key' value in the right side of the 'is equal to' condition. (This is a GUID that is unique to you and will be used in setting up the webhook with the Canary platform)

Screenshot of the Condition component of LA

Step 7.

Provide the two pieces of information collected in Step 5 and Step 6 to the WASOC team for completing the integration of the Canary platform with your Sentinel environment.

  1. Webhook URL from Step 5
  2. GUID value from Step 6

Analytic Rules Deployment Guide

The following steps will guide you on deploying analytic-rules to generate alerts and incident in your Microsoft Sentinel workspace.

Prerequisites

  • You must have set up send-canary-alert-webhook logic-apps prior to deploying the analytic rules
  • The analytic rule uses the following default table name: CanaryLogs_CL

Step by step guide

Step 1.

To start the deployment of the Azure Analytic Rules for each type of canary, click on the 'Deploy to Azure' buttons shown below.

Canary Tokens - Analytic Rules Deploy to Azure
Canary - Analytic Rules Deploy to Azure

Step 2.

Note: Please deploy each analytic rule template one at a time.

You will be redirected to the custom deployment screen in azure portal. Select/ fill-in the required information

Screenshot of Deployment page

Field description:

  1. Subscription: The subscriptions where the Sentinel workspace is located
  2. Resource Group: The resource group where the Sentinel workspace is located
  3. Region: The region where the Sentinel workspace is located
  4. Workspace Name: The workspaceName of Sentinel log analytics workspace, where the analytic rule will be deployed to
  5. Rule Id: Value to obtain a new Rule Id using the newGuid function in Azure
  6. Domain: The domain name for the canary platform, to be provided by WASOC.

Note: Do not replace or change the value in the 'Rule Id' field, this is to generate unique Id for your analytic rules.

Step 3.

Review and ensure all details provided in the deployment are correct and proceed with creating the resources. Otherwise, select the 'previous' button to go back and make any changes.

image

Step 4.

Navigate to Analytics blade inside the Microsoft Sentinel, and verify that the analytics rules has been created and enabled.

image

Step 5.

Initiate test to generate incident from the canary platform, and verify that incidents were generated in Microsoft Sentinel.

Initiating an end-to-end test

To initiate an end-to-end test the integration of the canary platform and the SIEM, you could do the following.

Pre-requisites

Step 1.

Create a new canary token within your canary group.

Step 2.

Trigger the canary token by interacting with it.

Step 3.

Navigate to your Log Analytics Workspace to check if any alerts have been ingested.

It may take up to 5 minutes for the alerts to ingest

If you have alerts being ingested into your Log Analytics Workspace, you have successfully completed your canary platform and SIEM integration.

Feedback

For questions or feedback, please contact [email protected]

About

Honey Technologies initiatives for the WASOC

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •