Skip to main content
All CollectionsCyber ResiliencyThird Party SIEM tool integrations
Druva app for Microsoft Sentinel
Druva app for Microsoft Sentinel
Updated yesterday

Overview

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution that delivers an intelligent and comprehensive solution for SIEM and security orchestration, automation, and response (SOAR). It provides cyber threat detection, investigation, response, and proactive hunting with a bird-eye view across the enterprise.

Druva has published the following app on the Microsoft Azure marketplace:

  • Druva Integration with Sentinel

This app contains

  • Druva Data Connectors to ingest Druva events in Microsoft Sentinel

  • Druva Playbooks in Microsoft Sentinel to automate quarantine actions

📝 Note

By default, the app contains one Data Connector and five playbooks.

Installing Druva App for MS Sentinel

The installation of the Druva App for MS Sentinel involves three simple steps:

  1. Search and discover the Druva app on the Azure Marketplace.

  2. Click Get it now to add Druva App to your Azure tenant.

  3. Create a Project in the app. On the Project details page, enter the following details:

    1. Select the Subscription as per your requirement for your Azure Sentinel workspace.

    2. Select the Resource group name from the available options or create a new one.

    3. Select the Workspace name for log analytics.

Configuring Druva Data Connectors in MS Sentinel

Before you begin configuring Data Connectors, ensure the following prerequisites are met:

Prerequisites

  • Keep your Druva API client credentials ready. To learn more about how to create and manage Druva API Client credentials, see Create and Manage API Credentials

  • Have the Log Analytics Workspace created on the Azure portal to collect data from all your resources. To learn more about how to create a Log Analytics Workspace, see Create a Log Analytics workspace.

  • If you have inSync Workloads, you must enable inSync events from Druva Console to view inSync Events. For more informaton, see Configure inSync to export events.

Procedure

To configure Druva Data Connectors in Sentinel, perform the following steps:

  1. On the Microsoft Azure portal, navigate to Microsoft Sentinel.

  2. Click on the required Workspace > Configuration > Data Connectors. The Druva Events Connector is displayed.

    If not displayed, click refresh icon on the Data Connectors page to view the Druva Events Connector.

  3. Click the ellipsis (...) icon to view the Druva Events Connector page in its extended form, and then click Open Connector page.

  4. Provide the following details and click Connect to establish a connection with Druva Events Connector.

    1. Hostname: Enter the details as follows:

      1. For Public Cloud (Default): apis.druva.com

      2. For GoV Cloud: govcloudapis.druva.com

    2. ClientID and Client Secret: Enter the Druva API credentials that you generated, as mentioned in the prerequisite section of this article.

  5. After a successful connection, you can view the records on the log analytics page which displays a table with the following details:

    1. DruvaSecurityEvents_CL: Shows the events captured for Druva Security APIs

    2. DruvaPlatformEvents_CL: Shows the events captured for Platform APIs

    3. DruvaInsyncEvents_CL: Shows the events captured for Druva inSync APIs

    You can also view the ingestion graph on the Connector page.

    Druva Events Connector and Graph:

Druva Security Events:

Druva Platform Events:

Druva Insync Events:

Supported Druva Workload events

Refer to the following for the supported event type for different workloads:

Configuring Playbooks for Druva App for MS Sentinel

Before you begin configuring Playbooks, ensure the following prerequisites are met:

Prerequisites

  • Ensure that you have an Accelerated Ransomware Recovery license enabled.

  • Keep your Druva API client credentials ready. To learn more about how to create and manage Druva API Client credentials, see Create and Manage API Credentials

  • Keep the Key Vault created and store the Druva API Credentials in Azure Key Vault Secrets

    • Create a Key Vault: To create a Key Vault, do the following:

      • On the Microsoft Azure portal, navigate to Home > Key Vaults >Basics tab. Enter the Instance Details. For the Key Vault Name field, enter Druva-ClientCredential. The Region and Pricing fields are auto-populated. You can change it as you need it. Click Review + Create to save the changes.

    • Store the Druva API Credentials in Azure Key Vault Secrets:

      • On the Microsoft Azure portal, navigate to Home > Key Vaults > ClientCredentials > Objects > Secrets.

      • On the ClientCredentials > Secret page, click the plus icon Generate/Import and add Druva-ClientID and Druva-ClientSecret for storing client_id and client_secret respectively.

Procedure to deploy playbooks

Once you have completed the prerequisites, perform the following steps to deploy Druva playbooks in Sentinel:

  1. On the Microsoft Azure portal, navigate to Sentinel.

  2. On the Sentinel page that appears, navigate to the Automation > Templates section. All the available Druva Playbook templates are displayed. Click Create Playbook on any of the templates as per your requirement.

  3. On the Create playbook > Basics page, specify a name for the playbook and click Next.

  4. On the Create playbook > Parameters page, specify the Keyvaultname that contains the stored Druva-ClientID and Druva-ClientSecret. Click Next.

  5. On the Create playbook > Connections page, click Next.

  6. On the Create playbook > Review and Create page, review the details and click Create Playbook.

  7. To run the playbook in the Gov Cloud region, open the playbook in the Parameters section and update the API Host as follows:

    1. For Gov Cloud: https://govcloudapis.druva.com

      The default is set to the Public Cloud API Host: https://apis.druva.com

  8. Once the deployment is complete, authorize each connection. To authorize the connection, do the following:

    1. Login to the Microsoft Azure portal and in the search box type API Connections.

    2. On the API Connections page, search and verify if your created API connection exists. For example, Druva-KeyVault-Connection. Also, ensure that the Status of the API Connection is Ready.

  9. Grant permissions- Ensure that this playbook and your user have the IAM role permission assigned as Key Vault Secrets User.

  10. Validate the deployment.

    1. Verify if the resources (e.g. Key Vault, API connections, Logic Apps) are created successfully.

    2. Check the deployment logs for any errors and fix them.

Running the playbooks manually

To run a playbook manually, perform the following steps:

  1. On the Microsoft Azure portal, navigate to the playbook and select Run with payload option from the dropdown. The Run with payload pop-up appears.

  2. On the Run with payload pop-up, navigate to the Body section and paste the json obtained from the README.md file with respective edited values according to your resources. The Readme for specific Druva supported workloads can be obtained from Supported Druva features for playbooks.

  3. Click Run.

    To verify the status of the playbook run, navigate to the respective playbook home page and check the run history to view details - Successful or Failed.

Supported Druva features for playbooks

❗DISCLAIMER:

Microsoft and Microsoft Sentinel are trademarks of the Microsoft group of companies.

Related Articles
Provision users instantly from Microsoft Azure Active Directory to inSync using Druva SCIM app
Prerequisites to back up SaaS Apps data
Microsoft 365 authorization error occurs when reconfiguring Microsoft 365 app
User with missing membership type in Azure AD do not get imported to Druva inSync via Azure AD Group Mapping
How to Resolve "Provisioning has been quarantined" Error for Druva inSync SCIM Application
Did this answer your question?