SIEM solutions aggregate event data from security devices, network infrastructure, systems, and applications. While the primary data source for a SIEM is log data, it can also process other forms of data. Microsoft’s Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate apps, data, services, and systems. The Logic App for Lansweeper seamlessly connects Sentinel with Lansweeper. Users can receive enriched alerts and contextualized IT asset data automatically to simplify and enhance threat hunting, event investigation, and incident response.
Using the information from Lansweeper, Sentinel users can develop playbooks for executing a defined set of remediation actions in response to alerts and incidents. Most of these alerts and incidents conform to recurring patterns, and playbooks help to orchestrate and accelerate threat response for rapid resolution, reducing risk while lightening the load on security teams. If a machine is compromised, Sentinel users can leverage Lansweeper data to identify, locate and isolate the machine and automatically block the account until the SOC team can analyze the issue.
Playbooks not only enhance security but also eliminate manual tasks that can drive up costs. By Microsoft’s estimate, Sentinel users can improve security while reducing costs by as much as 48% compared to traditional SIEMs. By leveraging the Logic App for Lansweeper, they can further reduce overhead by eliminating manual work associated with enriching alerts and taking action to remediate threats.
Key Integration Features
This integration implements the investigative actions for the Lansweeper app on the MS Sentinel Platform. It will allow end-users to implement any use cases on the Lansweeper Platform that are possible using a combination of the below-mentioned actions.
Authentication: Create a Logic app with a custom connector. Authenticate the connection with Lansweeper APIs using the Outh2 from the Logic app. Use the refresh token API link to generate the new token.
List Authorized Sites: Retrieve the list of the authorized sites.
Hunt IP: Get the asset details from the Lansweeper platform for the given Site ID and IP address.
Hunt Mac: Get the asset details from the Lansweeper platform for the given Site ID and MAC address.
Microsoft Sentinel also possesses SOAR capabilities. Microsoft Sentinel, in addition to being a Security Information and Event Management (SIEM) system, is also a platform for Security Orchestration, Automation, and Response (SOAR). One of its primary purposes is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of your Security Operations Center and personnel (SOC/SecOps), freeing up time and resources for more in-depth investigation of, and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response tasks. The goal of building the Lansweeper Sentinel Integration is to allow the SOC team to leverage the Lansweeper capabilities and allow it to be automated via the Microsoft Logic App. This will help our customers to get the below-mentioned capabilities.
List Authorized Sites – Provide the details of the authorized sites.Hunt IP – Provide the asset details from the Lansweeper platform for the given Site ID and IP address.
Hunt MAC – Provide the asset details from the Lansweeper platform for the given Site ID and MAC address.
