Microsoft Sentinel integration in NordPass

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution designed to provide intelligent security analytics and threat intelligence across an organization.

NordPass for Microsoft Sentinel benefits

With NordPass integration, Business clients can seamlessly send Activity Logs data to Microsoft Sentinel, allowing them to:

  • Monitor real-time user actions.
  • Detect potential security risks.
  • Leverage Sentinel's advanced analytics and automation capabilities.
  • Strengthen digital security management within the organization.
  • Enhance security visibility and streamline incident response.

 

NordPass integration with Microsoft Sentinel

Before integrating NordPass with Microsoft Sentinel, complete the following steps:

  1. Ensure that the resource group and the Log Analytics workspace are created and located in the same region so you can deploy the Azure Functions:





  2. Add Microsoft Sentinel to the created Log Analytics workspace:



  3. The Log Analytics workspace and Azure Functions require permission to read and write.

  4. To finish the Azure Functions integration, generate a Microsoft Sentinel API URL and token in the NordPass Admin Panel. You will need a NordPass Enterprise account to do so.

  5. Once the setup is complete, activity log data will be fetched into Microsoft Sentinel every 60 seconds. NordPass activity logs for the last 7 days will be fetched with the first connection. After that, only records generated in the set interval for the script will be fetched. 

 

Deploy integration

To deploy NordPass for Microsoft Sentinel integration, follow these steps:

  1. On the Microsoft marketplace, locate the available integration - NordPass for Microsoft Sentinel:



  2. Select the create button:



  3. Next, follow the steps in the installation deployment process:
    • Select the created Resource group and Workspace dedicated to NordPass integration.
    • Review the integration details and proceed to create the integration.



  4. Once the Integration deployment is completed, go to the Microsoft Sentinel workspace and find the NordPass for Microsoft Sentinel option under the Content Hub section:



  5. Then, start setting up the integration.

 

Setting up the integration

Data connector

You must install this data connector to connect NordPass Activity Log data with Microsoft Sentinel and receive it periodically. To install it, follow these steps:

  1. Go to the Microsoft Sentinel Content hub and search for NordPass. Select it and press the manage button:



  2. Next, select NordPass with data connection as a content type, and press the open connection page button:



  3. After reviewing the prerequisites and ensuring they are completed, press the deploy to Azure button:



  4. Provide the Resource Group and Workspace name created on Microsoft Azure, and the API details (API_URL and token) created on the NordPass Business Admin Panel.

  5. Proceed with Azure Function deployment by selecting the review and create button, and then the create button:





  6. Once the Azure Function deployment is completed and the first data sync is successful, it is indicated under the dedicated Microsoft Sentinel workspace's data connectors section:



    Note: This connector uses Azure Functions to retrieve Activity Logs from NordPass to Microsoft Sentinel. This may result in additional data ingestion costs. For more information, refer to the Azure Functions pricing page.

 

Analytic Rules

With the NordPass integration, you'll receive several preset analytic rule templates. Make sure to activate relevant rules individually by following these steps:

  1. Go to the Content Hub of installed NordPass Integration, select the relevant Analytics rule you want to enable, and press the create rule button:



  2. Update the Analytics rule parameters and finish the setup by selecting the save button in the review + create section:



  3. Once the Analytics rule is successfully enabled, it will be displayed under the dedicated Microsoft Sentinel workspace's analytics section as enabled.

  4. Repeat the same steps for every Analytics rule applicable to your use case.

 

Workbook

With the workbook, you can easily access detailed information from the NordPass Activity Log, such as vault activity, all login attempts, and audit reports. The workbook isn't activated automatically. To activate it manually, follow these steps:

  1. On the Content Hub of the installed NordPass Integration, select the NordPass Workbook option and click the configuration option on the lower left:



  2. After pressing the save button on the lower-left side, select a location and the yes button.





  3. Once the NordPass Workbook is successfully saved, it is available under the dedicated Microsoft Sentinel workspace's workbooks section:



  4. To review the Workbook details, select the view saved workbook button:

 

Update the token on the integration

If the token was revoked or expired, follow the steps below to update the token on the integration.

 

Option 1 

Log in to Microsoft Sentinel and redeploy the NordPass Data Connector as described in the Data connector section. Once the Data connector redeployment is finished, the data sync will use the newly provided API details.

 

This option can also be used to update data center details if necessary. 

 

Option 2 

  1. Open the Resource group that was used for NordPass integration deployment, and locate and open the NordPass Function app:



  2. Under the settings, in the environment variables section, search for NordPass.

  3. For any of the variables you want to update, select the name field (NORDPASS_ENDPOINT_URL, NORDPASS_TOKEN), which will open it in edit mode:



  4. Update the value details and select the apply button:



  5. Next, confirm the Environment variable setting in the app settings section by selecting the apply button.



  6. Afterward, confirm the changes by pressing the confirm button:
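
The same update as Option 2, scripted with Azure CLI instead of the portal. This is an added example, not part of the NordPass documentation: the function name `rotate_nordpass_settings` and the resource group and Function app names passed to it are assumptions, while the two setting names are the ones listed in step 3.

```sh
# Added example (not NordPass code): update the NordPass settings on the
# Function app with Azure CLI. Requires a prior `az login`.
#
# Usage: rotate_nordpass_settings <resource-group> <function-app> <endpoint-url>
# The token is read from stdin so it never lands in shell history.
rotate_nordpass_settings() {
  np_rg="$1"; np_app="$2"; np_url="$3"; np_token=""

  if [ -z "$np_rg" ] || [ -z "$np_app" ] || [ -z "$np_url" ]; then
    echo "usage: rotate_nordpass_settings <resource-group> <function-app> <endpoint-url>" >&2
    return 2
  fi

  # Refuse a plaintext endpoint: the token would be sent unencrypted.
  case "$np_url" in
    https://*) ;;
    *) echo "endpoint URL must start with https://" >&2; return 3 ;;
  esac

  # Read one line from stdin; a final line without a newline is still accepted.
  IFS= read -r np_token || true

  # Reject an empty token or one with stray whitespace (a common copy/paste
  # error that would otherwise be saved and break the next sync).
  case "$np_token" in
    "" | *[[:space:]]*) echo "token is empty or contains whitespace" >&2; return 4 ;;
  esac

  # --output none keeps the CLI from echoing the app settings to the terminal.
  # The token is still visible in this process's arguments while az runs,
  # so run this from a single-user admin host.
  az functionapp config appsettings set \
    --resource-group "$np_rg" \
    --name "$np_app" \
    --settings "NORDPASS_ENDPOINT_URL=$np_url" "NORDPASS_TOKEN=$np_token" \
    --output none
}
```

Feed the token from a secret store or an interactive prompt, for example by piping the secret store's output into the function, rather than typing it on the command line.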

 

Workbook explanations

NordPass Admin Panel activity



The administrative actions dashboard displays information on the actions of Organization Owners and Administrators in the Business Admin Panel. Here, you will also be able to see the following dashboards:

  1. Actions: this visualization showcases the actions performed in the NordPass Business Admin Panel by users with MSP Admin, Owner, and Admin rights.

  2. Actions count by user: this visualization lists all users who took action in the NordPass Business Admin Panel and indicates the number of actions performed.

 

NordPass Vault activity



The item actions dashboard provides information about the Organization users' actions in the NordPass application. Here, you will be able to see the following dashboards:

  1. Item actions: this visualization lists all actions and the number of actions performed by the employees in the NordPass application.

  2. Item actions by platform: this visualization shows the number of actions performed in the NordPass application on a defined platform. 

 

NordPass Logins & Vault Access



The login actions dashboard provides information about the Organization employees' login to NordPass and Vault unlock actions by the users. Here, you will be able to see the following dashboards:

  1. Login access: this visualization showcases when your NordPass users log in to the NordPass Business account, validate the Master Password to unlock NordPass, or use SSO authentication.

  2. By platform: this visualization lists platforms where Organization employees validate their master passwords and where they are accessing the NordPass application.
