The Rumble Network Discovery solution for Microsoft Sentinel is a network domain solution that enables organizations to enrich their hunting queries with a daily export of asset information, as well as receive alerts when new assets are discovered on the network or high value assets are modified.
The Rumble Network Discovery solution consists of the following resources:
- Data Connector, to ingest data into Microsoft Sentinel using the Log Analytics Data Collector API:
  - An Azure Functions app using the PowerShell 7.0 runtime, including:
    - A function with a timer trigger to fetch a daily export of asset information from the Rumble Organizations API (ingested into the RumbleAssets_CL table)
    - A function with an HTTP trigger to capture alerts for new and modified assets from the Rumble console (ingested into the RumbleAlerts_CL table)
  - A Key Vault, to securely store and retrieve secrets such as the Rumble Organization API key and Log Analytics workspace key. The Azure Functions app uses a system-assigned managed identity to retrieve secrets using role-based access control rather than access policies.
  - A Microsoft Sentinel data connector GUI, to monitor the connectivity status of the solution.
- Parsers, to filter and manipulate the raw data received from the Rumble API and rules engine (named RumbleAssets and RumbleAlerts respectively).
- Workbook, to monitor and provide insights into the Rumble asset information, such as:
  - Most seen asset types, operating systems and hardware
  - Most seen TCP/UDP ports, protocols and products
  - An easily searchable export of the Rumble asset information
- Hunting Queries, to investigate the environment:
  - List all assets with exposed web interfaces using HTTP/S
  - List all Windows assets that have not sent security event logs to Microsoft Sentinel in the last week
  - Summarize all assets by exposed TCP/UDP ports
- Watchlist, containing a list of high value assets that should be monitored for unauthorized network changes.
- Analytic Rules, to alert security analysts when:
  - New assets are discovered on the network
  - High value assets have been modified at the network level (e.g. newly exposed services), using the aforementioned watchlist.
The deployment template for this solution was developed entirely in Bicep, so you can re-use the resource declarations and other components in mainTemplate.bicep as a reference for your own Microsoft Sentinel solutions.
Note: The Rumble Network Discovery data connector uses Azure Functions to ingest asset information and alerts into Microsoft Sentinel, as well as Key Vault to securely store secrets, which may result in additional charges for your Azure subscription.
- Log in to the Rumble console
- Navigate to Organizations and select your organization
- Under API tokens, click Generate API Key and copy the token value
- In your Microsoft Sentinel instance, navigate to Settings > Workspace settings > Agents management
- Copy your Log Analytics workspace ID and primary key
- Make note of your Log Analytics workspace name
- Click the Deploy to Azure button below
- Select your desired Subscription, Resource Group and Location
- Enter the Rumble API key, Workspace name, Workspace ID and Workspace key
- Click Review + create
- Wait for the deployment to finish successfully
- Open your Azure Function app in the Azure Portal
- Navigate to Functions > Get-RumbleAlerts > Overview, click 'Get Function Url' and copy the URL. This is the webhook URL you will need to create a Rumble alert channel in Step 5.
- (Optional) By default, the Azure Functions data connector is configured to send an export of Rumble assets to Microsoft Sentinel daily at 12 PM UTC. If you wish to manually trigger an initial export to verify the connector is working as expected, navigate to Functions > Get-RumbleAssets > Code + Test and click 'Test/Run' > Run. You should see data populate in the RumbleAssets_CL table in Microsoft Sentinel within the next 15-20 minutes.
- Navigate to the Rumble Alerts > Channels page, and create a new webhook channel as follows:
  - Name: Microsoft Sentinel
  - Channel type: Webhook
  - Webhook URL: <Copied from Step 4>
- Navigate to the Rumble Alerts > Templates page, and create a JSON alert template for 'new asset' events as follows:
  - Name: New Assets Template
  - Template type: JSON
  - Body of message: <Contents of Rumble-MicrosoftSentinel/Data Connectors/newAssetTemplate.txt>

```
{
  {{#rule.is_scan}}
  {{#scan}}
  "new": {{assets_new}},
  "changed": {{assets_changed}},
  {{/scan}}
  "new_assets": [
    {{#report.new}}
    {
      "addresses": "{{addresses}}",
      "alive": "{{alive}}",
      "created_at": "{{created_at}}",
      "detected_by": "{{detected_by}}",
      "domains": "{{domains}}",
      "first_seen": "{{first_seen}}",
      "hw": "{{hw}}",
      "id": "{{id}}",
      "last_seen": "{{last_seen}}",
      "names": "{{names}}",
      "os": "{{os}}",
      "service_count": "{{service_count}}",
      "type": "{{type}}",
      "updated_at": "{{updated_at}}"
    },
    {{/report.new}}
  ]
  {{/rule.is_scan}}
}
```
- Navigate to the Rumble Alerts > Rules page, and create a rule for 'new asset' events as follows:
  - Name: New Assets Rule
  - Event: new-assets-found
  - Specify matching criteria for post-scan asset changes: "is greater than or equal to" & "1"
  - Limit to organization: any
  - Limit to site: any
  - Action: Notify
  - Notification channel: Microsoft Sentinel (as created previously)
  - Notification template: New Assets Template (as created previously)
- Repeat the previous two steps (template and rule) to additionally create an asset template and associated rule for 'changed asset' events. Refer to Rumble-MicrosoftSentinel/Data Connectors/changedAssetTemplate.txt for the template body, and use the 'assets-changed' event when creating the rule.
- Rumble will now send alerts to Microsoft Sentinel via the Azure Functions data connector when a scan task discovers new or modified assets.
- Rumble only sends alerts about new or modified assets after a scan task completes. To automate this, navigate to the Rumble Tasks > Overview page and create a scheduled scan that runs hourly.
- Verify data is populating in the RumbleAssets_CL and RumbleAlerts_CL tables and that the RumbleAssets and RumbleAlerts parsers are working as expected.
Note: It may take 15-20 minutes for data to be available in Log Analytics after enabling the data connector and triggering a function for the first time.
- Navigate to the Analytics page in Microsoft Sentinel and enable the following rules:
  - (Rumble) High value network asset changed
  - (Rumble) New network assets discovered