Installation
Overview
Learn how to install the ReversingLabs Content Pack for Microsoft Sentinel and get started with specially crafted Microsoft Sentinel resources to enrich your SOC experience.
Prerequisites
To use resources included with the ReversingLabs Content Pack, you should have valid credentials for either ReversingLabs Spectra Intelligence or a Spectra Analyze API token.
You can purchase a license for the Spectra Intelligence enrichment APIs directly from the Azure Marketplace.
Installation
To begin using the provided content, the solution must first be installed from the Microsoft Sentinel content hub. The content hub is found under the “Content management” menu header in the Microsoft Sentinel resource blade.
In the search bar, enter "ReversingLabs", then click the "ReversingLabs Content Pack". Click Install to begin.
Playbook Setup
Several Microsoft Sentinel playbooks are included with the solution. These are available as deployable templates. After deploying a playbook, credentials will need to be configured to access ReversingLabs products.
Deploy a playbook template
To set up a playbook, first deploy the template from the content pack.
- From the content pack manager, select a playbook.
- Click the "Configuration" button.
- Click "Create playbook" to start the deployment.
- Enter the following information in the deployment menu:
  - Subscription: this is the subscription where the target Microsoft Sentinel instance is located.
  - Resource group: this is the resource group where the target Microsoft Sentinel instance is located.
  - Playbook name: customize the playbook name, if necessary. We recommend leaving this as the default value.
  - Enable diagnostics logs in Log Analytics: this option enables diagnostics logs for the logic app, including events such as failures and runtime metrics. We recommend enabling this option. If this option is enabled, select a Log Analytics workspace from the dropdown.
- (Spectra Analyze playbooks) After filling in the settings, click “Next: Parameters” and enter a valid Spectra Analyze instance URL in the format https://<hostname>
- Click "Next: Connections" and either select existing Logic App connections or leave the default to create a new connection.
- Click "Create" to finalize the deployment.
Authorize connectors
If this is the first time a ReversingLabs playbook has been deployed, API connections will need to be created for the associated Logic App connectors.
- Open the Logic App resource, then click "Logic App Designer".
- Click the "Errors" button to view the operations that require updating.
For details on setting up the Microsoft Sentinel connector, see the following documentation: https://learn.microsoft.com/azure/sentinel/automation/authenticate-playbooks-to-sentinel
Authorizing the Spectra Intelligence connector
To authorize the Spectra Intelligence connector, provide the following parameters:
- Connection Name: a friendly name for the connection
- Username: the username used to authenticate to Spectra Intelligence
- Password: the password used to authenticate to Spectra Intelligence
Authorizing the Spectra Analyze connector
To authorize the Spectra Analyze connector, provide the following parameters:
- Connection Name: a friendly name for the connection
- Token: the API token used to authenticate to the Spectra Analyze API, in the format Token <your token value>
- A1000 Host URL: the URL of the Spectra Analyze appliance, in the format https://<hostname>
The API token MUST be in the following format: Token <your token value>
Workbook Setup
A workbook is included that helps to visualize value provided by threat intelligence feeds and automation with ReversingLabs.
Install the Workbook
- Navigate to the ReversingLabs content pack manager.
- Select the checkbox next to "ReversingLabs-CapabilitiesOverview", then click "Configuration".
- On the next page, click "Save", select a region, then save again.
- Once the workbook is saved, click "View saved workbook".
Configure the workbook
The workbook must be configured to point to a valid Azure subscription and Microsoft Sentinel workspace.
- Click the “Subscription” parameter bubble, then select the subscription containing the Microsoft Sentinel workspace.
- Click the “Workspace” parameter bubble and select the target Microsoft Sentinel workspace.
- The workbook should automatically refresh and show data if available.
- Click the “Save” icon to save the workbook with these updated settings; the workbook has now been fully deployed.
Enable quota usage metrics
For Spectra Intelligence (formerly TitaniumCloud) users with a valid license or users that have subscribed to the Azure Marketplace offer ReversingLabs File Enrichment APIs, the workbook can be configured to monitor API quotas and view API usage.
Ensure that the ReversingLabs-CheckQuota playbook has been deployed before proceeding.
- Click the “API Usage” tab.
- Copy the ArmAction path of the playbook using the format below, replacing the placeholder values <subscription_id> and <resource_group_name> with the Azure subscription ID and resource group name of the deployed playbook:
  /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.Logic/workflows/ReversingLabs-CheckQuota/triggers/manual/run?api-version=2016-06-01
- With the path copied, click the “Edit” button in the workbook menu, then click the advanced editor button.
- In the advanced editor, press Control + F on the keyboard to open the search prompt and enter the ID b9059e5f-55bb-4e6d-9745-f7fe6497824d
- There will be two ArmAction objects with empty path items. Paste the ArmAction path from the previous step into both.
- Save the workbook to finalize the configuration.
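Because the ArmAction path is pasted by hand into two places, a typo in the subscription ID or resource group name only surfaces later as a failed "Check quotas" run. The following added example (not part of the ReversingLabs solution) validates the two inputs, builds the path in the documented format, and fills every empty ArmAction path in a workbook's serialized JSON; the `SAMPLE_WORKBOOK` structure is a constructed stand-in for the advanced-editor JSON, not the real template.

```python
import copy
import re
from typing import Any

# Path format from the ReversingLabs documentation; only the two placeholders vary.
ARM_ACTION_PATH = (
    "/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    "/providers/Microsoft.Logic/workflows/ReversingLabs-CheckQuota"
    "/triggers/manual/run?api-version=2016-06-01"
)
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
RG_RE = re.compile(r"^[-\w._()]{1,90}$")  # Azure resource-group naming rule (approximate)


def build_arm_action_path(subscription_id: str, resource_group: str) -> str:
    """Return the CheckQuota trigger path, refusing malformed inputs up front."""
    if not GUID_RE.match(subscription_id):
        raise ValueError(f"subscription id is not a GUID: {subscription_id!r}")
    if not RG_RE.match(resource_group) or resource_group.endswith("."):
        raise ValueError(f"invalid resource group name: {resource_group!r}")
    return ARM_ACTION_PATH.format(subscription_id=subscription_id, resource_group=resource_group)


def fill_empty_arm_actions(node: Any, path: str) -> int:
    """Recursively set every empty ArmAction path; returns the number updated (docs say two)."""
    count = 0
    if isinstance(node, dict):
        ctx = node.get("armActionContext")
        if node.get("linkTarget") == "ArmAction" and isinstance(ctx, dict) and not ctx.get("path"):
            ctx["path"] = path
            count += 1
        for value in node.values():
            count += fill_empty_arm_actions(value, path)
    elif isinstance(node, list):
        for value in node:
            count += fill_empty_arm_actions(value, path)
    return count


def patch_workbook(workbook: dict, subscription_id: str, resource_group: str) -> tuple[dict, int]:
    """Return a patched copy of the workbook JSON and how many ArmAction paths were set."""
    patched = copy.deepcopy(workbook)  # never mutate the caller's copy
    return patched, fill_empty_arm_actions(patched, build_arm_action_path(subscription_id, resource_group))


# Constructed sample: two empty ArmAction links under the documented item ID, plus an unrelated link.
SAMPLE_WORKBOOK = {"items": [
    {"name": "b9059e5f-55bb-4e6d-9745-f7fe6497824d", "content": {"links": [
        {"linkTarget": "ArmAction", "armActionContext": {"path": "", "httpMethod": "POST"}},
        {"linkTarget": "ArmAction", "armActionContext": {"path": "", "httpMethod": "POST"}}]}},
    {"name": "docs", "content": {"links": [{"linkTarget": "Url", "linkLabel": "Docs"}]}}]}
```

Paste the patched JSON back into the advanced editor and save; a `ValueError` before that point means the subscription ID or resource group name was mistyped.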
Checking connectivity and API usage
After completing the workbook configuration, it is recommended to test connectivity.
- Click the "API Usage" tab in the workbook.
- Click the "Check quotas" button.
- An ARM action blade will slide out from the right side of the screen. Click the "Run ARM action" button to continue.
- After a few minutes, click the workbook refresh button to reload the workbook.
- The workbook panel should automatically update and present the following information:
  - Timestamp: UTC timestamp of the last ReversingLabs-CheckQuota playbook run
  - Connection status: shows 'connected' for a successful connection to the Spectra Analyze API, or 'error'
  - API User: the TitaniumCloud user configured in the ReversingLabs-CheckQuota playbook
Upgrading
The Microsoft Sentinel Content Hub will indicate when a new version is available for installation. To upgrade, select the solution and click the "Actions" button, and then "Update".
Note that upgrades to the solution will only update the deployment templates and not any resources previously deployed.