Skip to main content
Skip table of contents

Microsoft Sentinel Actions

Actions for Microsoft Sentinel

  • Send Data. Sends a custom set of Lucidum data to Microsoft Sentinel.

Use Cases

Below are the possible use cases for the Send Data action:

  • If you want to run Lucidum “headless”, you can send relevant data to Microsoft Sentinel on a regular schedule.

  • You can send data to Microsoft Sentinel playbooks for remediation.

Prerequisites

To configure an action for Microsoft Sentinel, you must first collect the following information:

  • Workspace ID

  • Primary Key

  • Secondary Key

To do this:

  1. Log in to the Azure Portal.

  2. Navigate to the Log Analytics workspace (also called the Microsoft Sentinel workspace) where you store logs for Microsoft Sentinel. For more details, see https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview

  3. Go to Settings > Agents.

  4. Copy the Workspace ID, Primary Key, and Secondary Key.

Workflow

To create an action in Lucidum, follow these steps:

  1. Choose Action Center from the left pane.

  2. In the Action Center, choose from the action types in the Channels pane.

  3. To create a configuration for the action, click the Manage Configuration button. A configuration provides the connection and authorization information to communicate with the external solution.

  4. Save the configuration.

  5. To create an action, click the Create a new action button. An action specifies the task to execute, the data to include in the action, and how frequently to execute the action.

  6. Save the action.

  7. Lucidum automatically executes the action at the time and recurrence you defined in the action.

You can apply an existing configuration to more than one action. If a configuration already exists, you might be able to re-use the existing configuration and might not need to create a new one.

Microsoft Sentinel Configuration

  • Configuration Name. Identifier for the Configuration. This name will appear in the Lucidum Action Center.

  • Workspace ID. The unique identifier for the workspace in Sentinel. The Lucidum data is sent to this workspace.

  • Shared Key. The primary or secondary shared key for the account on Sentinel. This key is generated by Azure.

  • Maximum number of records per Payload. Specify the number of records to send to Sentinel in each action.

Create a new action/View Action

  • Action Type. This field is pre-populated with Send Data.

  • Configuration Name. Select an action configuration from the pulldown options.

  • Action Name. Identifier for the action. This name will appear in the Lucidum Action Center.

  • Description. Description of the action.

  • Filters. For new actions, the Add Filter button leads to the New Query page, where you can query for the assets or user records that you want to send to Sentinel. For existing actions, this field displays the query for this action. The Edit Filter button leads to the New Query page, with the current query already loaded for editing. For details on creating and editing queries in Lucidum, the section on Building Queries.

  • Schedule Settings. Define the schedule for the action. Choices are setting a Recurrence by date and time or After Data Ingestion, which happens at least once every 24 hours and can also be triggered manually.

  • Do not trigger the action unless. Specify the number of results from Filters as a prerequisite for executing the action.

  • Output Fields. For the records selected with the Filters field, specify the columns to include in the payload to send to Sentinel. When creating or editing the query, you can select these fields in the Query Results page > Edit Column button.

  • Sentinel Workspace Target Table Name. Name of the table in the Sentinel workspace where you want to store Lucidum data.

  • Dedup previous jobs. In this field, you specify whether you want duplicates of asset IDs (if your query is for assets) or user IDs (if your query is for users). You can specify integers between 0 and the number specified in Settings > System Settings > General > Data Settings > Action Result Retention in Days. This setting specifies the number of days that Lucidum stores action results.

    • If you specify “0” (zero), Lucidum includes all the records from the query in each execution of the action.

    • If you specify “1” (one), Lucidum examines the previous webhook payload and excludes records for asset IDs or user IDs that were sent in the payload of the last execution of the action.

    • If you specify “2” (two), Lucidum examines the last two webhook payloads and excludes records for asset IDs or user IDs that were sent in the payloads from the previous two executions of the action.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close