WA SOC Overwatch is a live external passive monitoring service, built on Shodan Monitor, that the WA SOC Threat Intelligence Team uses to track changes to key internet-facing assets. The goal of this service is to detect high-risk exposures and potential threats associated with the following Overwatch Factors and to share this threat intelligence with our customers:
Overwatch Factors
- verified compromised or malware-detected services
- unverified compromised or malware-detected services
- exposed databases
- IoT services detected
- restricted ports detected
- uncommon ports detected
- vulnerable and unverified services
- new service detected
- industrial control system detected
- internet scanner activity
- expired SSL certificate detected
Azure Permissions
- Resource Group Owner
- Azure Sentinel Contributor
Files
As part of the beta the following files will be required.
Steps | File | Description |
---|---|---|
Workflow | overwatch_workflow.json | The webhook Logic App workflow template that pulls WA SOC Overwatch detections into your Azure tenant; the flow then pushes each detection into a Microsoft Sentinel workspace |
Rules | sentinel_rule_v1.json | The pre-made Microsoft Sentinel rule that raises an incident when a new Overwatch detection is ingested |
NOTE: This service is for WA SOC Customers only.
To get access to the WA SOC Overwatch service, please fill in the following application form and we will provide a link with further details.
Once your onboarding application form has been approved and finalised, proceed with the installation steps.
- Deploy the Workflow template to your Azure tenant (Azure portal login required).
Easy Deploy
Click on the following Deploy to Azure button to deploy the custom template.
Manual Deployment
- Once the template has been deployed, select the Basic tab and fill in the following parameters to complete the deployment of the playbook.
Parameters | Description |
---|---|
Resource Group | Select a Resource Group to host the logic app |
Location | Select an Azure region to host the logic app |
Playbook Name | The name of the Logic App Playbook -- Default Name: WASOCOverwatchWorkflow |
Log Analytics Connection Name | The name of the connection used to link the logic app to Log Analytics. -- Default Name: WASOCOverwatchConnection |
Log Analytics Workspace ID | The workspace ID of the Log Analytics workspace connection. Further information found here |
Log Analytics Workspace Key | The workspace key of the Log Analytics workspace connection. Further information found here |
Authentication Key | The shared authentication key that prevents unauthorised ingest through the webhook endpoint. |
- Once the parameters have been filled in, proceed to the Review + Create step so that Azure can validate the template; once validation completes, click Create to finalise the Logic App workflow.
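The Workflow step above has two trust boundaries: the Authentication Key that gates the webhook, and the Workspace ID and Workspace Key that authenticate the push into Log Analytics. The following Python is an added example of both checks, not the page's Logic App template or WA SOC code. It assumes the detection arrives as a JSON body with the key in an `X-Auth-Key` header (a hypothetical header name), uses the Log Analytics HTTP Data Collector API SharedKey signing scheme, and names the custom table `WASOCOverwatch` (an assumed Log-Type); all sample values are constructed, and the request is built but not sent.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values for this example; not real credentials or a real tenant.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder workspace ID
SAMPLE_WORKSPACE_KEY = base64.b64encode(b"constructed sample workspace key").decode()
SAMPLE_DETECTION = {"factor": "expired ssl certificate detected", "asset": "203.0.113.10:443"}
AUTH_HEADER = "X-Auth-Key"  # hypothetical header carrying the Authentication Key

def webhook_authorized(headers: dict, expected_key: str) -> bool:
    """Gate on the shared Authentication Key; constant-time compare avoids timing leaks."""
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected_key.encode())

def build_signature(workspace_id: str, shared_key: str, rfc1123_date: str, content_length: int) -> str:
    """Data Collector API 'SharedKey' value: HMAC-SHA256 over the canonical string,
    keyed with the base64-decoded workspace key."""
    string_to_sign = f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode(), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_ingest_request(workspace_id: str, shared_key: str, log_type: str, detection: dict) -> dict:
    """Assemble the POST that lands one detection in the custom table <log_type>_CL (not sent here)."""
    rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps([detection]).encode()
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
            "Log-Type": log_type,
            "x-ms-date": rfc1123_date,
        },
        "body": body,
    }

def signature_valid(request: dict, workspace_id: str, shared_key: str) -> bool:
    """Recompute the signature from the request's own date and body length; True if it matches."""
    expected = build_signature(workspace_id, shared_key, request["headers"]["x-ms-date"], len(request["body"]))
    return hmac.compare_digest(expected, request["headers"]["Authorization"])

def handle_webhook(headers: dict, raw_body: bytes, expected_key: str, workspace_id: str, shared_key: str):
    """Webhook entry point: reject unauthenticated posts, otherwise build the Log Analytics ingest request."""
    if not webhook_authorized(headers, expected_key):
        return None
    return build_ingest_request(workspace_id, shared_key, "WASOCOverwatch", json.loads(raw_body))
```

A rejected post returns `None` before any workspace credential is touched, so a caller that forgets the Authentication Key can never reach the ingest step.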
To have Microsoft Sentinel detect WA SOC Overwatch events, deploy this rule template using the guide to import rules.
NOTE: This step should be completed only after a WA SOC Overwatch event has first been ingested into the Log Analytics workspace. Initially ingested data may take an hour or more to appear as a queryable table.
For any inquiries about the beta, please forward your questions to [email protected]