If you use Microsoft Sentinel, you can use this integration to create logs in Sentinel with data from Scorecard scores, factor scores, and issues for your organization and Portfolios. The integration also inserts three carefully curated dashboards into a Sentinel Workbook.
Set up the integration
Before you start setup, make sure you have the following:
- A Microsoft Azure instance with:
  - A subscription
  - A Resource Group
  - A Log Analytics workspace
  - A Sentinel instance
- A SecurityScorecard API token to enable Sentinel to communicate with SecurityScorecard. Learn how to create a token.
To set up the integration, take the following steps:
- Install the SecurityScorecard Ratings for Microsoft Sentinel Azure application.
- Add three Data Connectors to a Sentinel instance.
- Save a workbook in the Sentinel instance.
Step 1: Install the Azure application
- After logging into your Microsoft Azure instance, enter SecurityScorecard in the top search bar.
- Filter by the Marketplace tag and select SecurityScorecard Ratings for Microsoft Sentinel.
- In the application overview, click Create.
- Select the subscription, resource group, and workspace for installing the integration, and complete the creation process.
Note: The workspace name is the same as the Sentinel instance name.
A completion message appears.
Step 2: Add data connectors
- In your chosen Sentinel instance, select Data connectors from the left menu.
- Select SecurityScorecard Cybersecurity Ratings, and click Open connector page.
- Copy the workspace ID and the primary key. Then click Deploy to Azure.
- Provide the information needed for the deployment:
  - Paste in the workspace ID and the primary key (workspace key) that you copied from the connector page.
  - Paste in the SecurityScorecard key (API token) that you created.
  - Enter https://api.securityscorecard.io as the base URL.
  - Enter the domain for your organization’s Scorecard.
  - Enter a comma-separated list of SecurityScorecard Portfolio IDs.
  - Set a daily ratings schedule.
    For example, the expression 0 0 2 * * * includes a seconds field.
  - Leave default settings for other fields.
- Complete the creation of the data connector.
Set up the other two data connectors the same way. All three connectors are necessary for operating the integration workbook.
Step 3: Add the workbook
- Open the Sentinel instance and select Workbooks from the left menu.
- Locate the SecurityScorecard workbook and scroll down in the panel on the right to select View saved workbook.
- Update the placeholder domain with your own and save it. Then click Refresh.
The information for your Scorecard domain appears.
- Click Vendor Scores, and click Refresh to see the information for your domain in that tab.
- Click Save on the top menu.
The workbook updates and retains your domain.
Start using the integration
Query the logs
This integration creates one table with each data connector, classified as Custom Logs. To view and query these logs:
- Inside the Sentinel instance, select Logs from the left menu.
- Close any pop-up dialogs.
- Use Azure’s Kusto Query Language to query the individual tables, as with the following example screenshots.
Note: These tables are named according to the parameters you provided during the Data Connector setup.
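A query to confirm that all three connector tables are receiving data, as an added example that is not part of the original article or SecurityScorecard's own material. The three table names are placeholders to replace with the names you chose during Data Connector setup, and the 36-hour staleness threshold is an assumption based on the daily schedule.

```kusto
// Added example: freshness check for the three connector tables.
// PLACEHOLDER_*_CL are hypothetical names; substitute the table names you
// provided during Data Connector setup (custom log tables end in _CL).
let lookback = 7d;
let maxAge = 36h;   // assumed threshold: one daily run plus slack
let expected = datatable(SourceTable: string)
[
    "PLACEHOLDER_RATINGS_CL",
    "PLACEHOLDER_FACTORS_CL",
    "PLACEHOLDER_ISSUES_CL"
];
// isfuzzy=true skips a table that does not exist yet instead of failing,
// as long as at least one of the three tables is present.
let seen =
    union withsource=SourceTable isfuzzy=true
        PLACEHOLDER_RATINGS_CL,
        PLACEHOLDER_FACTORS_CL,
        PLACEHOLDER_ISSUES_CL
    | where TimeGenerated > ago(lookback)
    | summarize LastRecord = max(TimeGenerated), Records = count() by SourceTable;
// Left outer join keeps a row for every expected table, so a connector
// that never wrote anything shows up as NO DATA rather than disappearing.
expected
| join kind=leftouter seen on SourceTable
| extend Records = coalesce(Records, 0)
| extend Status = case(
    isnull(LastRecord), "NO DATA",
    now() - LastRecord > maxAge, "STALE",
    "OK")
| project SourceTable, LastRecord, Records, Status
| order by SourceTable asc
```

Because the workbook depends on all three connectors, any row that is not OK points to the connector to recheck.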
Use the workbook
Note: You must set up all three data connectors to use the workbook that is provided with this integration.
This workbook includes six dashboards:
- My Scorecard - An overview of your organization's Scorecard
- Vendor Scores - An overview of scores for vendors and partners whom you follow
- Active Issues - An overview of currently unresolved issues across your Portfolio
- Issues per Vendor (CVE) - A filtered version of the Active Issues dashboard focused on Common Vulnerabilities and Exposures (CVEs)
- Issue per Vendor (Ransomware) - A filtered version of the Active Issues dashboard focused on Ransomware events
- Spotlight - A set of important and notable insights
See the following examples:
See the listing for the Sentinel integration in Azure Marketplace.
If you need help or have questions about the integration, submit a Support request.