Learn how to integrate Nightfall with Microsoft Sentinel.
Microsoft Sentinel is Microsoft's SIEM tool which is part of the Microsoft Azure suite. You can use Sentinel as a SIEM tool and send Nightfall alerts to this tool.
To ingest any data into Microsoft Sentinel, you must use a data connector. A Sentinel data connector is a data pipeline which transfers data (alerts, incidents, and so on) from a specific source to Sentinel. Microsoft provides many out of the box data connectors to ingest data into Sentinel.
To send alerts from Nightfall to Sentinel, you must first configure Sentinel as a webhook endpoint. Because Sentinel has no out-of-the-box connector for Nightfall AI, this means creating a custom connector in Sentinel. Microsoft provides several ways to create custom connectors; to learn more, refer to this Microsoft documentation.
Once you create a custom connector in Sentinel, you must configure the Webhook endpoint in Nightfall.
Click Integrations in Nightfall.
Click Manage for the required integration.
Scroll down to the alerting section and click + Webhook.
Enter the Sentinel URL obtained when you configured Sentinel as a webhook (see the section above).
Click Test to verify the URL.
You must receive a message as shown in the following image.
On the webhook side, check that a POST message from Nightfall was received. If no POST message arrives, verify your Webhook URL and try again.
(Optional) Click Add Header to add authentication parameters.
Enter the authentication parameters (key value format) under the key and value columns, respectively.
Click the unlock icon to obfuscate the key value pair.
Click Save.
Once you configure Sentinel as a Webhook, Nightfall sends alert notifications to Sentinel, and you can view these notifications in Sentinel. To learn more about how to view visual data in Sentinel, refer to this Microsoft documentation. To learn more about querying logs with Microsoft's Kusto Query Language, refer to this Microsoft documentation.
Learn how to integrate Nightfall with a SIEM or push violations downstream to any alert drain, SOAR tool, BI tool, and more.
To integrate with a SIEM or push Nightfall alerts downstream, specify a webhook URL in your Nightfall console.
First, configure an incoming webhook in the tool you'd like to send Nightfall alerts into. For example, this could be Splunk, Sumo Logic, LogRhythm, Slack, PagerDuty, etc.
For LogRhythm integration, initialize the Webhook Beat by following these instructions.
This process will provide you with an HTTPS URL endpoint (as seen in step 4c). Copy this URL as you will use it to complete set up.
For Sumo Logic integration, configure an HTTP Logs and Metrics Source via the following instructions.
This process will provide you with a URL endpoint (as seen in step 10). Copy this URL as you will use it to complete set up.
For a Splunk integration, configure an HTTP Event Collector within Splunk via the following instructions.
This process will provide you with a URL endpoint (as seen in this step). Copy this URL as you will use it to complete set up.
To authenticate to the HTTP Event Collector, you may add an Authorization HTTP header, as described in the Splunk documentation, carrying your HTTP Event Collector token.
Note that the Authorization HTTP header for HEC requires the "Splunk" keyword before the HEC token.
It is also possible to add your HEC Token as part of the query string of the Collector URL. This can be done for both Splunk Cloud as well as Enterprise.
If you are a Splunk Cloud customer, you will have to ask Splunk to enable the "allowQueryStringAuth" flag for your Splunk Cloud instance by raising a Support Ticket with Splunk. This flag can only be changed on a paid account; on a free/trial account it is unavailable.
For Splunk Enterprise, you will have to enable query string authentication for your instance, by following these steps:
Open the $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf file. Each of your tokens appears by name in this file as a stanza of the form http://<token_name>.
Within the stanza of each token for which you want to enable query string authentication, add or change the following setting:
Once the flag is enabled, use the following steps to pass the HEC token in the URL query string. For more information on query string authentication from Splunk, refer to the docs here.
You can specify the HEC token as a query string parameter in the URL of requests to HEC, in the format shown below:
The following example shows a full Collector URL including a dummy HEC Token appended as a query string: (The example is for an Enterprise instance)
Note: We will be using the /services/collector/raw endpoint instead of the /services/collector/event endpoint. This is because the JSON format carried by webhooks from Nightfall is only accepted by the raw version of the HTTP Event Collector endpoint.
For Splunk Cloud customers, the above example URL will look different, since it includes the public-facing HEC URL. The endpoint (/services/collector/raw?token=12345678-1234-1234-1234-1234567890AB) should remain the same, however. Since you are on a Splunk Cloud instance, this URL is already reachable from the Nightfall console, and you can start using it as the Webhook URL in the Nightfall console. Continue with the steps after this section to complete webhook set up.
For Splunk Enterprise customers, a few extra steps are needed to expose the Splunk Collector to the Nightfall webhook, as described below.
The next step is exposing the local host and port of the Splunk collector through an HTTP listening tool, for example an ngrok tunnel or an nginx server. This is required so that the Enterprise Splunk instance is reachable by Nightfall's webhook from the console. Make sure that port 8088 (the default port on which HEC receives data) is enabled by navigating to "Global settings" in your Splunk Enterprise instance. Once the tunnel is up, the collector is reachable from the internet, so the HEC token in the URL or Authorization header is the only thing gating writes to it; treat it as a secret.
Steps for setting up a ngrok tunnel can be found here. If using a ngrok tunnel, the following command would generate a ngrok tunnel listening to the correct port and protocol for the collector:
./ngrok http https://localhost:8088
Once complete, the ngrok tunnel shows you an HTTPS Forwarding address, which is the ngrok host used in the following step. (HTTPS is required by Nightfall's webhook URL validation.)
Your ngrok tunnel URL with your HEC auth token should now look something like this:
https://<NGROK_HOST>/services/collector/raw?token=<YOUR_HEC_TOKEN>
This will be your Webhook URL that you can use in the Nightfall console. Now you are all set to integrate alerts from your Nightfall webhook to your ngrok tunnel.
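The following is an added example, not Nightfall's or Splunk's code, that ties the Splunk steps above together: it parses a constructed inputs.conf fragment containing two token stanzas (one with the allowQueryStringAuth setting named above turned on, one without it), runs a local stand-in for the /services/collector/raw endpoint, and posts a constructed payload to it the way the Test button in the Nightfall console would, once with the "Splunk <token>" Authorization header and once with the token in the query string. The first token reuses the dummy value from this page; the second, the stanza names, the payload and the HTTP status codes the stand-in returns are all assumptions made for the demonstration, and the stand-in only checks authentication, not Splunk's parsing of the body.

```python
"""Local stand-in for the Splunk HEC raw endpoint, used to check how the
Authorization header and the allowQueryStringAuth setting interact.

Added example; the inputs.conf text, tokens, payload and status codes are
constructed for this demonstration and are not Splunk or Nightfall defaults.
"""
import configparser
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Constructed inputs.conf fragment: one token stanza with query string
# authentication enabled, one that leaves it at its default (off).
INPUTS_CONF = """
[http://nightfall_webhook]
disabled = 0
token = 12345678-1234-1234-1234-1234567890AB
allowQueryStringAuth = true

[http://nightfall_header_only]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
"""

HEC_RAW_PATH = "/services/collector/raw"


def load_hec_tokens(conf_text):
    """Map each enabled HEC token to whether ?token= query string auth is allowed."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    tokens = {}
    for section in cp.sections():
        if not section.startswith("http://"):
            continue  # only HEC token stanzas are of interest
        if cp.getboolean(section, "disabled", fallback=False):
            continue
        tokens[cp.get(section, "token")] = cp.getboolean(
            section, "allowQueryStringAuth", fallback=False)
    return tokens


def check_hec_auth(authorization, query, tokens):
    """Accept 'Authorization: Splunk <token>' for any known token, and
    ?token=<token> only when that token's stanza allows query string auth."""
    if authorization.startswith("Splunk "):
        return authorization[len("Splunk "):] in tokens
    qs_token = parse_qs(query).get("token", [None])[0]
    return qs_token is not None and tokens.get(qs_token, False)


class MockHEC(BaseHTTPRequestHandler):
    """Stand-in for the raw endpoint; the status codes are this mock's choice."""
    tokens = {}
    received = []

    def do_POST(self):
        parsed = urlparse(self.path)
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if parsed.path != HEC_RAW_PATH:
            code = 404
        elif not check_hec_auth(self.headers.get("Authorization", ""),
                                parsed.query, self.tokens):
            code = 403  # rejected: bad token, missing "Splunk" keyword, or query auth not allowed
        else:
            MockHEC.received.append(json.loads(body))
            code = 200
        self.send_response(code)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demonstration quiet


def post_event(url, payload, headers=None):
    """POST a JSON body as the Nightfall Test button would; return the HTTP status."""
    req = Request(url, data=json.dumps(payload).encode(), method="POST",
                  headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_checks():
    """Exercise header auth, query string auth and three misconfigurations."""
    MockHEC.tokens = load_hec_tokens(INPUTS_CONF)
    MockHEC.received = []
    server = HTTPServer(("127.0.0.1", 0), MockHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}{HEC_RAW_PATH}"
    qs_ok = "12345678-1234-1234-1234-1234567890AB"
    header_only = "00000000-0000-0000-0000-000000000000"
    sample = {"event": "violation", "note": "constructed sample, not a real Nightfall payload"}
    results = {
        "header_auth": post_event(base, sample, {"Authorization": f"Splunk {qs_ok}"}),
        "query_auth_allowed": post_event(f"{base}?token={qs_ok}", sample),
        "query_auth_not_allowed": post_event(f"{base}?token={header_only}", sample),
        "header_missing_splunk_keyword": post_event(base, sample, {"Authorization": qs_ok}),
        "no_auth": post_event(base, sample),
    }
    results["delivered"] = len(MockHEC.received)
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for name, status in run_checks().items():
        print(f"{name}: {status}")
```

The header-only stanza shows the failure mode a Splunk Enterprise admin runs into when the inputs.conf edit above is skipped: the token is valid, so the Authorization header works, but the same token in the query string is refused. Pointing the Test button in the Nightfall console at the real collector URL gives the same two outcomes.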
Next, configure the outgoing webhook in Nightfall. This webhook will fire in real-time upon a new event (e.g. a new violation is created).
Navigate to the integration for which you want to set up a webhook for alerts. Webhooks are available for all native integrations.
Select the Settings tab on the top.
Select Change or Add next to the Webhook option.
Enter the URL to your webhook endpoint.
You may send a sample payload to the endpoint that you have entered to verify a successful connection using the Test button.
You may also add HTTP Headers to send authentication tokens or other content using the Add Headers button.
Once your header key and value are entered, you may obfuscate them by clicking the "lock" icon next to the value field for the header. Click the Save button to persist your changes to the headers.
When you have completed configuring your Webhook URL and Headers, click the Save button.
Going forward, you will now see events sent directly from Nightfall into your SIEM or other solution of choice.
When Nightfall sends a message to the configured Webhook, an event is always included in the message. Nightfall sends the four types of events listed in the following table.
The following are examples of the payload delivered to the webhook for detection rules that were violated. There is one example per integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
The following are examples of the payload delivered to the webhook for remediations/actions taken on the Nightfall Events mentioned above. There is one example per integration, so the specific fields may vary based on the Nightfall product you are using (e.g. Slack, GitHub, Google Drive, Jira, etc.).
Event Name | Event Description
---|---
exposure_update | An alert that triggers if there are new findings, or if findings have been removed from the Nightfall Event.
resolution | An alert that triggers when the Nightfall Event is resolved.
violation | An alert that triggers when a new Nightfall Event is created.
remediation | An alert that triggers when any remediation action (e.g. redact, delete) is taken on the content of the Nightfall Event.