How to Build an Alexa Skill to Report Critical Azure Sentinel Incidents Generated Overnight

A colleague of mine, Sonia Cuff, put together an interesting blog post recently that talks about how to integrate Azure Monitor with LIFX lighting devices. See: How to display Azure Monitor alerts with smart lights and no code.

That article really got my creative juices flowing. I’ve since ordered one of the LIFX light bulbs and plan to do something similar to what Sonia has done but for Azure Sentinel operations. Essentially, the idea is that the color will turn red when a High severity incident rolls through. Or, it will stay green as an all clear indicator. Or, maybe the hue will slowly progress from red to green as the SOC team is able to work through the day’s most critical Incidents. I’ll be working on this and putting something together in the near future, so stay tuned for that.

However, while I wait, I thought maybe there’s some additional but different capability I could work on in the interim. AND, considering that this year’s Azure Sentinel Hackathon is now in full swing, what better time to get creative. Did you see that first place is a $10,000 USD cash prize???

OK, so this one is a simple one, but I think it could provide some capability to bring SOC operations into the real world and possibly spur the creative juices for others.

To make this simple, I chose to utilize Amazon’s Blueprint capability instead of digging deep into the Alexa API. I plan to take this further with the API, but that will take some extra time.

Amazon’s Blueprint site has a number of templates that allow anyone to create an Alexa skill. I’ve used these before to deliver news about conferences and events, so this fits perfectly with what I want to accomplish. And, it’s literally a 2-3 step process that only requires me to enter some information.

The Blueprint template to use for this is the “Flash Briefing.” If you’re not familiar with the Alexa Flash Briefing, it’s a configurable, daily report of the news items that interest you.

Blueprints

In using this specific template, I can add an RSS feed from my blog based on a specific Tag. In my case, I have a tag called “Alexa.” When you apply tags, WordPress generates a specific RSS feed for that tag, so that’s the specific RSS feed I use and that’s where I want to post new information about Azure Sentinel Incidents that are generated overnight. That ensures Alexa is not capturing all my blog posts and just the ones I’ve pinpointed.

But, now I have to supply the information that Alexa will read back to me each morning as part of my Daily Briefing. Fortunately, Logic Apps has a connector for WordPress, so I can query my Azure Sentinel environment for the Incidents generated in the last 24 hours and send the information to a blog post where Alexa can pick it up from the updated RSS feed and read it back to me.

As shown in the image below, there are only three components to this.

  1. Run the Logic App on a schedule (Recurrence). Mine is set to run every morning at 6am.
  2. Run a query against my Azure Sentinel-enabled Log Analytics workspace. My query looks for Incidents generated in the last 24 hours and only Medium or High level severity.
  3. Publish a new blog post containing the query results and use the ‘Alexa’ tag.

Logic App

Here’s the query:

SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "New"
| where Severity == "Medium" or Severity == "High"
| project TimeGenerated, Title, Description, Severity
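To make the three Logic App steps concrete, here is the same flow written as plain Python. This is an added example, not code from the original post or from the Logic Apps connectors: it carries the KQL query above unchanged as a string (handing it to the Log Analytics query API, for example azure-monitor-query’s LogsQueryClient.query_workspace, is left out so the script runs offline), applies the query’s predicates to constructed sample incident rows, and builds one WordPress REST (wp/v2/posts) payload per incident using the ‘Alexa’ tag. The tag id, the sample incidents and the 6am run time are assumptions.

```python
"""Added example, not code from the original post or from Microsoft/Amazon: the
three Logic App steps (schedule, Sentinel query, WordPress post) as plain
Python, with constructed sample incident rows so it runs offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The query from the post, unchanged. To run it for real, hand this string to the
# Log Analytics query API (for example azure-monitor-query's
# LogsQueryClient.query_workspace); that network call is deliberately not made here.
SENTINEL_QUERY = """SecurityIncident
| where TimeGenerated > ago(1d)
| where Status == "New"
| where Severity == "Medium" or Severity == "High"
| project TimeGenerated, Title, Description, Severity"""

# Constructed "run time": the post's 6am daily schedule, in UTC.
EXAMPLE_NOW = datetime(2020, 10, 1, 6, 0, tzinfo=timezone.utc)


@dataclass
class Incident:
    """One SecurityIncident row; field names mirror the columns the query projects."""
    time_generated: datetime
    title: str
    description: str
    severity: str
    status: str


def sample_incidents(now=EXAMPLE_NOW):
    """Constructed sample rows (not real data) covering the query's edge cases."""
    return [
        Incident(now - timedelta(hours=2), "Suspicious sign-in",
                 "Sign-in from unfamiliar location for user alice", "High", "New"),
        Incident(now - timedelta(hours=5), "Malware detected",
                 "Defender detection on WS-0042", "Medium", "New"),
        Incident(now - timedelta(hours=6), "Informational rule hit",
                 "Low-value noise", "Low", "New"),              # wrong severity
        Incident(now - timedelta(days=2), "Stale incident",
                 "Older than the 24h window", "High", "New"),   # outside ago(1d)
        Incident(now - timedelta(hours=1), "Handled incident",
                 "Already closed by on-call", "High", "Closed"),  # not New
    ]


def filter_incidents(rows, now=EXAMPLE_NOW, lookback=timedelta(days=1)):
    """Apply the same predicates the KQL query does, client-side."""
    return [r for r in rows
            if r.time_generated > now - lookback
            and r.status == "New"
            and r.severity in ("Medium", "High")]


def build_post(incident, tag_id, public=False, include_description=False):
    """Build a WordPress REST (wp/v2/posts) payload for one incident.

    tag_id is the numeric id of the 'Alexa' tag (assumed; look it up in your
    WordPress install). Because the Flash Briefing can only read a public
    feed, the description (which may carry hostnames or usernames) is left
    out unless explicitly requested; a private post keeps the detail, but the
    public feed will not include it.
    """
    body = (f"{incident.severity} severity incident: {incident.title}. "
            f"Generated {incident.time_generated:%Y-%m-%d %H:%M} UTC.")
    if include_description:
        body += f" {incident.description}"
    return {
        "title": f"Overnight Sentinel incident: {incident.title}",
        "content": body,
        "status": "publish" if public else "private",
        "tags": [tag_id],
    }


def morning_briefing(rows, now=EXAMPLE_NOW, tag_id=1, public=False):
    """Steps 2 and 3 of the Logic App: filter the rows, one post per incident."""
    return [build_post(i, tag_id, public) for i in filter_incidents(rows, now)]


if __name__ == "__main__":
    import json
    for post in morning_briefing(sample_incidents(), tag_id=7, public=True):
        print(json.dumps(post, indent=2))
```

Of the five constructed rows only two survive the filter, which matches what the query would return for them. The payload defaults to a private post and leaves the incident description out of the body, because anything that reaches the public feed is readable by anyone, not just the SOC team.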

The blog post that gets published is pretty simple:

An overnight Incident

And, there’s a separate blog post for each Incident that is captured in my results. If you have an active SOC, the list Alexa reads back could be a long one.

Now, every morning as part of my daily routine of listening to the news Alexa provides, she also gives me an account of the security issues requiring my attention, helping me prepare and build my workload for the day.

One big thing to be aware of: the blog post MUST BE public. The way the Blueprint works, the blog post must be publicly accessible so that the RSS feed is accessible. The Logic App connector does support posting private blog posts, which would be preferable so the content is only available to the SOC team, but a private post never makes it into the public feed. This is why I’ll be delving deeper into the Alexa API to surface better capability.

More to come…

P.S. Funny enough…Amazon would NOT let me name my skill anything that had the word “Azure” in it. I had to take ‘Azure’ out before I could save my creation.
