Microsoft¶
Microsoft Entra ID SAML integration¶
The goal of this document is to assist in configuring the SAML authentication with Microsoft Entra ID and Clear NDR®.
Entra ID Configuration¶
Log in to your Microsoft Azure Portal, click on the 3 lines on the top left and select Microsoft Entra ID

Then navigate to Enterprise applications

Click on New application
:

Click on Create your own application
:

Enter the name of your application and select Integrate any other application you don't find in the gallery (Non-gallery)

Then click on save.
Navigate to:

Then click on :

Fill in the following fields:
Identifier (Entity ID) : https://CNCS_IP/saml2/metadata/
Reply Url: https://CNCS_IP/saml2/acs/
Download the Federation Metadata XML file:

Configuration of Clear NDR¶
Log in to Clear NDR® and navigate the Administration site by clicking on any words below Administration
on the left hand side:

In the Administration site, click on Global System Appliances
in the drop down menu in the top left:
Navigate to Authentication
and click:

Fill the following fields:
Identity Provider Url
: this is the URL of the IdP, navigate to your Azure portal > Entra ID > Enterprise Applications
and select the application you have created.
Click on Single Sign On
and copy the App Federation Metadata URL:

Then upload the Identity Provider metadata (XML file you have downloaded in a previous step)

In the Service Provider section, fill in the following fields:
Service Provider Name: for example ProductionCNCS
Service Provider URL: https://production-scs.domain.com/
Tick Use name id as username
(this is required for Azure ID integration”

NOTE: Click on Apply
then Apply changes
and wait for the task to finish succesfully.
User ID registration

Put the same username and same email address as it is careful set on ENTRA: be careful about the capital letters, they should be EXACTLY the same. Do not duplicate the name of the user with different email addresses: 1 username=1 email address= id on ENTRA


Disconnect and try to log with the SAML Authentification PUT first the email address and then click on the SAML button
For the rest of the configuration follow our Authentication documentation.
MS Teams integration¶
The goal of this document is to assist in configuring Clear NDR® to send notifications to MS Teams and provide WebHooks examples.
MS Teams Configuration¶
Channel configuration¶
Prior to configuring the incoming webhook, create a dedicated channel in your MS Teams deployment to receive alerts from Clear NDR®:

Incoming webhook configuration¶
Connect to your MS Teams app to create an Incoming Webhook
.
Go to Apps
and search for Incoming Webhook
:

Select the Add to a team
button to add the connector to the Team or Team channel name site where you want to send notifications.

Select the channel in which you an to send the notifications:

Choose a name for the Incoming webhook and click on Create

Copy the URL at the bottom of the page and paste it somewhere else. This URL will be re used when configuring the Webhook integration in Clear NDR®:

Delete Webhook configuration in MS Teams¶
If you need to delete the
Incoming webhook integration
, navigate to the list of connectors in the MS Teams channel:

Click on Edit
and then click on Configured
on the left hand side:

Click on Manage
and scroll to the bottom and click on Remove
:

Clear NDR® Configuration¶
Log in to Clear NDR® and navigate the Administration site by clicking on any words below Administration
on the left hand side:

In the Administration site, click on Integrations
in the drop down menu in the top left:

Create a WebHook that will send an API command to the MS Teams channel:
Variable |
Purpose |
---|---|
Name |
Name of the webhook you want to create |
Hook |
The alert you want to send to Sentinel One |
URL |
MS Teams channel URL (the one you copy and pasted earlier) |
Headers |
WebHook header |
HTTP Method |
The HTTP method expected by the API endpoint |
Template format |
The format of the request |
Template content |
The actual content of the request |
MS Team Webhook example¶
Send a message to a MS Teams channel
Name: MSTeamsTestMessage
Hook: Threat on Asset
URL: (example) https://cge962.webhook.office.com/webhookb2/5a9c4a1b-cff2-47bb-a718-bc654e5694f2@5984373b-b803-4e43-b16d-e5afa9a67738/IncomingWebhook/d2c6bf1822ec44eb8ad9f1dc528e3989/368102fa-7032-4ec8-b471-aff1aa79c63c
Headers: Content-Type: application/json
HTTP method: POST
Template format: Json
Template content:
{"text": "New Declaration of Compromise:
* Asset under attack: **{{ asset.value | tojson }}**
* Threat: **{{ threat.name | tojson }}**
* Threat Family: **{{ family.name | tojson }}**
* Killchain phase: **{{ killchain_name | tojson }}**
Investigate using Clear NDR Central Server: {{ family\_url | tojson }}"}
Verify HTTPS certificate: On
Use system proxy: On
Choose Tenant: Tick the relevant tenant
How this would look in Clear NDR®:


Send a test message by clicking on Test send
in the Stamus interface. You should have a 200 OK reply as shown in the screen shot below from MS Teams.

This is what this test alert will look like in the MS Teams channel:
