Microsoft
Microsoft Entra ID SAML integration
The goal of this document is to assist in configuring the SAML authentication with Microsoft Entra ID and Clear NDR®.
Entra ID Configuration
Log in to your Microsoft Azure Portal, click on the three lines in the top left corner and select Microsoft Entra ID.
Then navigate to Enterprise applications
Click on New application:
Click on Create your own application:
Enter the name of your application and select Integrate any other application you don't find in the gallery (Non-gallery)
Then click on save.
Navigate to:
Then click on :
Fill in the following fields:
Identifier (Entity ID) : https://CNCS_IP/saml2/metadata/
Reply Url: https://CNCS_IP/saml2/acs/
Download the Federation Metadata XML file:
Configuration of Clear NDR
Log in to Clear NDR® and navigate to the Administration site by clicking on any of the words below Administration on the left-hand side:
In the Administration site, click on Global System Appliances in the drop-down menu in the top left:
Navigate to Authentication and click:
Fill the following fields:
Identity Provider URL: this is the URL of the IdP. To find it, navigate to your Azure portal > Entra ID > Enterprise Applications and select the application you have created.
Click on Single Sign On and copy the App Federation Metadata URL:
Then upload the Identity Provider metadata (XML file you have downloaded in a previous step)
In the Service Provider section, fill in the following fields:
Service Provider Name: for example ProductionCNCS
Service Provider URL: https://production-scs.domain.com/
Tick Use name id as username (this is required for the Azure ID integration).
NOTE: Click on Apply, then Apply changes, and wait for the task to finish successfully.
User ID registration
Use the same username and the same email address as set in Entra ID: be careful about capital letters, they must be EXACTLY the same. Do not duplicate a user with different email addresses: 1 username = 1 email address = 1 ID in Entra ID.
Log out and try to log in with SAML authentication: enter the email address FIRST, then click on the SAML button.
For the rest of the configuration follow our Authentication documentation.
MS Teams integration
The goal of this document is to assist in configuring Clear NDR® to send notifications to MS Teams and provide WebHooks examples.
MS Teams Configuration
Channel configuration
Prior to configuring the incoming webhook, create a dedicated channel in your MS Teams deployment to receive alerts from Clear NDR®:
Incoming webhook configuration
Connect to your MS Teams app to create an Incoming Webhook.
Go to Apps and search for Incoming Webhook:
Select the Add to a team button to add the connector to the team or team channel where you want to send notifications.
Select the channel to which you want to send the notifications:
Choose a name for the Incoming webhook and click on Create
Copy the URL at the bottom of the page and paste it somewhere safe. This URL will be reused when configuring the Webhook integration in Clear NDR®:
Delete Webhook configuration in MS Teams
If you need to delete the Incoming webhook integration, navigate to the list of connectors in the MS Teams channel:
Click on Edit and then click on Configured on the left hand side:
Click on Manage and scroll to the bottom and click on Remove:
Clear NDR® Configuration
Log in to Clear NDR® and navigate to the Administration site by clicking on any of the words below Administration on the left-hand side:
In the Administration site, click on Integrations in the drop-down menu in the top left:
Create a WebHook that will send an API command to the MS Teams channel:
| Variable | Purpose |
|---|---|
| Name | Name of the webhook you want to create |
| Hook | The alert you want to send to Sentinel One |
| URL | MS Teams channel URL (the one you copied and pasted earlier) |
| Headers | WebHook header |
| HTTP Method | The HTTP method expected by the API endpoint |
| Template format | The format of the request |
| Template content | The actual content of the request |
MS Teams Webhook example
Send a message to a MS Teams channel
Name: MSTeamsTestMessage
Hook: Threat on Asset
URL: (example) https://cge962.webhook.office.com/webhookb2/5a9c4a1b-cff2-47bb-a718-bc654e5694f2@5984373b-b803-4e43-b16d-e5afa9a67738/IncomingWebhook/d2c6bf1822ec44eb8ad9f1dc528e3989/368102fa-7032-4ec8-b471-aff1aa79c63c
Headers: Content-Type: application/json
HTTP method: POST
Template format: Json
Template content:
{"text": "New Declaration of Compromise:
* Asset under attack: **{{ asset.value | tojson }}**
* Threat: **{{ threat.name | tojson }}**
* Threat Family: **{{ family.name | tojson }}**
* Killchain phase: **{{ killchain_name | tojson }}**
Investigate using Clear NDR Central Server: {{ family_url | tojson }}"}
Verify HTTPS certificate: On
Use system proxy: On
Choose Tenant: Tick the relevant tenant
How this would look in Clear NDR®:
Send a test message by clicking on Test send in the Stamus interface. You should get a 200 OK reply from MS Teams, as shown in the screenshot below.
This is what this test alert will look like in the MS Teams channel:
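To see what the webhook above actually sends, and to pre-check a rendered template before relying on Test send, here is an added example that is not part of the original page or of the Clear NDR product. It builds the same Markdown message as the template from a constructed alert (the alert values and the family URL are placeholders), serialises it once with json.dumps in place of the template's tojson filter, validates the body, and posts it with HTTPS certificate verification kept on, returning the HTTP status.

```python
import json
import ssl
import urllib.request

# Constructed sample of the alert fields the template references;
# the values are placeholders, not data from the original page.
SAMPLE_ALERT = {
    "asset": {"value": "10.0.12.7"},
    "threat": {"name": 'Suspicious "Beacon" C2'},   # embedded quote on purpose
    "family": {"name": "Example Family", "url": "https://cncs.example/family/42"},
    "killchain_name": "Command and Control",
}


def build_teams_body(alert):
    """Build the same message layout as the page's template and return the
    JSON request body. Serialising the whole object once escapes quotes and
    newlines inside alert fields, so they cannot break the JSON."""
    text = "\n".join([
        "New Declaration of Compromise:",
        f"* Asset under attack: **{alert['asset']['value']}**",
        f"* Threat: **{alert['threat']['name']}**",
        f"* Threat Family: **{alert['family']['name']}**",
        f"* Killchain phase: **{alert['killchain_name']}**",
        f"Investigate using Clear NDR Central Server: {alert['family']['url']}",
    ])
    return json.dumps({"text": text})


def body_is_valid(body):
    """Pre-flight check for a rendered template: the body must parse as JSON
    and carry the string 'text' key an Incoming Webhook message needs."""
    try:
        obj = json.loads(body)
    except ValueError:          # unescaped quote, raw newline, truncated body
        return False
    return isinstance(obj, dict) and isinstance(obj.get("text"), str)


def send_to_teams(webhook_url, body, timeout=10):
    """POST the body with certificate verification on (the page's 'Verify
    HTTPS certificate: On') and return the HTTP status; 200 means accepted."""
    req = urllib.request.Request(
        webhook_url, data=body.encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    ctx = ssl.create_default_context()   # verifies the webhook endpoint's certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status
```

A body that fails body_is_valid will not produce the 200 OK described above, so run the check on the rendered template before blaming the Teams side.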
