Integration
There are various ways that Wortell Managed Detection and Response can interact with a customer environment.
Collecting Alerts
Wortell uses its Vidara platform to collect alert-related data from the customer tenant. This data is required for automation, or for a Managed Detection and Response engineer, to respond to incidents. Wortell uses two APIs to collect alert information:
- Azure Sentinel API - Azure Sentinel collects alerts and logs in the customer tenant. Based on this data, Azure Sentinel creates incidents. Wortell uses the Azure Sentinel API to collect the incidents that Azure Sentinel has created.
- Microsoft Graph Security API - The Graph Security API is used for security products that do not have an Azure Sentinel connector available.
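An added example (not Wortell's or Vidara's own code) of the two alert feeds named above being folded into one triage queue: an incidents page as returned by the Azure Sentinel (Microsoft.SecurityInsights) REST API and an alerts page as returned by the Microsoft Graph Security API. The sample pages and identifiers are constructed placeholders; the field names follow the public schema of each API, and the two APIs paginate differently (ARM uses nextLink, Graph uses @odata.nextLink).

```python
import json

# Constructed sample pages; identifiers are placeholders, not real tenant data.
SENTINEL_PAGE = {
    "value": [
        {"name": "11111111-0000-0000-0000-000000000001",
         "properties": {"incidentNumber": 42, "title": "Suspicious sign-in",
                        "severity": "High", "status": "New",
                        "createdTimeUtc": "2024-01-10T08:00:00Z"}},
        {"name": "11111111-0000-0000-0000-000000000002",
         "properties": {"incidentNumber": 43, "title": "Old incident",
                        "severity": "Low", "status": "Closed",
                        "createdTimeUtc": "2024-01-09T08:00:00Z"}},
    ],
    "nextLink": "https://management.azure.com/PLACEHOLDER-next-page",
}
GRAPH_PAGE = {
    "value": [
        {"id": "PLACEHOLDER-graph-alert-id", "title": "Malware detected",
         "severity": "medium", "status": "new",
         "createdDateTime": "2024-01-10T09:00:00Z",
         "serviceSource": "microsoftDefenderForEndpoint"},
    ],
}

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

def page_items(page):
    """Return (items, next_url). ARM pages use 'nextLink'; Graph uses '@odata.nextLink'."""
    return page.get("value", []), page.get("nextLink") or page.get("@odata.nextLink")

def normalize_sentinel(incident):
    """Flatten a Sentinel incident resource into the shared record shape."""
    p = incident["properties"]
    return {"source": "sentinel", "id": incident["name"], "number": p["incidentNumber"],
            "title": p["title"], "severity": p["severity"].lower(),
            "status": p["status"].lower(), "created": p["createdTimeUtc"]}

def normalize_graph(alert):
    """Flatten a Graph Security alert into the shared record shape."""
    return {"source": alert.get("serviceSource", "graph"), "id": alert["id"], "number": None,
            "title": alert["title"], "severity": alert["severity"].lower(),
            "status": alert["status"].lower(), "created": alert["createdDateTime"]}

def open_queue(sentinel_page, graph_page):
    """Merge both sources, drop closed/resolved items, highest severity first, oldest first within a level."""
    items, _ = page_items(sentinel_page)
    records = [normalize_sentinel(i) for i in items]
    items, _ = page_items(graph_page)
    records += [normalize_graph(a) for a in items]
    records = [r for r in records if r["status"] not in ("closed", "resolved")]
    return sorted(records, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["created"]))

if __name__ == "__main__":
    print(json.dumps(open_queue(SENTINEL_PAGE, GRAPH_PAGE), indent=2))
```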
Execute KQL queries in Azure Sentinel
For various activities, such as investigating an incident or threat hunting, Wortell needs to execute KQL queries in Azure Sentinel.
Queries will be executed by the following types of accounts:
- Service Principals will be used for automated execution of queries by the Vidara platform.
- Named user accounts through Azure Lighthouse will be used by Managed Detection and Response engineers to execute KQL queries manually.
Defender for Endpoint
For various activities, such as investigating or remediating an incident, threat hunting or vulnerability management, Wortell needs access to Defender for Endpoint.
Activities will be executed by the following types of accounts:
- Service Principals will be used for automated activities in the Vidara platform.
- Named user accounts will be used by Managed Detection and Response engineers to execute activities manually.