A prize-winning community integration between Rumble and Microsoft Sentinel

by Pearce Barry

Josh Lucas, a cybersecurity engineer at Loop Secure, recently took first place in Microsoft’s Sentinel Hackathon for his submission, “Rumble Network Discovery solution for Microsoft Sentinel.” For his project, Josh was looking for a way to better enable security teams during incident response, so he designed his solution to include “information that isn’t readily available from other solutions.” Josh achieved this by supplementing Microsoft Sentinel with two key Rumble strengths: asset discovery and custom integrations.

Microsoft’s Ann Johnson, Corporate Vice President of Security, Compliance & Identity (SCI) Business Development, shared the following on Josh’s win:

"Today’s threat landscape requires that customers deploy intelligent solutions at speed and scale. The Rumble Network Discovery solution offers deep Microsoft Sentinel integration with rich analytics, providing customers with new capabilities and enabling them to realize value faster. Its completeness makes the solution a standout amongst the hackathon competition."

Here at Rumble, we are very excited to hear of Josh’s winning submission! Congrats, Josh! Let’s take a look at the Rumble capabilities he used (and a few other Rumble capabilities, as well). Hopefully, you’ll find some inspiration for your next project or solution.

Design overview

Josh authored a very detailed writeup (and video), including a link to all the pieces you need to recreate his project. The following is a simplified diagram of his solution:

Microsoft Sentinel and Rumble solution diagram

Illustrated above, Josh’s solution utilizes a custom integration with the Rumble API and Rules Engine to send Rumble asset and service inventory data to Microsoft Sentinel (via Azure Functions). In addition to custom integration support, Rumble also offers a number of ready-to-use integrations.

Best-in-class asset discovery

The Rumble Explorer is a lightweight scan engine that can be easily deployed and scheduled to perform network scans, including recurring scans. Network assets discovered via these scans will populate into the asset inventory, creating new entries for first-time-seen assets, updating existing entries for previously-seen assets, and marking assets no longer seen as “offline.” Each asset is fingerprinted to provide as much data and context as possible about a particular asset, including the type of asset, vendor, and operating system. Fingerprinting is also performed for each discovered service running on an asset, including protocol, product, and vendor.

Josh’s project relies on Rumble for asset and service discovery, which feeds detailed inventory data into Microsoft Sentinel to “enrich hunting queries with contextual network information and provide insights.”

Pulling asset service inventory via the Rumble API

The Rumble REST API offers robust support for custom integrations. You can do things like pull asset and service data, manage scans, manage account settings, and much more. To see what you can do, check out all of the available Rumble API endpoint details in our Swagger documentation.

For his project, Josh utilizes the Rumble API to populate Rumble-discovered asset and service inventory data into Sentinel (via Azure Functions).

Webhooks via rules

The Rumble Rules Engine is a highly configurable feature. It provides the ability to automatically detect conditions and events, such as account logins, scan completions, and changes in inventory. Additionally, you can specify an action to automatically trigger based on certain conditions and events, like tagging certain assets following a scan or sending an alert if a high-value asset wasn’t found.

Josh’s project uses the Rumble Rules Engine to determine when new assets have been discovered (“new-assets-found”) or existing assets have changed (“assets-changed”), and he automatically forwards appropriate details via webhook to Azure Functions, which updates Sentinel with the latest data.
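To make the webhook-to-Sentinel path described above (and in the design overview) concrete, here is an added example that is not part of Josh's project or Rumble's code: a handler that accepts a Rules Engine webhook event, keeps only the two rule events named in the post, and builds a signed request for the Log Analytics HTTP Data Collector API, which is one way an Azure Function can write custom log records into the workspace behind Sentinel. The event payload shape (`rule_event`, `assets` with `id`, `hostname`, `addresses`, `os`), the `RumbleAssets` log type, and the workspace key are constructed assumptions; the signing scheme (HMAC-SHA256 over the method, length, content type, date and path, keyed with the base64-decoded workspace key) is the documented Data Collector API scheme.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Only the rule events named in the post are forwarded; everything else is dropped.
FORWARDED_EVENTS = {"new-assets-found", "assets-changed"}

# Constructed placeholder workspace credentials (not real values).
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY_B64 = base64.b64encode(b"constructed-placeholder-workspace-key").decode()

# Constructed sample webhook event; the real Rumble payload shape is an assumption here.
SAMPLE_EVENT = {
    "rule_event": "new-assets-found",
    "assets": [{"id": "asset-1", "hostname": "printer-3f", "addresses": ["10.0.4.17"], "os": "Linux"}],
}


def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects to be signed for POST /api/logs."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def sign_request(workspace_id: str, shared_key_b64: str, body: bytes, rfc1123_date: str) -> str:
    """HMAC-SHA256 the canonical string with the decoded workspace key; returns the Authorization value."""
    key = base64.b64decode(shared_key_b64)
    msg = build_string_to_sign(len(body), rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def records_from_event(event: dict) -> list:
    """Flatten the assets in a webhook event into one custom-log record each."""
    return [
        {"AssetId": a.get("id"), "Hostname": a.get("hostname"),
         "Addresses": ",".join(a.get("addresses", [])), "OS": a.get("os"),
         "RuleEvent": event.get("rule_event")}
        for a in event.get("assets", [])
    ]


def webhook_to_sentinel_request(event: dict, workspace_id: str, shared_key_b64: str,
                                log_type: str = "RumbleAssets", now: datetime = None):
    """Return (url, headers, body) for the Data Collector API, or None if the event is not forwarded."""
    if event.get("rule_event") not in FORWARDED_EVENTS:
        return None
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")  # RFC 1123 date the signature covers
    body = json.dumps(records_from_event(event)).encode("utf-8")
    headers = {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": date,
               "Authorization": sign_request(workspace_id, shared_key_b64, body, date)}
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body
```

In a real function the handler should also authenticate the inbound webhook (for example, a shared secret configured on the rule action) before trusting the payload, and the workspace key belongs in the function's application settings or Key Vault, never in code.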

But wait, there’s more!

Not ready to build your own custom integrations? Take a look at Rumble’s ready-to-use integrations. Rumble regularly adds new integrations, so keep checking back to see what’s new.

Working on an integration with Rumble?

We’d love to hear from you. Reach out to us if you have questions or need help.

