Red Sift Solution for Microsoft Sentinel

by Red Sift

Ingest Red Sift authentication events and OnDMARC email forensics into Microsoft Sentinel

The Red Sift Solution for Microsoft Sentinel brings telemetry from the Red Sift Platform, including Red Sift authentication activity and OnDMARC email forensics, directly into your Microsoft Sentinel workspace so you can track threats. Events are delivered using the Codeless Connector Framework (CCF) push model with a Data Collection Endpoint (DCE) and Data Collection Rule (DCR), so no polling agents or custom code are required.


Once deployed, Red Sift posts events to your Sentinel workspace using an Entra app registration that is automatically provisioned during install. Authentication events land in `RedSiftAuth_CL` and email forensics events land in `RedSiftEmailForensics_CL`, ready to be queried, joined with other Sentinel sources, and used to drive detections, hunts and incidents.


Content included in this solution

- Data Connectors: 1 (Red Sift Events – CCP Push, covering Pulse auth + OnDMARC email forensics)
- Analytic Rules: 5
  - Red Sift – Login from previously unseen IP address
  - Red Sift – MFA disabled on account
  - Red Sift – New email with URL from previously unseen sender
  - Red Sift – New email with URL from previously unseen source
  - Red Sift – Email with URL to previously unseen domain
- Custom tables: `RedSiftAuth_CL`, `RedSiftEmailForensics_CL`


Prerequisites

- An active Microsoft Sentinel workspace.

- A Red Sift tenant with access to Pulse and/or OnDMARC. Sign up or learn more at redsift.com.

- Permission to create an Entra ID app registration (Application Developer role or higher).

- Permission to assign the Monitoring Metrics Publisher role on the Data Collection Rule (Owner or User Access Administrator).



Key Features


Available Event Types

- Audit Logs - Captures user and account activity across Red Sift products such as OnDMARC, Brand Trust, and Certificates.
- Forensics - An event is sent for every Forensics report as it is processed. For maximum flexibility, events are split into two kinds:
  - With URLs: Forensics reports for emails that include URLs in their body. The URLs may be useful as signatures for anti-phishing software or as IoCs (indicators of compromise) for investigation.
  - Without URLs: Forensics reports for emails that did not include URLs in their body.

At a glance

Screenshots (images not reproduced here): the Red Sift connector; the connector open with its available analytic rules; the "Forensics email with URL from an unseen source IP" rule; a rule-triggered alert when an event is detected.