Lansweeper App For Sentinel (Preview)

The Integration of Lansweeper app on the MS Sentinel Platform implements the investigative actions and enables end-users to implement any use cases as a combination of the below-mentioned actions. Authorization: Authenticate the connection with Lansweeper APIs using the Authorization Token from Logic app. List Authorized Sites: Retrieve the list of the authorized sites. Hunt IP or Hunt MAC: Get the asset details from the Lansweeper platform for the given Site ID and IP address or MAC address.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name Lansweeper Support team
URL https://www.lansweeper.com/kb/
Email [email protected]
Connector Metadata
Publisher Lansweeper
Website https://www.lansweeper.com/
Privacy policy https://www.lansweeper.com/privacy-policy/
Categories Security;IT Operations

The Lansweeper App for MSFT Sentinel allows SOC team members to leverage the Lansweeper capabilities of IT Asset discovery and identification, allowing it to be automated via the Microsoft Logic App.

It will allow end-users to implement any use cases on the Lansweeper Platform that are possible using a combination of the below-mentioned actions.

Authentication: Create a Logic app with a custom connector. Authenticate the connection with Lansweeper APIs using the API Key from Logic app.
List Authorized Sites: Retrieve the list of the authorized sites.
Hunt IP: Get the asset details from the Lansweeper platform for the given Site ID and IP address.
Hunt MAC: Provide the asset details from the Lansweeper platform for the given Site ID and MAC address

Prerequisites

  • An Azure subscription
  • Lansweeper API Authorization Token

How to get Authorization Token for Lansweeper API connection

Refer Personal Application to get Lansweeper API Authorization Token

How to use connector

Steps

You will need the following to proceed:

  1. Go to Azure Logic app → Logic app designer.
  2. Select triggers as per your requirement.
  3. Choose New step, then Add an action.
  4. Search for the Lansweeper App For Sentinel connector, then choose the action associated with that connector.
  5. Enter a name for the connection and the API key token that you have generated from above step : How to get Authorization Token for Lansweeper API connection.
  6. Use below mentioned GraphQL queries for List Authorized Sites, Hunt IP and Hunt MAC operations :

[List Authorized Sites]: Get site IDs

{
  authorizedSites
  {
    sites 
    {
      id
      name
    }
  }
}

[Hunt IP]: Get asset details using IP address

query getAssetResources 
{
  site(id: "{Site ID value}") 
  {
    assetResources
    (
      assetPagination: { limit: 20, page: {Currentpage value}, cursor: {Cursor value}}
      fields: 
      [
        "assetBasicInfo.name"
        "assetBasicInfo.userDomain"
        "assetBasicInfo.description"
        "assetBasicInfo.mac"
        "assetCustom.model"
        "batteries.availability"
        "graphicsCards.manufacturer"
        "networkAdapters.macAddress"
        "networks.ipAddressV4"
        "url"
      ]
      filters: 
      {
        conjunction: AND
        conditions: 
        [
          {
            operator: LIKE
            path: "assetBasicInfo.ipAddress"
            value: "{IP Address value}"
          }
        ]
      }
    ) 
    {
      total
      pagination 
      {
        limit
        current
        next
        page
      }
      items
    }
  }
}
  • {Site ID value}: Site ID for which we need to get asset details
  • {Currentpage value}: We have to specify FIRST, LAST or NEXT as value for current page.
     Fields like current and next contain what are called cursors. These cursors indicate from which element the current page should be filled.
     For more details refer link
  • {Cursor value}: The previous page can be obtained the same way but with the cursor current and page PREV.
     When using Currentpage value to FIRST or LAST, cursors are ignored.
     For more details refer link
  • {IP Address value}: Lookup IP Address to get asset details

[Hunt MAC]: Get asset details using MAC address

query getAssetResources 
{
  site(id: "{Site ID value}") 
  {
    assetResources
    (
      assetPagination: { limit: 20, page: {Currentpage value}, cursor: {Cursor value}}
      fields: 
      [
        "assetBasicInfo.name"
        "assetBasicInfo.userDomain"
        "assetBasicInfo.description"
        "assetBasicInfo.mac"
        "assetCustom.model"
        "batteries.availability"
        "graphicsCards.manufacturer"
        "networkAdapters.macAddress"
        "networks.ipAddressV4"
        "url"
      ]
      filters: 
      {
        conjunction: AND
        conditions: 
        [
          {
            operator: LIKE
            path: "assetBasicInfo.mac"
            value: "{MAC Address value}"
          }
        ]
      }
    ) 
    {
      total
      pagination 
      {
        limit
        current
        next
        page
      }
      items
    }
  }
}
  • {Site ID value}: Site ID for which we need to get asset details
  • {Currentpage value}: We have to specify FIRST, LAST or NEXT as value for current page.
     Fields like current and next contain what are called cursors. These cursors indicate from which element the current page should be filled.
     For more details refer link
  • {Cursor value}: The previous page can be obtained the same way but with the cursor current and page PREV.
     When using Currentpage value to FIRST or LAST, cursors are ignored.
     For more details refer link
  • {MAC Address value}: Lookup MAC Address to get asset details

Creating a connection

The connector supports the following authentication types:

Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
API Token securestring The Token for this api True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Get the list of Site IDs and Asset details

Retrieve list of Site IDs, Asset details for the given IP Address or MAC Address.

Get the list of Site IDs and Asset details

Retrieve list of Site IDs, Asset details for the given IP Address or MAC Address.

Parameters

Name Key Required Type Description
Content-Type
Content-Type True string

Content-Type

query
query string

query

Returns