Azure Microsoft Sentinel Integration
Written by Muhammad Omar Khan

About Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution. It delivers security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

The Microsoft Sentinel and SIRP integration allows SOC teams to ingest incidents, alerts, and entity data from Microsoft Sentinel and accelerate threat identification and investigation. Bidirectional integration between SIRP SOAR and Microsoft Sentinel enables SOC teams to orchestrate and automate response actions through playbooks, which cuts detection, investigation, and response time dramatically.

Supported Actions

SIRP’s Microsoft Sentinel integration app allows you to execute the following actions:

S.no | Action | Description

1 | Get Incidents | Ingest incidents from Microsoft Sentinel

2 | Get Incident Alerts | Fetch the alerts of a particular incident from Microsoft Sentinel

3 | Get Incident Entities | Fetch the artifacts (entities) of a particular incident from Microsoft Sentinel

4 | Update Classification | Update an incident's classification in Microsoft Sentinel

5 | Update Severity | Update an incident's severity in Microsoft Sentinel

6 | Update Status | Update an incident's status in Microsoft Sentinel

Enable and Configure Microsoft Sentinel

1. Launch Azure CLI

Open the Azure CLI installed on your machine, or go to https://shell.azure.com, which lets you run all Azure CLI commands in your browser without installing anything locally.

2. Get Subscription ID

Run the following command in your Azure CLI:

> az account show --query id -o tsv

3. Create a Service Principal

A service principal is an Azure identity that allows you to perform actions on Azure resources. It is created for use by applications, hosted services, and automated tools that need to access Azure resources. In this case, it is used to generate the tokens that SIRP needs to authenticate with the Azure REST APIs. Click here to learn more about service principals.

To create a service principal in your tenant, run the following command in your Azure CLI, replacing <subscription id> with the value from the previous step and <resource group name> with the name of the resource group that holds your Log Analytics workspace:

> az ad sp create-for-rbac --role contributor --scopes /subscriptions/<subscription id>/resourceGroups/<resource group name>

The command prints the appId, password, and tenantId values that you will enter into SIRP later; the password is not retrievable afterwards, so record it securely. Note that the Contributor role is broader than the incident actions listed above require; Azure also provides the built-in Microsoft Sentinel Responder role if you prefer to scope the service principal more tightly.

4. Get the Resource Group Name

In Azure, you logically group related resources to deploy, manage and maintain them as a single entity. The resource group is a container that holds these related resources for an Azure solution. These resources can be virtual machines, storage accounts, virtual networks, web apps, databases, and/or database servers. Click here to learn more about Azure Resource Groups.

A resource group is the first thing that is created while setting up Azure Sentinel.

To find your resource group:

  1. Sign in to the Azure portal

  2. In the left pane, select Resource groups

  3. Copy the name of the resource group in which you created the Log Analytics workspace.

5. Get Log Analytics Workspace Name

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.

A Log Analytics workspace is the environment for Azure Monitor log data. Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace. A workspace has a unique workspace ID and resource ID. You can reuse the same workspace name across different resource groups.

Azure Sentinel runs on the Log Analytics workspace and uses it to store all security-related data.

To find your workspace name, in the Azure portal click All services. In the list of resources, type Log Analytics; the list filters as you type. Select Log Analytics workspaces, then find and copy the name of your workspace.

Enable the Azure Sentinel App in SIRP

  1. First, log in to SIRP, then go to Apps from the left navigation bar.

  2. Locate the app named Azure Sentinel.

  3. Enable the app by clicking the toggle button under the Status column.

  4. Once you enable the app, click the Configure option to integrate SIRP with Azure Sentinel.

  5. Add the following details and click Save:

Parameter | Value

Host | Leave the default, management.azure.com

APP-ID | appId from the service principal creation output above

APP-Secret | password from the service principal creation output above

Tenant-ID | tenantId from the service principal creation output above

Subscription-ID | subscriptionId from the Get Subscription ID step above

Resource-Group | Resource group name copied from the Get the Resource Group Name section above

Workspace-Name | Workspace name copied from the Get Log Analytics Workspace Name section above
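As an added illustration (not SIRP's own code), the script below shows what these seven parameters are used for: the tenant, app ID and secret obtain a token for management.azure.com through the OAuth2 client-credentials flow, and the subscription, resource group and workspace name build the Microsoft Sentinel incidents endpoint that backs the Get Incidents action. The sample listing is constructed, and the api-version value is an assumption.

```python
# Added example (not SIRP's code): turn the service principal values from the
# table above into the Azure REST API calls that list Sentinel incidents.
import json
import urllib.parse
import urllib.request

HOST = "management.azure.com"  # the Host value left unchanged in SIRP

def token_request(tenant_id, app_id, app_secret):
    """OAuth2 client-credentials request (url, form body); sends nothing."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,          # APP-ID
        "client_secret": app_secret,  # APP-Secret
        "scope": f"https://{HOST}/.default",
    })
    return url, body

def incidents_url(subscription_id, resource_group, workspace, api_version="2023-02-01"):
    """Sentinel incidents endpoint, scoped to the Log Analytics workspace."""
    return (f"https://{HOST}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents"
            f"?api-version={api_version}")

def summarize_incidents(payload):
    """Reduce the API's {"value": [...]} listing to the fields a SOAR case needs."""
    out = []
    for inc in payload.get("value", []):
        p = inc.get("properties", {})
        out.append({"id": inc.get("name"), "number": p.get("incidentNumber"),
                    "title": p.get("title"), "severity": p.get("severity"),
                    "status": p.get("status")})
    return out

def fetch_incidents(tenant_id, app_id, app_secret, subscription_id, resource_group, workspace):
    """Live call: obtain a token, then list incidents (needs network access)."""
    url, body = token_request(tenant_id, app_id, app_secret)
    with urllib.request.urlopen(url, data=body.encode()) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(incidents_url(subscription_id, resource_group, workspace),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return summarize_incidents(json.load(r))

# Constructed sample of the listing shape returned by the incidents endpoint.
SAMPLE_LISTING = {"value": [{"name": "00000000-0000-0000-0000-000000000001", "properties": {
    "incidentNumber": 42, "title": "Suspicious sign-in", "severity": "High", "status": "New"}}]}
```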
