About Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution. It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
The Microsoft Sentinel and SIRP integration allows SOC teams to ingest incidents, alerts, and entity data from Microsoft Sentinel and accelerate threat identification and investigation. Bidirectional integration between SIRP SOAR and Microsoft Sentinel lets SOC teams orchestrate and automate response actions through playbooks, cutting detection, investigation, and response time dramatically.
Supported Actions
SIRP’s Microsoft Sentinel integration app allows you to execute the following actions:
| S.no | Action | Description |
|---|---|---|
| 1 | Get Incidents | Ingest incidents from Microsoft Sentinel |
| 2 | Get Incident Alerts | Fetch the alerts of a particular incident from Microsoft Sentinel |
| 3 | Get Incident Entities | Fetch the artifacts (entities) of a particular incident from Microsoft Sentinel |
| 4 | Update Classification | Update an incident's classification in Microsoft Sentinel |
| 5 | Update Severity | Update an incident's severity in Microsoft Sentinel |
| 6 | Update Status | Update an incident's status in Microsoft Sentinel |
Network Prerequisites
Outbound connectivity from SIRP on TCP port 443 to management.azure.com
Enable and Configure Microsoft Sentinel
1. Launch Azure CLI
Open the Azure CLI installed on your machine, or go to https://shell.azure.com, which lets you run all Azure CLI commands in your browser without installing anything locally.
2. Get Subscription ID
Run the following command in your Azure CLI:
> az account show --query id -o tsv
3. Create a Service Principal
A service principal is an identity created in your Azure tenant for use by applications, hosted services, and automated tools to access Azure resources; what it may do is limited by the roles assigned to it. In this case it is used to obtain the tokens that SIRP needs to authenticate to the Azure REST APIs.
To create a service principal in your tenant, run the following command in your Azure CLI, replacing the placeholders with your subscription ID (from step 2) and the name of the resource group that holds your Sentinel workspace. Scoping the role assignment to that resource group keeps the principal's access limited to it:
> az ad sp create-for-rbac --role contributor --scopes /subscriptions/<subscription id>/resourceGroups/<resource group name>
The command prints the new principal's appId, password, and tenant; keep these values for the SIRP configuration below. The password is shown only once.
4. Get the Resource Group Name
In Azure, you logically group related resources to deploy, manage, and maintain them as a single entity. A resource group is the container that holds these related resources for an Azure solution; they can be virtual machines, storage accounts, virtual networks, web apps, databases, and/or database servers.
A resource group is the first thing that is created while setting up Azure Sentinel.
To find the resource group that holds your workspace:
Sign in to the Azure portal.
In the left pane, select Resource groups.
Copy the name of the resource group in which you created the Log Analytics workspace.
5. Get Log Analytics Workspace Name
Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
A Log Analytics workspace is the environment for Azure Monitor log data. Each workspace has its own data repository and configuration, and data sources and solutions are configured to store their data in a particular workspace. A workspace has a unique workspace ID and resource ID. The same workspace name can be used in different resource groups, which is why SIRP needs the resource group name as well.
Azure Sentinel runs on the Log Analytics workspace and uses it to store all security-related data.
To find your workspace name, in the Azure portal click All services. In the list of resources, type Log Analytics; as you type, the list filters based on your input. Select Log Analytics workspaces, then find and copy the name of your workspace.
Enable the Azure Sentinel App in SIRP
First, log in to SIRP, then go to Apps from the left navigation bar.
Locate the app named Azure Sentinel.
Enable the app by clicking on the toggle button under the Status Column.
Once you enable the App, click the configure option to integrate SIRP with Azure Sentinel.
Add the following details and click Save:
| Parameter | Value |
|---|---|
| Host | Leave it as it is: management.azure.com |
| APP-ID | The appId printed when you created the service principal |
| APP-Secret | The password printed when you created the service principal |
| Tenant-ID | The tenant printed when you created the service principal |
| Subscription-ID | The subscription ID obtained in the Get Subscription ID section above |
| Resource-Group | Resource group name copied from the Get Resource Group section above |
| Workspace-Name | Workspace name copied from the Get Log Analytics Workspace Name section above |
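A pre-flight check for the values in this table, added here as an example and not part of SIRP or Microsoft's code: it validates the six parameters, builds the management.azure.com incidents URL that the Get Incidents action reads, and can make one authenticated call so a bad secret (401) or a role assignment that does not cover the workspace (403) shows up before the app is enabled. It assumes the Microsoft.SecurityInsights incidents API version 2023-02-01 and the Microsoft identity platform v2.0 token endpoint; the GUIDs in SAMPLE are constructed placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

API_VERSION = "2023-02-01"  # assumption: GA api-version of the SecurityInsights incidents API
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
ARM = "management.azure.com"

# Constructed sample values: all-zero GUIDs are placeholders, not a real tenant.
SAMPLE = {"Host": ARM, "APP-ID": "00000000-0000-0000-0000-000000000001",
          "APP-Secret": "<app-secret>", "Tenant-ID": "00000000-0000-0000-0000-000000000002",
          "Subscription-ID": "00000000-0000-0000-0000-000000000003",
          "Resource-Group": "soc-rg", "Workspace-Name": "soc workspace"}


def validate_config(cfg):
    """Return the problems found in the six SIRP parameter values (empty list = OK)."""
    problems = [f"{k} is not a GUID" for k in ("APP-ID", "Tenant-ID", "Subscription-ID")
                if not GUID_RE.match(cfg.get(k, ""))]
    problems += [f"{k} is empty" for k in ("APP-Secret", "Resource-Group", "Workspace-Name")
                 if not cfg.get(k)]
    if cfg.get("Host", ARM) != ARM:
        problems.append("Host must stay management.azure.com")
    return problems


def incidents_url(cfg, top=5):
    """ARM URL that the 'Get Incidents' action reads; names are URL-encoded."""
    q = urllib.parse.quote
    path = (f"/subscriptions/{cfg['Subscription-ID']}/resourceGroups/{q(cfg['Resource-Group'])}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{q(cfg['Workspace-Name'])}"
            "/providers/Microsoft.SecurityInsights/incidents")
    return f"https://{cfg.get('Host', ARM)}{path}?" + urllib.parse.urlencode(
        {"api-version": API_VERSION, "$top": top})


def list_incidents(cfg):
    """Live check (needs network on 443): client-credentials token, then one incidents read.
    HTTP 401 means bad APP-ID/secret/tenant; 403 means the role does not cover the workspace."""
    token_url = f"https://login.microsoftonline.com/{cfg['Tenant-ID']}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": cfg["APP-ID"],
        "client_secret": cfg["APP-Secret"], "scope": "https://management.azure.com/.default"}).encode()
    with urllib.request.urlopen(urllib.request.Request(token_url, data=body)) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(incidents_url(cfg), headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r).get("value", [])
```

Run `validate_config` and `incidents_url` offline first, then `list_incidents` from the host that will run SIRP to confirm the port 443 prerequisite and the role assignment at the same time. The Contributor role granted in the service principal step is broader than incident read and update actions require; Microsoft's built-in Microsoft Sentinel Responder role, scoped to the resource group, covers them.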