This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
Update Microsoft Azure Sentinel
- Identify or create credentials to access Sentinel with read access, at minimum.
- Add the Microsoft Sentinel Reader role to the app that you are creating and registering.
- Verify you have access to the Log Analytics API with Data.Read permission.
- Identify the following values in the Azure Web portal:These values are generated when you configure Azure Log Analytics.
- Client ID
- Client Secret
- Tenant ID
- Workspace ID
- Set up Tables in Log Analytics.
Queries in the Azure Sentinel integration will error if corresponding Tables are not configured in Log Analytics. For example, the default Malicious DNS Action Query in the integration needs the DnsEvents table in Log Analytics to be configured.
Access the Client ID, Client Secret, Tenant ID, and Workspace ID
If you do not already know the values required to add the Azure Sentinel integration, you must locate them in the Azure portal.
- Refer to the Microsoft documentation for further assistance identifying these values.
- If you have already noted the Client ID, Client Secret, Tenant ID, and Workspace ID for the Microsoft Azure Log Analytics Integration, you can reuse those values for the Azure Sentinel Integration.
- In the Azure Log Analytics portal, take note of your Workspace ID.
- In the Active Directory portal, take note of your Tenant ID.
- In the Active Directory portal, navigate to App registrations > New registration.
- Enter the required registration information.
- Take note of the Client ID.
- The required Redirect URI field can be set to your Director's URL.
- Navigate to the Certificates & Secrets page.
- Create a new client secret and take note of the value.
Add the Data.Read API Permission
- In the Azure Log Analytics portal, navigate to the API Permissions page.
- Add Log Analytics Data.Read permission.
- Get administrator approval for the application.
Grant Access to Log Analytics Workspace
- From your Log Analytics workspace overview page, select Access control (IAM).
- Select Add role assignment.
- Select the Reader role and then select Members.
- On the Members tab, choose Select members.
- Enter the name of your app in the Select box.
- Select your app and choose Select.
- Select Review + assign.
API Calls
The following API calls are used by the Validation Platform.
| Purpose | Call |
|---|---|
| Auth | Standard Azure: Azure Government (GovCloud): |
| Query Log Analytics | Standard Azure: Azure Government (GovCloud): |
Update the Validation Platform
Prerequisites
Information to gather before you start:
- Identify the Client ID unique to your application.
- Identify the Client Secret unique to your application.
- Identify the Tenant ID.
- Identify the Workspace ID.
Configure the Azure Sentinel Integration
Go to Settings > Integrations.
- Click Add Integration > Azure Sentinel.
You can add this as either a Local or Remote Integration.
- From the Host drop-down list, select the appropriate value depending on your Azure Sentinel environment:
- The entry ending in .io for standard Azure environments
- The entry ending in .us for Azure Government (GovCloud) environments
- Enter Client ID and Client Secret.
- Enter Tenant ID and Workspace ID.
Microsoft Azure Sentinel Integration
Expand Advanced options and update the information as necessary.
- (Optional) Update Query time (minutes) and Delay time (minutes). The Query time is the amount of time (minutes) before and after the query runs that the platform looks for events, while the Delay time is the amount of time (minutes) that the platform waits to run the first query after a Job Action starts. For example, you configure your integration with the following values: Query time = 5, Query interval = 30 seconds, and Delay time = 0. When a Job Actions starts at 12:00:00, the first time the query runs, the platform looks for events from 11:55:00 to 12:00:00. Then 30 seconds later, it looks for events from 11:55:30 to 12:00:30. This interval continues, with the last query looking from 12:00:00 to 12:05:00. If you instead configured the Delay time to equal 10, it would run the same query, but it wouldn't start that query until 12:10:00.If your monitors are set to run more frequently than the query time, this configuration impacts the pass/fail results for AEDA monitors.
- (Optional) Select Discover network devices automatically.
- Modify Field Name Mapping for the following, as necessary:
- Source IP
- Destination IP
- Source Port
- Destination Port
- Event Source Host
- Event Start Time
- Event Signature ID
- Event Description
- Email Sender
- Email Recipient
- Email Subject
- URL
- Username
- File hashes
Modify the Query Interval (seconds) and Event Time Adjustment (seconds), if necessary.
(Optional) Assign a Name.
(Optional) Choose Yes to Save Suspicious Events.
- (Optional) Update Query time (minutes) and Delay time (minutes).
Click Submit.
Microsoft Azure Sentinel Integration - Advanced Options
Set up Proxy Assignment
If all outbound connections go through a proxy, you may want to set up a proxy definition and assignment for your integration. For information on setting up your proxy rules, see Proxy Rules.
Verify connectivity
Click Test to verify that:
- The Director can communicate with the integration host on the port and protocol specified.
- The integration credentials are valid and working.