Microsoft Sentinel
  • 08 Jul 2024
  • 3 Minutes to read
  • Contributors
  • Dark
    Light

Microsoft Sentinel

  • Dark
    Light

Article summary

Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native security information and event management (SIEM) service that provides intelligent security analytics and threat detection across the enterprise, integrating with Microsoft and third-party security solutions.

Setup and Configure

  1. Log on to Azure with a user account that has the Global Administrator role.

  2. Navigate to Microsoft Entra ID > App registrations > New registration. The "Register an application" page will appear. (If you have an existing application, you can also use that.)

  3. Enter the application's registration information (If you are creating a new application):

    1. In the ‘Name’ section, enter a meaningful application name that will be displayed to users.

    2. For ‘Supported account types’, click the Accounts in any organizational directory option.

    3. Set the ‘Redirect URI’ to http://localhost.

    4. Click on Register to create the application.

  4. On the app “Overview” page, copy the Application (client) ID and Directory (tenant) ID for later use.

Add Endpoint Access

To access the incidents and its related alerts data, you must grant the permission: ThreatIndicators.Read.All.

Endpoints needed for Microsoft Sentinel

Add Permissions

To add the permission, you must follow the below steps:

  1. Select the application whose logs are to be accessed (the application registered earlier on this page).

  2. Click API Permissions, and then click Add a Permission. The “Request API permissions” window appears.

  3. Click on Microsoft Graph.

  4. Click on Application Permissions and search for ThreatIndicators, then grant ThreatIndicators.Read.All permission.

  5. Click the Add permissions button after selecting all required permissions.

  6. On the “API permissions” page, click Grant Admin Consent for <tenant>.

  7. Click the Yes button on the consent confirmation. The required permissions are now added for the endpoint

Create the Client ID and Client Secret

The last step in configuring the Graph API is creating a Client ID and Client Secret. To create these items, from the Azure Portal:

  1. Select the application created above.

  2. Click Certificates & secrets, and then Client secrets.

  3. Click New client secret. The “Add a client secret” window appears.

  4. Enter a Description for this client secret.

  5. Select the desired expiry period from the ‘Expires’ drop-list.

  6. Click Add.

  7. Copy the Value field, which will be used to initialize the beat.

Create Resource Group and Workspace

  1. Search for Microsoft Sentinel.

  2. Select an existing resource group or create a new resource group using the Create button.

  3. Now, select a workspace or create a new workspace using the Create button.

  4. Select a subscription and add the resource group. If you need to create a new resource group, click the Create New button. Once you have added all the necessary details, click on Review + Create.

Add Access to the Application to retrieve the data

  1. To grant access to data for an application, we need to assign a role to the application. To give the application access to a resource group, we must open the resource group and navigate to Access Control. Please click on reference to know more.

  2. After navigating into access control, click on the Add button to add the role.

  3. Select Reader role from the list and click on the Next button.

  4. Now, select members from the Select Members screen. After making your selection, you will see the selected members appear in the Selected Members list.

  5. Once you select the member click on the Review + assign button.

Get Resource Group and Workspace

  1. Go to Microsoft Sentinel and select an existing one or use the previous steps to create a new workspace group.

  2. After Selecting workspace go to Settings > Workspace settings.

  3. You will see the screen below. We have the workspace name, resource group name, and subscription ID in that.

  4. Replace the workspace name, resource group, and subscription ID in the URL below.

    https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2024-03-01


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence