Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) service that helps you detect, prevent, and respond to security threats across your entire organization. For detailed information refer to the Microsoft’s official documentation.

Integration Method: API

Tables: Detection Finding (2004), Incident Finding (2005), Authentication (3002)

The integration supports the following events.

This integration supports the following versions.

Note:

Microsoft Sentinel is a continuously updated cloud service. As of the preparation of this document, the latest release was in January 2025.

Prerequisites

• The user should have access to the Azure portal with an account that has the Global Administrator privileges.

• The user should have access to the DataBee console.

Configuration Overview

1. Create an application with required permissions to fetch the data.

   1. Create an application

   2. Add endpoint access

   3. Create Resource Group and Workspace

   4. Add Access to Application to retrieve the data

   5. Get Resource Group and Workspace

   6. Create the client secret

2. Create Microsoft Sentinel data feed in the DataBee console with the required Client credentials.

   DataBee Parameter	Azure Parameter
   Client Key	Application (client) ID
   Client Secret	Client Secret Value
   Token URL(<tenant_id>)	Directory (Tenant) ID
   API URL (<subscriptionId>)	Subscription ID
   API URL (<resourceGroupName>)	Resource Group
   API URL(<workspaceName>)	Workspace Name

Azure Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator privilege.  

2. In the search bar, search for App registrations and select it.
    

3. On the “App registrations” page, select New registration, then “Register an application” window will appear.
    

4. On the “Register an application” window:

   1. Under ‘Name’ enter your Application Name then click on Register to create the application.

   

    

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
    

Add Endpoint Access 

Once the application is created, one permission should be provided to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints. 

Add Permissions 

From the Azure Active Directory portal:

1. Select the application registered in the previous step.

2. Under Manage, click API permissions and then click Add a permission, the “Request API permissions” window will appear.
    

3. On “Request API permissions” window, click on Microsoft APIs then on Microsoft Graph.
    
   

4. Click on Application permissions.
    

5. The following permissions need to be granted for the endpoint to function properly:

   Event	Type	Permission
   Workspace info	Application	ThreatIndicators.Read.All

   1. In the ‘Select permissions’ search bar, enter the permission shown above, and check the box to include them.

   2. From the ‘ThreatIndicators’ dropdown, select ThreatIndicators.Read.All permissions.

   

6. Click the Add permissions button after selecting all required permissions. 
    

7. On the “API permissions” page, click Grant Admin Consent for <tenant>.
    

8. Click the Yes button on the consent confirmation.
    

9. The necessary permissions have now been added for the endpoints. After this step, the permissions should include these minimum required permissions shown.
    

Create Resource Group and Workspace

1. In the search bar, search for Microsoft Sentinel and select it.

2. Click on the Create button to create a new resource group.
    

3. Click on the Create a new workspace button to create workspace.
    

4. Select the Subscription.
    

5. Enter the Workspace name.
    

6. Click the Create new button to create a new resource group or select an existing one.
    

7. Enter the resource group name.
    

8. Click on the OK button and then click on Review + Create button
    

9. Click on the Create button.
    

Add Access to Application to retrieve the data

1. To grant an application access to data, you must assign a role to it. To provide access to a resource group, navigate to the resource group created in the previous step then click on the Access control (IAM) button.
    

2. Click on the Add button then click on the Add role assignment.
    

3. Now click on the Reader role.
    

4. Select the application.

   1. Click on the + Select members button

   2. Select the application which we created in the Create an application step.

   3. Click on the Select button.

   

5. Click on the Next button.
    

6. Click on the Review + assign button.
    

Get Resource Group and Workspace

1. In the search bar, search for Microsoft Sentinel and select it.

2. Click on the workspace which we have created previously in Create Resource Group and Workspace.

    

3. Click on the Settings button.
    

4. Click on the Workspace settings button.
    

5. Copy the Subscription ID, Workspace Name, and Resource group name, as these will be required during the DataBee configuration.
    

Creating the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:  

1. Select the application created above.
    

2. Under Manage, click Certificates & secrets, and then Client secrets. 
    

3. Click New client secret. Then “Add a client secret” window appears. 
     

4. On “Add a client secret” window:

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

   2. Then click on Add to create the client secret.

    
   

   Note:

   The user needs to re-create the client secret when it expires.

5. Copy Client Secrets Value field for later use.
    

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for Microsoft Sentinel and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    
   

5. In the configuration page, enter the following:

   • Authorization Method: OAuth2

   • API Base URL: this is the base URL that DataBee will interact with.

   • Client Key: paste the Application (Client) ID generated earlier in the Azure portal.

   • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

   • Token URL: replace <tenant_id> placeholder with your Directory (Tenant) ID.

   • Event Types: preselected for all the event types that integration pulls.

   • Subscription ID: paste the Subscription ID generated earlier in the Azure portal.

   • Resource Group Name: paste the Resource Group Name generated earlier in the Azure portal.

   • Workspace Name: paste the Workspace Name generated earlier in the Azure portal.

   

6. Click Submit.

Troubleshooting Tips

• If you encounter an Invalid client or Unauthorized client error, it may be due to incorrect credentials. Please double-check that the client key, client secret, and Tenant ID are entered correctly. Since the client secret is only visible upon creation, you may need to regenerate it. To avoid any issues, consider pasting it into a text editor to ensure there are no extra spaces or unexpected characters before reconfiguring the DataBee feed.

• If you receive an Unauthorized error, it may be because the client ID and client secret belong to different applications. Kindly verify that you are using credentials from the same application to resolve the issue.

• If we encounter a response code 403, it is likely due to missing permissions. Ensure that all required permissions are correctly granted as per the steps outlined above.