Ready for
a Demo
View Categories

Microsoft Sentinel

What is Microsoft Sentinel? #

Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.

Why Should You Use the Microsoft Sentinel Connector? #

The Microsoft Sentinel connector provides visibility into the logs, alerts, and incidents managed by Microsoft Sentinel. You can use this visibility to:

  • ensure each asset is running the latest version of the agent for Microsoft Sentinel

  • ensure assets are managed per your security policies

  • act upon alerts and incidents

How Does This Connector Work? #

Lucidum executes read-only requests to the REST API for Microsoft Defender ATP and ingests only meta-data about Microsoft Defender. Lucidum does not retrieve any data stored on your assets.

Requirements #

To use the Sentinel Connector in Lucidum:

  1. Before configuring the Microsoft Sentinel connector in Lucidum, you must first create a read-only application in Azure. If you are already using Lucidum to ingest data from Microsoft Azure, you can use the same read-only application to also ingest data from Sentinel.

  2. After you create a read-only application in Azure or if you are already using Lucidum to ingest data from Microsoft Azure, you must edit the read-only application to also ingest data from Sentinel. See the section on Editing the Azure Application to use this same read-only application with the Microsoft Sentinel connector.

  3. You must add API permissions to the read-only application in Azure.

  4. You can then configure the Sentinel connector in Lucidum and start ingesting data from Microsoft Sentinel.

Prerequisite: Editing the Azure Application #

If you are already using Lucidum to ingest data from Microsoft Azure and Azure AD, you have already created a read-only application in Azure that allows Lucidum to ingest data from Azure and Azure Active Directory. You can use the same application to ingest data from Sentinel.

If you are not already using Lucidum to ingest data from Microsoft Azure and Azure AD, you must create a read-only application in Azure before you can configure and use the same read-only application with the Microsoft Sentinel connector.

The Microsoft Sentinel connector retrieves data from these APIs:

  • Microsoft Sentinel Management API (Sentinel management API)

  • Microsoft Graph Security API (alerts API)

  • Log Analytics API (logs API)

The following sections describe how to edit the read-only application in Azure to allow access to these APIs.

Access to Microsoft Sentinel Management API #

To allow the Azure application to access to the Microsoft Sentinel Management API:

  1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account.

  2. Navigate to the Resource Group for your implementation of Sentinel.

  3. Click Access Control (IAM).

  4. Click Add > Add role assignment.

    ms_sentinel_connector_config1.png

  5. Add the following roles:

    • Microsoft Sentinel Contributor

    • Microsoft Sentinel Responder

    • Microsoft Sentinel Reader

Access to Microsoft Graph Security API #

To edit the read-only application to allow access to the Microsoft Graph Security API:

  1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account.

  2. Select Azure Active Directory > App registrations. Navigate to your Azure application.

  3. Select API permissions > Add a permission > Microsoft Graph > Application permissions.

  4. Grant the app permissions to Microsoft Graph.

    ms_sentinel_connector_config2.png

  5. Under Select permissions, select the following:

    • SecurityEvents.Read.All or

    • SecurityEvents.ReadWrite.All* (required for the Lucidum Sentinel Action to create security events)

  6. Select Add Permissions.

Access to the Log Analytics API #

To edit the read-only application to allow access to the Log Analytics API:

  1. Log in to the Azure Portal (https://portal.azure.com/ ) with an Azure AD global administrator account.

  2. Select Azure Active Directory > App registrations. Navigate to your Azure application.

  3. In the Overview page, select API permissions.

  4. Select Add a permission.

  5. In the APIs my organization uses tab search for log analytics and select Log Analytics API from the list.

  6. Select Application permissions.

  7. Check the checkbox for Data.Read.

    ms_sentinel_connector_config3.png

  8. Select Add permissions

  9. Next, grant your read-only Azure app access to your Log Analytics Workspace.

  10. Navigate to your Log Analytics Workspace.

  11. In the overview page, select Access control (IAM).

  12. Select Add role assignment.

    ms_sentinel_connector_config4.png

  13. Select the Reader role.

  14. Select the Members tab.

    ms_sentinel_connector_config5.png

  15. In the Members tab, select Select members.

  16. Enter the name of your read-only Azure app in the Select field.

  17. Choose your app and select Select.

  18. Select Review and assign.

    ms_sentinel_connector_config6.png

Configuring the Sentinel Connector #

To configure Lucidum to ingest data from Microsoft Sentinel:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Connector you want to configure. Click Connect. The Settings page appears.

Field

Description

Example

URL

The base URL for the Log Analytics Workspace in Azure.

https://api.loganalytics.azure.com

Client ID

Enter the Client ID for the Lucidum application in Azure. Client ID is the unique identifier for the Lucidum application in Azure Active Directory. Client ID is also called Application ID.

5dab08ad-3948-4605-aa68-948333ee64819

Client Secret

Enter the Client Secret ID for the Lucidum application in Azure.

 ************

Tenant ID

Enter the tenant ID. Tenant ID is a unique identifier for your instance of Azure.

You captured this value in step #8 when you created a read-only application in Azure.

30930e4c-6cea-4c29-89d8-81e55978da47

Workspace ID

Enter the workspace ID. Workspace ID is a unique environment in Azure that stores log data from Microsoft Sentinel and other Azure services.

To find the workspace ID:

  • Open your workspace in the Azure portal

  • Navigate to Settings > Agents management

  • Expand Log Analytics agent instructions

fc56a6f4-a83c-4e76-a9a2-8d8c4d2f228

Log Analytics Security Alert Query

Query string to fetch the security alerts from Log Analytics in Azure.

SecurityAlert

This string fetches all alerts and all alert data from Log Analytics.

Log Analytics Heartbeat Query

Log Analytics query string to fetch the heartbeats. For examples of Heartbeat query strings, see: https://learn.microsoft.com/en-us/azure/azure-monitor/insights/solution-agenthealth#sample-log-searches

Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(24h)

This string fetches a count of unresponsive agents in the last 24 hours

 To test the configuration, click Test.

  • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

  • If the connector is not configured correctly, Lucidum displays an error message.

Source Documentation #

Creating an Application in Azure #

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

Allowing the Azure Read-Only App to Access Sentinel APIs #

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-api-101/ba-p/1438928

Queries for Log Analytics #

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log-query

https://learn.microsoft.com/en-us/azure/azure-monitor/insights/solution-agenthealth#sample-log-searches

Microsoft Sentinel Management API #

https://learn.microsoft.com/en-us/rest/api/securityinsights/

Microsoft Graph Security API #

https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Microsoft Log Analytics API #

https://learn.microsoft.com/en-us/rest/api/loganalytics/

What are your Feelings

Quick LInks

Linkedin Youtube X-twitter Facebook

@ 2024 Lucidum, Inc. 2024, Design By Sandman Studios

SOLUTIONS

COMPANY

RESOURCES

Solutions

COMPANY

Resource Library