Azure Sentinel
Introduction

This guide tells you how to authenticate the Microsoft Azure Sentinel connector in Swimlane using OAuth 2.0 client credentials. You will create an Azure app, assign required permissions, collect required identifiers, and configure the connector in Swimlane.

Prerequisites

Azure access requirements

You must have Azure permissions to:

- Register applications under Azure Active Directory
- Assign API permissions
- View subscription and workspace information
- Assign roles on the Azure Sentinel workspace

Required credentials

During setup, you will collect:

- Client ID
- Client secret
- Tenant ID
- Token URL
- Host URL
- Subscription ID
- Resource group name
- Workspace name
- Workspace ID

Token URLs

| Action type | Token URL |
| --- | --- |
| Log Analytics query | https://login.microsoftonline.com/{tenant id}/oauth2/token |
| All other actions | https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token |

Host URLs

| Action type | Host URL |
| --- | --- |
| Log Analytics query | https://api.loganalytics.azure.com/ |
| All other actions | https://management.azure.com/ |

Azure setup

Take the following steps to register the application:

1. Navigate to Azure Portal > Azure Active Directory > App registrations.
2. Click New registration.
3. Enter an application name.
4. Choose Accounts in this organizational directory only.
5. Click Register.

Take the following steps to assign API permissions:

1. Open the API permissions tab.
2. Click Add a permission.
3. Add the following permissions:
   - Microsoft Graph/SecurityEvents.ReadWrite.All
   - WindowsDefenderATP/Alert.ReadWrite.All

Take the following steps to generate a client secret:

1. Navigate to Certificates & secrets.
2. Click New client secret.
3. Add a description and expiration.
4. Copy and save the value. This saved value is the client secret.

Take the following steps to collect required identifiers:

1. From App registration > Overview, copy:
   - Client ID
   - Tenant ID
2. From the Azure workspace sections, copy:
   - Resource group name
   - Subscription ID
   - Workspace name
   - Workspace ID

Connector configuration in Swimlane

1. Log in to Turbine.
2. From the left-hand navigation pane, click Orchestration and click Assets. The Asset homepage opens.
3. Click the plus icon to open the Configure your connector asset window.
4. Select Microsoft Azure Sentinel from the Asset type list.
5. Fill in the asset settings and asset input as shown:

   | Field | Description | Required/Optional |
   | --- | --- | --- |
   | URL | Host URL based on action type | Required |
   | Token URL | Token URL with tenant ID included | Required |
   | Client ID | Client ID from Azure | Required |
   | Client Secret | Client secret from Azure | Required |
   | Scope | Optional, leave blank unless specified | Optional |
   | Verify SSL | Enable/disable SSL verification | Optional |
   | HTTP Proxy | Optional proxy configuration | Optional |

   Fields with marks are required.
6. Click Create.

Troubleshooting

If you encounter a 403 error:

- Ensure the Azure app is added to the Sentinel workspace.
- Assign the Contributor role.

You have successfully authenticated the Azure Sentinel connector in Swimlane.
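
An added example, not part of the Swimlane documentation or connector: a pre-flight check that an asset's token URL and host URL form the pair this guide lists for the chosen action type, that the tenant ID placeholder has been filled in, and that SSL verification is still on. The dict keys (`url`, `token_url`, `client_id`, `client_secret`, `verify_ssl`), the action-type labels `log_analytics_query` and `other`, and the sample values are assumptions made for this example.

```python
from urllib.parse import urlparse

# Token-path suffix and API host for each action type, from the tables above.
EXPECTED = {
    "log_analytics_query": ("/oauth2/token", "api.loganalytics.azure.com"),
    "other": ("/oauth2/v2.0/token", "management.azure.com"),
}
LOGIN_HOST = "login.microsoftonline.com"

def check_asset(asset, action_type):
    """Return the problems found in an asset dict; an empty list means consistent."""
    suffix, api_host = EXPECTED[action_type]
    problems = []

    token = urlparse(asset.get("token_url", ""))
    if token.scheme != "https" or token.hostname != LOGIN_HOST:
        problems.append("token URL is not https://" + LOGIN_HOST)
    # The first path segment is the tenant ID; the rest selects the endpoint.
    tenant, _, rest = token.path.lstrip("/").partition("/")
    if not tenant or "{" in tenant:
        problems.append("token URL has no tenant ID filled in")
    if "/" + rest.rstrip("/") != suffix:
        problems.append("token URL path does not fit action type " + action_type)

    host = urlparse(asset.get("url", ""))
    if host.scheme != "https" or host.hostname != api_host:
        problems.append("host URL does not fit action type " + action_type)

    for field in ("client_id", "client_secret"):
        if not asset.get(field):
            problems.append(field + " is required")
    if asset.get("verify_ssl") is False:
        problems.append("SSL verification is disabled")
    return problems

# Constructed sample asset (placeholder tenant ID and credentials).
SAMPLE = {
    "url": "https://management.azure.com/",
    "token_url": "https://login.microsoftonline.com/"
                 "00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "client_secret": "placeholder-secret",
    "verify_ssl": True,
}

if __name__ == "__main__":
    print(check_asset(SAMPLE, "other"))                # consistent pair
    print(check_asset(SAMPLE, "log_analytics_query"))  # mismatched pair
```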