Microsoft Azure Sentinel Connector
Overview

The Azure Sentinel connector facilitates seamless integration with Azure Sentinel's SIEM and SOAR capabilities, enabling automated threat response and management. Microsoft Azure Sentinel is a scalable, cloud-native security information event management (SIEM) and security orchestration automated response (SOAR) solution. This connector enables Swimlane Turbine users to automate incident response and management, and to streamline comment additions, rule creation, and updates directly within Azure Sentinel. By integrating with Azure Sentinel, users can enhance their security posture, reduce response times, and leverage a comprehensive view of their security landscape without leaving the Swimlane platform.

Prerequisites

Before you can use the Microsoft Azure Sentinel connector for Turbine, ensure you have OAuth 2.0 client credentials authentication with the following parameters:

- URL: endpoint for the Azure Sentinel API
- Client ID: unique identifier for the registered Azure application
- Client Secret: confidential secret key for the registered Azure application
- Token URL: endpoint to retrieve the OAuth2 token

Token URL

Use the following as the Token URL:

- To run the Log Analytics Query action, use https://login.microsoftonline.com/{tenant id}/oauth2/token
- For all other actions, use https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token

Host URL

- To run the Log Analytics Query action, use https://api.loganalytics.azure.com/
- For all other actions, use https://management.azure.com/

Action Setup

To run the incident management actions, you need a Resource Group Name, Subscription ID and Workspace Name.

Steps to create the Azure app:

1. Go to the App registrations page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose "Accounts in this organizational directory only", then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission and add the following permissions:
   - Microsoft Graph / SecurityEvents.ReadWrite.All
   - WindowsDefenderATP / Alert.ReadWrite.All
6. Navigate to the Certificates & secrets tab and select New client secret. Fill out the description and expiration, then click the Add button at the bottom. The Value of the secret you just created is the Client Secret needed for the Swimlane asset.
7. Navigate to the Overview tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.
8. Go back to the main Azure portal window, click on your app overview and copy the following values:
   - Resource Group Name
   - Subscription ID
   - Workspace Name
   - Workspace ID

If you are connecting to Azure Government cloud, the config should be (differences in red):

- URL: https://management.usgovcloudapi.net
- Token URL: https://login.microsoftonline.us/{tenant id}/oauth2/v2.0/token
- Client ID: client id
- Client Secret: client secret
- Scope: https://management.usgovcloudapi.net/.default

Action Inputs

Depending on the Azure Sentinel action, there will be some additional inputs that need to be configured. For example, if you use the action List Incidents, there will be a Subscription ID, a Resource Group Name and a Workspace Name.

Actions may not have the scope filled in from the asset (there is currently a known bug, SPT-21966, documenting this behavior for the Graph connector). At this time it is probably best to add the scope manually to each action. Scopes for Microsoft APIs are typically ".default", so the scope for Azure Sentinel would typically be https://management.azure.com/.default. Note that the scope will be different for Azure Government cloud, as noted above.

Path parameters:

- Subscription ID: subscription id
- Resource Group Name: resource group name
- Workspace Name: workspace name

Parameters:

- api-version: 2023-02-01

Filtering the Azure Sentinel query

If you want to filter the Azure Sentinel query and only fetch certain events, you can add the filter parameter by using "Add a property" under the parameters. Once you add the filter input, you need to use the OData query structure; more info can be found here. In this example we are using the title key under the properties key and matching on equals "Sample Incident":

- The key structure is written as properties/title (with a forward slash between key and subkey).
- We use eq for equals.
- The match string has to be in single quotes (double quotes will fail).

Capabilities

The Microsoft Azure Sentinel connector provides the following capabilities:

- Create or Update Fusion Alert Rule
- Create or Update Incident
- Create or Update MSSIC (MicrosoftSecurityIncidentCreation) Alert Rule
- Create or Update Saved Searches
- Create or Update Scheduled Alert Rule
- Delete Alert Rules
- Delete Incident
- Delete Incident Comments
- Delete Saved Searches
- Get Alert Entities
- Get Alert Rules by Rule ID
- Get Incident
- Get Incident Comment
- Get Saved Searches
- List Alert Rules
- List by Workspace Saved Searches
- List Incident Alerts
- List Incident Bookmarks
- List Incident Comments
- List Incident Entities
- List Incidents
- Run Analytics Query
- Update Incident Comment

Known Issues

If you get a 403 HTTP error, you have to add the Azure app to the Sentinel workspace and assign the Contributor role to it.
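The endpoint selection (token URL and host per action, ".default" scope, Azure Government variants), the OData filter rule and the List Incidents path parameters described above, worked through as an added example that is not Swimlane's or Microsoft's code. The REST path under /providers/Microsoft.SecurityInsights/ is the Azure Sentinel API route and is assumed rather than taken from this page; the tenant, subscription and workspace values are constructed placeholders.

```python
from urllib.parse import urlencode

# Token endpoint bases from the page; {tenant} is the directory (tenant) ID.
TOKEN_BASES = {
    "commercial": "https://login.microsoftonline.com/{tenant}/oauth2/",
    "government": "https://login.microsoftonline.us/{tenant}/oauth2/",
}
MANAGEMENT_HOSTS = {
    "commercial": "https://management.azure.com/",
    "government": "https://management.usgovcloudapi.net/",
}
# The page documents the Log Analytics host for the commercial cloud only.
LOG_ANALYTICS_HOST = "https://api.loganalytics.azure.com/"


def endpoints(action, tenant_id, cloud="commercial"):
    """Return (token_url, host, scope) for an action, following the page's rule:
    Run Analytics Query uses the v1 token URL and the Log Analytics host,
    every other action uses the v2.0 token URL and the management host."""
    base = TOKEN_BASES[cloud].format(tenant=tenant_id)
    if action == "run_analytics_query":
        if cloud != "commercial":
            raise ValueError("Log Analytics host for this cloud is not documented")
        return base + "token", LOG_ANALYTICS_HOST, LOG_ANALYTICS_HOST + ".default"
    host = MANAGEMENT_HOSTS[cloud]
    return base + "v2.0/token", host, host + ".default"


def odata_filter(key_path, value):
    """Build e.g. properties/title eq 'Sample Incident'. The value must be in
    single quotes (double quotes fail); a literal single quote inside the value
    is doubled, which is the OData escape for it."""
    escaped = value.replace("'", "''")
    return f"{key_path} eq '{escaped}'"


def list_incidents_url(host, subscription_id, resource_group, workspace,
                       api_version="2023-02-01", odata=None):
    """Compose the List Incidents request from the path parameters and the
    api-version parameter the page lists, plus an optional $filter."""
    path = (f"subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            "/providers/Microsoft.SecurityInsights/incidents")
    params = {"api-version": api_version}
    if odata:
        params["$filter"] = odata
    return host + path + "?" + urlencode(params)
```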