Microsoft Azure Sentinel Connector
Overview

The Azure Sentinel connector integrates Swimlane Turbine with Microsoft's SIEM and SOAR solution, enabling security automation and orchestration within the Swimlane platform.

Microsoft Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. This connector lets Swimlane Turbine users automate the management of alert rules and incidents within Azure Sentinel, streamlining threat detection, response, and management workflows. Automated actions such as creating, updating, and deleting rules and incidents reduce response times and improve efficiency.

Prerequisites

To use the Microsoft Azure Sentinel connector with Swimlane Turbine, you need OAuth 2.0 client credentials for authentication, which consist of:

- URL: the endpoint URL for Azure Sentinel API access (see Host URL below)
- Client ID: the application (client) ID of the app registered in Azure Active Directory
- Client secret: the secret created during the app registration process
- Token URL: the URL from which the access token is retrieved from Azure Active Directory (see Token URL below)

Token URL

Use the following as the token URL:

- To run the Log Analytics Query action, use https://login.microsoftonline.com/{tenant id}/oauth2/token
- For all other actions, use https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/token

Note that these are two different OAuth 2.0 endpoints: the v1 endpoint identifies the target API with a resource parameter, while the v2.0 endpoint takes a scope. A token issued for one host is not valid for the other, so an asset configured for the Log Analytics Query action cannot be reused for the management actions.

Host URL

- To run the Log Analytics Query action, use https://api.loganalytics.azure.com/
- For all other actions, use https://management.azure.com/

Action Setup

To run the incident management actions, you need a resource group name, subscription ID, and workspace name.

Steps to create the Azure app

1. Go to the App registrations page in the Azure portal.
2. Click New registration.
3. Enter a name for your new application, choose Accounts in this organizational directory only, then click Register at the bottom.
4. Navigate to the API permissions tab in the left navigation menu. Select Add a permission and add the following permissions:
   - Microsoft Graph / SecurityEvents.ReadWrite.All
   - WindowsDefenderATP / Alert.ReadWrite.All
5. Navigate to the Certificates & secrets tab and select New client secret. Fill out the description and expiration, then click Add at the bottom. The value of the secret you just created is the client secret needed for the Swimlane asset; it is shown only once, so copy it now. Record the expiration date, because the asset stops authenticating when the secret expires.
6. Navigate to the Overview tab in the left menu. The client ID and tenant ID needed in the asset are shown on this page.
7. Go back to the main Azure portal window and open the overview of your Sentinel (Log Analytics) workspace. Copy the following values:
   - Resource group name
   - Subscription ID
   - Workspace name
   - Workspace ID

Capabilities

- Create or Update Fusion Alert Rule
- Create or Update Incident
- Create or Update MSSIC (MicrosoftSecurityIncidentCreation) Alert Rule
- Create or Update Saved Searches
- Create or Update Scheduled Alert Rule
- Delete Alert Rules
- Delete Incident
- Delete Incident Comments
- Delete Saved Searches
- Get Alert Entities
- Get Alert Rules by Rule ID
- Get Incident
- Get Incident Comment
- Get Saved Searches
- List Alert Rules
- List by Workspace Saved Searches
- List Incident Alerts
- List Incident Bookmarks
- List Incident Comments
- List Incident Entities
- List Incidents
- Run Analytics Query
- Update Incident Comment

Known Issues

If you get a 403 HTTP error, you have to add the Azure app to the Sentinel workspace and assign the Contributor role to it. The API permissions added in step 4 are Microsoft Graph and Defender application permissions; the Sentinel management API is authorized by Azure RBAC instead, so the app's service principal needs a role assignment on the workspace itself. If you want to limit what the credential can do, the built-in Microsoft Sentinel Contributor role scoped to the workspace covers incident and alert rule management, and Log Analytics Reader is sufficient for the Run Analytics Query action.

Notes

- Incident Management API
- Saved Searches API
- Analytics Query
- Analytics Query Auth and Permissions
- API Version Documentation
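The Token URL, Host URL and Action Setup sections above describe two different token endpoints and two different API hosts. The following is an added example (not Swimlane's connector code and not Microsoft's SDK) that shows how those pieces fit together using only the Python standard library: it selects the right token endpoint and audience per action, builds the ARM path for incidents from the subscription, resource group and workspace name, builds the Log Analytics query URL from the workspace ID, and turns the 403 case from Known Issues into a clear error. The tenant, subscription, resource group and workspace values are placeholders, and the api-version value is an assumption to be replaced with the version from the Sentinel REST reference you target.

```python
"""Added example (not the connector's own code): OAuth 2.0 client-credentials
requests and request URLs for the Sentinel management API and Log Analytics.
Placeholders in main() are constructed; API_VERSION is an assumption."""
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
MANAGEMENT_HOST = "https://management.azure.com/"
LOG_ANALYTICS_HOST = "https://api.loganalytics.azure.com/"
API_VERSION = "2023-02-01"  # assumed Microsoft.SecurityInsights API version


def token_request(tenant_id, client_id, client_secret, action):
    """Return (token_url, form_body) for the client-credentials grant.

    The Log Analytics query uses the v1 endpoint, which names the audience
    with 'resource'; every other action uses the v2.0 endpoint, which takes
    a 'scope' ending in '/.default'. Tokens are not interchangeable.
    """
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if action == "run_analytics_query":
        url = f"{LOGIN}/{tenant_id}/oauth2/token"
        body["resource"] = LOG_ANALYTICS_HOST
    else:
        url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
        body["scope"] = MANAGEMENT_HOST + ".default"
    return url, body


def incident_url(subscription_id, resource_group, workspace_name, incident_id=None):
    """ARM path for Sentinel incidents (the list endpoint when incident_id is None)."""
    path = (
        f"subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
        f"/providers/Microsoft.SecurityInsights/incidents"
    )
    if incident_id:
        path += f"/{incident_id}"
    return f"{MANAGEMENT_HOST}{path}?api-version={API_VERSION}"


def query_url(workspace_id):
    """Log Analytics query endpoint; it takes the workspace ID, not the name."""
    return f"{LOG_ANALYTICS_HOST}v1/workspaces/{workspace_id}/query"


def fetch_token(tenant_id, client_id, client_secret, action):
    """POST the form body to the token endpoint and return the bearer token."""
    url, body = token_request(tenant_id, client_id, client_secret, action)
    data = urllib.parse.urlencode(body).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)["access_token"]


def call(method, url, token, payload=None):
    """Send an authenticated JSON request; translate the documented 403 case."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 403:
            raise PermissionError(
                "403 from Azure: the app's service principal has no role on the "
                "Sentinel workspace; assign Contributor (or a narrower Sentinel "
                "role) on the workspace and retry"
            ) from e
        raise


if __name__ == "__main__":
    # Constructed placeholders; replace with real values to run against Azure.
    TENANT, CLIENT, SECRET = "<tenant-id>", "<client-id>", "<client-secret>"
    SUB, RG, WS, WS_ID = "<subscription-id>", "<rg>", "<workspace>", "<workspace-id>"
    # Dry run: show which token endpoint and audience each action uses.
    for action in ("list_incidents", "run_analytics_query"):
        url, body = token_request(TENANT, CLIENT, SECRET, action)
        print(action, "->", url, {k: v for k, v in body.items() if k != "client_secret"})
    print(incident_url(SUB, RG, WS))
    print(query_url(WS_ID))
    # Live calls, once the placeholders are real:
    # arm_token = fetch_token(TENANT, CLIENT, SECRET, "list_incidents")
    # print(call("GET", incident_url(SUB, RG, WS), arm_token)["value"][:1])
    # la_token = fetch_token(TENANT, CLIENT, SECRET, "run_analytics_query")
    # print(call("POST", query_url(WS_ID), la_token, {"query": "SecurityIncident | take 5"}))
```

The dry run prints the two token requests with the secret redacted, which is the quickest way to confirm that an asset is pointed at the right endpoint before debugging a 401 or 403 from the API itself.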