
Microsoft Sentinel

What is Microsoft Sentinel?

Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.

Why Should You Use the Microsoft Sentinel Connector?

The Microsoft Sentinel connector provides visibility into the logs, alerts, and incidents managed by Microsoft Sentinel. You can use this visibility to:

  • ensure each asset is running the latest version of the monitoring agent that reports into the Log Analytics workspace used by Microsoft Sentinel (Lucidum reads the agent heartbeats)

  • ensure assets are managed per your security policies

  • act upon alerts and incidents

How Does This Connector Work?

Lucidum executes read-only requests to the Microsoft Sentinel Management, Microsoft Graph Security, and Log Analytics REST APIs and ingests only metadata about Sentinel incidents, alerts, and agent heartbeats. Lucidum does not retrieve any data stored on your assets.

Requirements

To use the Sentinel Connector in Lucidum:

  1. Before configuring the Microsoft Sentinel connector in Lucidum, you must first create a read-only application in Azure. If you are already using Lucidum to ingest data from Microsoft Azure and Azure AD, you can use the read-only application you created for Azure to also ingest data from Sentinel.

  2. You must add API permissions to the read-only application in Azure.

  3. You can then configure the Sentinel connector in Lucidum and start ingesting data from Microsoft Sentinel.

Prerequisite: Editing the Azure Application

If you are already using Lucidum to ingest data from Microsoft Azure and Azure AD, you have already created a read-only application in Azure that allows Lucidum to ingest data from Azure and Azure Active Directory. You can use the same application to ingest data from Sentinel.

If you are not already using Lucidum to ingest data from Microsoft Azure and Azure AD, you must create a read-only application in Azure before you can configure and use the Microsoft Sentinel connector.

The Microsoft Sentinel connector retrieves data from these APIs:

  • Microsoft Sentinel Management API (the SecurityInsights REST API): incidents and other Sentinel resources

  • Microsoft Graph Security API: alerts

  • Log Analytics API: KQL queries against the Sentinel workspace (the SecurityAlert and Heartbeat tables used by the connector's default queries)

The following sections describe how to edit the read-only application in Azure to allow access to these APIs.

Access to Microsoft Sentinel Management API

To allow the Azure application to access the Microsoft Sentinel Management API:

  1. Log in to the Azure Portal (https://portal.azure.com/) with an account that can assign Azure roles on the resource group (Owner or User Access Administrator; an Azure AD global administrator has this right only after elevating access to Azure resources).

  2. Navigate to the Resource Group for your implementation of Sentinel.

  3. Click Access Control (IAM).

  4. Click Add > Add role assignment.

  5. Select one of the following roles, depending on what Lucidum must be able to do:

    • Microsoft Sentinel Reader: read incidents, alerts, and other Sentinel data. This is sufficient for ingestion and is the least-privilege choice for a read-only application.

    • Microsoft Sentinel Responder: everything in Reader plus managing incidents (for example, assigning or closing them). Assign this role only if a Lucidum action that writes to Sentinel requires it; it is not needed to ingest data.

    • Microsoft Sentinel Contributor: everything in Responder plus creating and editing analytics rules, workbooks, and other Sentinel resources. Ingestion does not need this role.

  6. On the Members tab, choose User, group, or service principal, click Select members, search for your read-only Azure app, and select it.

  7. Click Review + assign.

Access to Microsoft Graph Security API

To edit the read-only application to allow access to the Microsoft Graph Security API:

  1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account (or another role that can grant tenant-wide admin consent, which step 6 requires).

  2. Select Azure Active Directory > App registrations. Navigate to your Azure application.

  3. Select API permissions > Add a permission > Microsoft Graph > Application permissions.

  4. Under Select permissions, select one of the following:

    • SecurityEvents.Read.All (sufficient for ingesting alerts), or

    • SecurityEvents.ReadWrite.All (required only if you use the Lucidum Sentinel Action to create security events)

  5. Select Add permissions.

  6. Select Grant admin consent for <your tenant> and confirm. Application permissions have no effect until an administrator consents; the permission's Status column should then show Granted.

Access to the Log Analytics API

To edit the read-only application to allow access to the Log Analytics API:

  1. Log in to the Azure Portal (https://portal.azure.com/) with an Azure AD global administrator account (or another role that can grant tenant-wide admin consent).

  2. Select Azure Active Directory > App registrations. Navigate to your Azure application.

  3. In the Overview page, select API permissions.

  4. Select Add a permission.

  5. In the APIs my organization uses tab, search for "log analytics" and select Log Analytics API from the list.

  6. Select Application permissions.

  7. Check the checkbox for Data.Read.

  8. Select Add permissions.

  9. Select Grant admin consent for <your tenant> and confirm. Without consent the Data.Read permission is listed but not effective.

The API permission only lets the app call the Log Analytics API; it must also be granted access to the workspace itself. To grant your read-only Azure app access to your Log Analytics Workspace:

  10. Navigate to your Log Analytics Workspace.

  11. In the overview page, select Access control (IAM).

  12. Select Add > Add role assignment.

  13. Select the Reader role (or Log Analytics Reader, which is limited to monitoring data and settings). Do not assign Contributor; the connector only queries the workspace.

  14. Select the Members tab.

  15. In the Members tab, choose User, group, or service principal, then select Select members.

  16. Enter the name of your read-only Azure app in the Select field.

  17. Choose your app and select Select.

  18. Select Review + assign.
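The two IAM procedures above (Sentinel roles on the resource group, Reader on the workspace) are what give the application its Azure RBAC rights, and the page calls the application read-only. The following Python script, added here as an example and not part of Lucidum's product or Microsoft's documentation, audits the assignments the application actually holds against that least-privilege set. It assumes the Azure CLI is installed and logged in for the live path; the field names roleDefinitionName, scope and principalType are those of `az role assignment list` output, and the sample assignments are constructed.

```python
"""Added example (not Lucidum's code): check that the read-only app's Azure RBAC
assignments stay at least privilege. Input is the JSON printed by
    az role assignment list --assignee <client id> --all -o json
(field names are az's; SAMPLE_ASSIGNMENTS below is constructed, not exported from a tenant)."""
import json
import subprocess

# Enough for ingestion: Microsoft Sentinel Reader on the Sentinel resource group and Reader
# (or Log Analytics Reader) on the workspace. Everything else confers write access.
READ_ONLY_ROLES = {"Microsoft Sentinel Reader", "Reader", "Log Analytics Reader"}
SENTINEL_WRITE_ROLES = {"Microsoft Sentinel Responder", "Microsoft Sentinel Contributor"}


def assignments_from_az(client_id):
    """Live path: ask the Azure CLI (must be logged in) for the app's assignments."""
    proc = subprocess.run(["az", "role", "assignment", "list", "--assignee", client_id,
                           "--all", "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def scope_level(scope):
    """Classify an ARM scope string by breadth: management-group, subscription,
    resource-group, or resource (anything under /providers/ below a resource group)."""
    s = scope.lower()
    if "/resourcegroups/" not in s:
        return "subscription" if s.startswith("/subscriptions/") else "management-group"
    below_rg = s.split("/resourcegroups/", 1)[1]
    return "resource" if "/providers/" in below_rg else "resource-group"


def audit(assignments):
    """One finding per assignment that grants write access, or a read role at a scope
    broader than a resource group (a subscription-wide Reader sees far more than Sentinel)."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in READ_ONLY_ROLES:
            issue = "sentinel-write" if role in SENTINEL_WRITE_ROLES else "not-read-only"
        elif scope_level(scope) in ("subscription", "management-group"):
            issue = "broad-scope"
        else:
            continue
        findings.append({"role": role, "scope": scope, "issue": issue})
    return findings


# Constructed sample: what the steps on this page produce if all three Sentinel roles
# are added and Reader is also granted at subscription level by mistake.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Microsoft Sentinel Reader",
     "scope": SUB + "/resourceGroups/rg-sentinel"},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Microsoft Sentinel Contributor",
     "scope": SUB + "/resourceGroups/rg-sentinel"},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"},
    {"principalType": "ServicePrincipal", "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f"{f['issue']:14} {f['role']:32} {f['scope']}")
```

Run against a real tenant by replacing SAMPLE_ASSIGNMENTS with assignments_from_az("<client id>"); an empty findings list means the app holds only read roles scoped no wider than a resource group.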

Configuring the Sentinel Connector

To configure Lucidum to ingest data from Microsoft Sentinel:

  1. Log in to Lucidum.

  2. In the left pane, click Connector.

  3. In the Connector page, click Add Connector.

  4. Scroll until you find the Microsoft Sentinel connector. Click Connect. The Settings page appears, with the fields described below.

Client ID
  Description: Enter the Client ID for the Lucidum application in Azure. Client ID is the unique identifier for the Lucidum application in Azure Active Directory. Client ID is also called Application ID. If you select the KMS checkbox, Lucidum retrieves this value from the key management service at the URL specified in Settings > System Settings, on the Key Management page.
  Example: 33333333-0000-0000-0000-123456789123

Client Secret
  Description: Enter the Client Secret for the Lucidum application in Azure. Use the secret's value (shown only once, when the secret is created), not its Secret ID. If you select the KMS checkbox, Lucidum retrieves this value from the key management service at the URL specified in Settings > System Settings, on the Key Management page, which avoids storing the secret in the connector configuration.
  Example: ************

Tenant ID
  Description: Enter the tenant ID. Tenant ID is the unique identifier for your Azure Active Directory tenant. If you select the KMS checkbox, Lucidum retrieves this value from the key management service at the URL specified in Settings > System Settings, on the Key Management page.
  Example: x0xxx10-00x0-0x01-0xxx-x0x0x01xx100

Log Analytics Security Alert Query
  Description: KQL query string used to fetch security alerts from Log Analytics in Azure. The default, SecurityAlert, returns every row of the SecurityAlert table, that is, all alerts and all alert data.
  Example: SecurityAlert

Log Analytics Heartbeat Query
  Description: KQL query string used to fetch agent heartbeats. The default returns each computer whose most recent heartbeat is older than 24 hours, that is, the agents that have stopped reporting; it lists hosts rather than returning a count. For more Heartbeat query examples, see: https://learn.microsoft.com/en-us/azure/azure-monitor/insights/solution-agenthealth#sample-log-searches
  Example: Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(24h)

Verify SSL
  Description: For future use.
  Example: N/A

URL
  Description: The base URL of the Log Analytics query API in Azure. If you select the KMS checkbox, Lucidum uses the URL specified in Settings > System Settings, on the Key Management page.
  Example: https://api.loganalytics.azure.com

To test the configuration, click Test.

  • If the connector is configured correctly, Lucidum displays a list of services that are accessible with the connector.

  • If the connector is not configured correctly, Lucidum displays an error message.
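The settings above amount to a client-credentials token request plus two KQL queries. The following Python script, added here as an example (it is not Lucidum's connector code and not from Microsoft's documentation), reproduces that flow for the three APIs listed under Prerequisite: it builds the token request, reads alerts from the Microsoft Graph Security API with paging, runs the heartbeat query through the Log Analytics API, flattens the response, and re-checks the 24-hour rule. The token, Graph and Log Analytics hosts, scopes and paths are Microsoft's public endpoints and are this example's assumptions, not values from the page; the sample responses are constructed. It needs only the Python standard library.

```python
"""Added example (not Lucidum's code): a read-only probe of the three APIs the Sentinel
connector uses, with the pure parts split out so they run offline on the constructed samples
below. Hosts, scopes and paths are Microsoft's public endpoints, assumed here, not from the page."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"   # scope https://graph.microsoft.com/.default
LOG_ANALYTICS_BASE = "https://api.loganalytics.io"   # scope https://api.loganalytics.io/.default
HEARTBEAT_QUERY = ("Heartbeat | summarize LastCall = max(TimeGenerated) by Computer "
                   "| where LastCall < ago(24h)")   # the connector's default heartbeat query

def token_request(tenant_id, client_id, client_secret, scope):
    """Client-credentials grant (RFC 6749 section 4.4); returns (url, form body) for inspection."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": scope})
    return TOKEN_URL.format(tenant=tenant_id), body

def get_token(tenant_id, client_id, client_secret, scope):
    """Live path: exchange the app's credentials for a bearer token for one resource scope."""
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]

def fetch_json(url, token, body=None):
    """Bearer-authenticated GET, or POST when a JSON body is given."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="GET" if data is None else "POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

def graph_alerts(token, fetch=fetch_json, max_pages=50):
    """Alerts from Microsoft Graph Security (SecurityEvents.Read.All), following @odata.nextLink.
    `fetch` is injectable so the paging logic can be exercised on constructed pages."""
    url, alerts = GRAPH_ALERTS_URL, []
    for _ in range(max_pages):
        page = fetch(url, token)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        if not url:
            break
    return alerts

def rows_from_tables(response):
    """Flatten the Log Analytics API's {tables: [{columns, rows}]} layout into dicts."""
    rows = []
    for table in response.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        rows.extend(dict(zip(names, row)) for row in table["rows"])
    return rows

def log_analytics_query(token, workspace_id, kql, fetch=fetch_json):
    """Run KQL against one workspace (Data.Read on the API plus Reader on the workspace)."""
    url = f"{LOG_ANALYTICS_BASE}/v1/workspaces/{workspace_id}/query"
    return rows_from_tables(fetch(url, token, {"query": kql}))

def parse_la_datetime(text):
    """Log Analytics datetimes carry up to 7 fractional digits and a trailing Z;
    datetime.fromisoformat accepts at most 6, so trim before parsing."""
    text = text.rstrip("Z")
    if "." in text:
        head, frac = text.split(".", 1)
        text = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def stale_agents(heartbeat_rows, now, max_age=timedelta(hours=24)):
    """Re-apply the 24h rule client-side so an edited query cannot silently widen it."""
    return sorted(r["Computer"] for r in heartbeat_rows
                  if now - parse_la_datetime(r["LastCall"]) > max_age)

# Constructed samples in the real response shapes (not captured from any tenant).
SAMPLE_GRAPH_PAGES = {
    GRAPH_ALERTS_URL: {"value": [{"id": "alert-1", "severity": "high"}],
                       "@odata.nextLink": GRAPH_ALERTS_URL + "?$skiptoken=page2"},
    GRAPH_ALERTS_URL + "?$skiptoken=page2": {"value": [{"id": "alert-2", "severity": "low"}]},
}
SAMPLE_HEARTBEAT_RESPONSE = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "Computer", "type": "string"}, {"name": "LastCall", "type": "datetime"}],
    # db-02 is fresh; a real result would omit it, it is here to exercise the client-side check
    "rows": [["web-01", "2024-05-01T08:00:00.1234567Z"], ["db-02", "2024-05-03T07:30:00Z"]],
}]}
SAMPLE_NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    offline = lambda url, token, body=None: SAMPLE_GRAPH_PAGES.get(url, SAMPLE_HEARTBEAT_RESPONSE)
    print("alerts:", [a["id"] for a in graph_alerts("fake-token", fetch=offline)])
    rows = log_analytics_query("fake-token", "workspace-id", HEARTBEAT_QUERY, fetch=offline)
    print("stale agents:", stale_agents(rows, SAMPLE_NOW))   # ['web-01']
```

For a live run, call get_token once per API with the scope noted beside each host (one token cannot serve both Graph and Log Analytics, since the audience differs) and pass the real fetch_json; a 403 from Graph after a successful token call almost always means the application permission was added but admin consent was never granted.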

Source Documentation

Creating an Application in Azure

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp?view=o365-worldwide

Allowing the Azure Read-Only App to Access Sentinel APIs

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-api-101/ba-p/1438928

Queries for Log Analytics

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-log-query

https://learn.microsoft.com/en-us/azure/azure-monitor/insights/solution-agenthealth#sample-log-searches

Microsoft Sentinel Management API

https://learn.microsoft.com/en-us/rest/api/securityinsights/

Microsoft Graph Security API

https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Microsoft Log Analytics API

https://learn.microsoft.com/en-us/rest/api/loganalytics/
