This guide walks you through creating a Microsoft Entra ID application with permissions to access your Microsoft Sentinel instance, and gathering all of the necessary configuration values to create a Microsoft Sentinel integration.
Create a Microsoft Entra ID Application and Service Principal
Before you begin, you must have access to the Microsoft Azure portal and have a Microsoft Sentinel instance provisioned for a Log Analytics workspace.
1. Create Entra ID Application
API access is granted to a service principal, which is created by registering a new Application with Entra ID. Follow the Microsoft documentation to create the application. When complete, record the tenant ID, Application (client) ID, and the client secret in a safe location.
2. Assign permissions to the service principal
Note the modified permissions below when following the Microsoft documentation.
Once you have the application registered, add permissions and roles as described in the Microsoft Authentication documentation.
When adding API permissions, the Microsoft documentation suggests adding Data.Read as a 'Delegated' permission, but a delegated permission does not grant the service principal itself any access. Instead, add the Data.Read permission as an 'Application' permission. Once done, make sure you enable the permission by clicking the 'Grant admin consent' button.
When adding the Log Analytics Role Assignments, the documentation mentions only the 'Reader' role. For full functionality, add all of the following roles:
- Reader
- Microsoft Sentinel Contributor
3. Gather the log analytics workspace values
On the Log Analytics workspace overview page, find the 'Resource group' name, 'Subscription ID', 'Workspace Name', and 'Workspace ID'. Note these values in a safe location along with your application authentication values.
Configure the Integration
Create your integration by supplying all of the required and any desired optional values.
Logs URL (Optional): The root URL for the Microsoft Azure Monitor Logs API. This is optional and should only be supplied if using an alternate Microsoft cloud, such as GovCloud. Default "https://api.loganalytics.azure.com".
Management URL (Optional): The root URL for the Microsoft Azure Management API. This is optional and should only be supplied if using an alternate Microsoft cloud, such as GovCloud. Default "https://management.azure.com".
Tenant ID: The 'Directory (tenant) ID' gathered in step 1.
Client ID: The 'Application (client) ID' gathered in step 1.
Client Secret: The client secret gathered in step 1.
Resource Group: The 'Resource Group' gathered in step 3.
Subscription ID: The 'Subscription ID' gathered in step 3.
Workspace ID: The 'Workspace ID' gathered in step 3.
Workspace Name: The 'Workspace Name' gathered in step 3.
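Before saving the integration, it is worth checking that the values above actually work, and in particular that Data.Read was granted as an Application permission and that both roles are assigned on the workspace. The script below is an added example, not part of this guide or of any Microsoft SDK; it uses only the Python standard library. The token endpoint, the Azure Monitor Logs query path and the Azure Resource Manager paths and api-versions are the public Microsoft ones; every value in CONFIG is a constructed placeholder, and the login authority is assumed to be the public cloud one (sovereign clouds use a different authority, which the guide does not cover).

```python
"""Check the Microsoft Sentinel integration values gathered in steps 1-3.

Added example, not part of the original guide or of a Microsoft SDK.
All values in CONFIG are constructed placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders; replace with the values from steps 1-3.
CONFIG = {
    "logs_url": "https://api.loganalytics.azure.com",  # optional field, default
    "management_url": "https://management.azure.com",  # optional field, default
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "client_secret": "<client secret from step 1>",
    "resource_group": "sentinel-rg",
    "subscription_id": "22222222-2222-2222-2222-222222222222",
    "workspace_id": "33333333-3333-3333-3333-333333333333",
    "workspace_name": "sentinel-workspace",
}
REQUIRED_ROLES = ("Reader", "Microsoft Sentinel Contributor")


def token_request(tenant_id, client_id, client_secret, resource_url,
                  authority="https://login.microsoftonline.com"):
    """Client-credentials token request for one API (Logs or Management).

    The scope is the API root plus '/.default', so the Logs URL / Management
    URL from the configuration decide which audience is requested. The
    authority default assumes the public cloud.
    """
    url = f"{authority}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource_url.rstrip("/") + "/.default",
    }).encode()
    return url, body


def token_claims(access_token):
    """Decode the JWT payload for local inspection (signature NOT verified)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_roles(access_token):
    """App roles in the token. Data.Read granted as an 'Application' permission
    with admin consent appears here; a 'Delegated' grant never does for a
    client-credentials token, which is why the Logs API then answers 403."""
    return token_claims(access_token).get("roles", [])


def workspace_scope(cfg):
    """ARM resource ID of the Log Analytics workspace (the role-assignment scope)."""
    return (f"/subscriptions/{cfg['subscription_id']}"
            f"/resourceGroups/{cfg['resource_group']}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{cfg['workspace_name']}")


def query_request(logs_url, workspace_id, token, kql="SecurityIncident | take 1"):
    """Azure Monitor Logs query request, addressed by workspace ID."""
    url = f"{logs_url.rstrip('/')}/v1/workspaces/{workspace_id}/query"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return url, json.dumps({"query": kql}).encode(), headers


def _get_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def assigned_roles(cfg, arm_token):
    """Role names assigned directly to this service principal at or above the
    workspace scope. The principal's object ID is the token's 'oid' claim."""
    mgmt = cfg["management_url"].rstrip("/")
    headers = {"Authorization": f"Bearer {arm_token}"}
    flt = urllib.parse.quote(f"principalId eq '{token_claims(arm_token)['oid']}'")
    listing = _get_json(f"{mgmt}{workspace_scope(cfg)}/providers/Microsoft.Authorization"
                        f"/roleAssignments?$filter={flt}&api-version=2022-04-01", headers=headers)
    names = set()
    for assignment in listing["value"]:  # roleDefinitionId is a full ARM path
        definition = _get_json(f"{mgmt}{assignment['properties']['roleDefinitionId']}"
                               "?api-version=2022-04-01", headers=headers)
        names.add(definition["properties"]["roleName"])
    return names


def check(cfg=CONFIG):
    """Exercise both APIs the integration uses; return a list of problems found."""
    problems = []
    url, body = token_request(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"], cfg["logs_url"])
    logs_token = _get_json(url, body)["access_token"]
    if "Data.Read" not in token_roles(logs_token):
        problems.append("Data.Read missing from token roles: add it as an 'Application' "
                        "permission and click 'Grant admin consent'")
    q_url, q_body, q_headers = query_request(cfg["logs_url"], cfg["workspace_id"], logs_token)
    _get_json(q_url, q_body, q_headers)  # HTTP 403 here means the Reader role is missing
    url, body = token_request(cfg["tenant_id"], cfg["client_id"], cfg["client_secret"], cfg["management_url"])
    missing = set(REQUIRED_ROLES) - assigned_roles(cfg, _get_json(url, body)["access_token"])
    if missing:
        problems.append(f"role assignments missing on the workspace: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for line in check() or ["all checks passed"]:
        print(line)
```

Run it once with the real values filled in; the first failure it reports maps directly onto one of steps 1 to 3 above. The role check only sees assignments made directly to the service principal, so a role inherited through group membership will be reported as missing even though it works; the payload decode in token_claims is a diagnostic aid, not a validation of the token, which is the API's job.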