Ingest Alert, Incident, and Event data from Microsoft Sentinel on the AgileBlue Security Operations Platform. This integration collects data via the REST API and Event Hubs.
Overview
AgileBlue's integration with Microsoft Sentinel allows for ingestion of Alert and Incident data via the Microsoft Sentinel REST API. Event data is ingested from the Microsoft Azure Event Hub, allowing for wider visibility into related activity.
API Configuration
Follow the steps below to set up a Microsoft Azure application which will collect Alert and Incident data from Microsoft Sentinel via the REST API.
Configure Your Azure Application
- Log in to the Azure Portal using your Global Administrator credentials. (E.g. an account that is marked as Global Administrator.)
- Navigate to the Microsoft Entra ID under Azure services
- Select App Registrations in the left-hand menu
- Click New registration
- Name: AgileBlue Microsoft Sentinel
- Supported account types: Accounts in this organizational directory only (Your tenant only - Single tenant)
- Redirect URI: No value/not needed
- Select Register
Add Required Permissions
- Within the application created in the previous step, select View API permissions
- Click Add a permission
- Add the following Microsoft Graph permissions
- SecurityAlert.Read.All (Application & Delegated)
- User.Read (Delegated)
- After permissions have been selected, click Add permissions
- Select Grant admin consent for [your tenant name]
Create Client Secret Key & Collect Account Details
- Select Certificates & secrets from the left-hand menu
- Once the page loads, click New client secret
- On the pop out that appears, provide a Description of AgileBlue Microsoft Sentinel Collection Service and select your desired timeframe for expiration
- Please note this expiration date of the secret value
- Click Add
CAUTION! Depending on your version of Azure/Office365 and/or your security configurations, you may only have ONE CHANCE to grab this value. Be sure to copy this value and store it somewhere safe immediately. - Copy the Secret Value to a secure location
- NOTE: The Secret Value is different than the Secret ID. The required value may have numbers, letters, and special characters. The Secret ID will only include numbers, letters, and hyphens. Please ensure the Secret Value is collected, not the Secret ID.
- Navigate back to the Overview page and copy the following values:
-
Application (client) ID
- Directory (tenant) ID
-
Gather Additional Required Information
- Navigate to Microsoft Sentinel and select the desired workspace on your list
- Take note of the following information, which will need to be provided to AgileBlue:
- Workspace Name
- Subscription ID
- Resource Group
Event Hub Configuration
Follow the steps below to set up an Event Hub which will collect Event data from Microsoft Sentinel and stream this information back to AgileBlue.
Create a Resource Group
- Log into your Azure Portal
- Select Resource Group from the menu then click + Create
- Designate the Subscription in which the resource group should be created
- Assign a unique name to the group (Ex. AgileBlue-Resource-Group)
- Select the Region
- Click Review + Create
Create an Event Hubs Namespace
- Navigate to All Services in the left-hand menu and click Event Hubs under Analytics
- Click + Create in the top left-hand corner
- Select the subscription where your Sentinel environment is deployed
- Choose the Resource Group created in the prior section
- Input name for the Event Hubs Namespace
- Select a Location
- Select a pricing tier, likely Standard for this integration
- Click Review + Create
- Review the settings then click Create and wait for the deployment to complete
- Once on the Deployment page, click Go to resource
- Verify that you see the Event Hubs namespace page with the name provided earlier in this section
Create an Event Hub
- While on the Event Hubs namespace Overview page, click +Event Hub
- Give a name for the event hub (all lower case, no special characters other than -)
- Leave all other settings as default unless otherwise required
- Click Review + create
- On the following page, select Create if all settings look accurate
- Once the Event Hub is created, you will see it under the list of Event Hubs in the Event Hubs Namespace
Enable Log Analytics Export
- Navigate to the Log Analytics Workspaces
- Choose the Workspace associated with your Azure Sentinel deployment
- Go to Data Export
- Select New export rule
- Provide a rule name under the Basic section and select the desired tables you want to export to a storage account under the Source section
- Under Destination, enter select Event Hub as the Type and fill in the following the additional details (subscription, region, event hubs namespace, event hub name, etc.)
- Select Review + create then click Create
Gather Required Information
- Event Hub Connection string-primary key
- Navigate to the Event Hubs namespace and select Shared Access Policies
- Click RootManageSharedAccessKey and copy the connection string-primary key, which will need to be provided to AgileBlue
- Storage Account
- Navigate to All Services > Storage > Storage Accounts
- Click Create Storage Account and complete the settings based on the information created so far in this guide
- Note the Storage account name which will need to be provided to AgileBlue
- Click Review + create
- On the review page, copy the Storage Account Name and the values under Key 1 (Key and Connection string)
Send Required Information to AgileBlue
Once all prior steps have been completed, send the following information back to AgileBlue Support via a secure communication method:
- Azure Application
- Application (client) ID
- Directory (tenant) ID
- Secret Value
- Secret Value Expiration Date
- Event Hub
- Event Hub Name (NOTE: This is the name of the event hub, NOT the name of the Event Hubs namespace)
- Connection String
- Storage Account Name
- Storage Account Key
Questions? Contact AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400