SIGNL4 uses a service principal in Azure ("App registration") when making calls to the Azure APIs. In addition, this principal is added to a custom user role which tailors access permissions to the minimum of required resources. And the best is that you don't need to create all these things manually. Instead you can use a PowerShell script to have this done in a few moments.
Creating service principal and user role
Follow these steps to create the service principal in Azure:
- Download the PowerShell deployment script from here.
- Review the script and the roles and permission scopes it deploys for the new app registration. If you don't want to use the connector with Azure Sentinel, you could remove all role creation and role assignment code and only use it to create the app registration (SPN) in your Azure Active Directory.
- Make sure you have all dependent modules installed, which are listed on top of the script.
- Run the script.
- Initially, you are prompted to select the subscription in Azure that holds your Sentinel assets. Afterwards, the provisioning of the SPN and the corresponding IAM role is completed automatically.
- At the end it outputs information that you need to enter in the connector app configuration which is explained in the next chapter. Please make a note of this information.
- In Azure AD, click on 'App Registrations'. Find the app with the name 'AzureSentinel and LogAnalytics Client for SIGNL4'.
Note: If you are a service provider and want to attach multiple customer Azure tenants, you must run this script for each of your clients and create multiple connector apps in SIGNL4.
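To illustrate what the deployment script does under the hood, here is an added example (not SIGNL4's own script) that performs the same steps with the Az PowerShell modules: pick a subscription, create the app registration and service principal, define a custom role that is assignable only within that subscription, assign it, verify the assignment and print the values the connector app needs. The application and role names, the secret lifetime and the role's action list are assumptions; the real script's permission set may differ.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example, not the SIGNL4 deployment script. Creates an app registration,
# a service principal, a least-privilege custom role scoped to one subscription
# and the role assignment. Names, role actions and secret lifetime are assumptions.

param(
    [string]$AppName  = 'AzureSentinel and LogAnalytics Client for SIGNL4',
    [string]$RoleName = 'SIGNL4 Sentinel Connector (example)',
    [int]$SecretValidYears = 1
)

$ErrorActionPreference = 'Stop'
Connect-AzAccount | Out-Null

# 1. Let the operator pick the subscription that holds the Sentinel workspace.
$subs = @(Get-AzSubscription)
for ($i = 0; $i -lt $subs.Count; $i++) {
    "[{0}] {1} ({2})" -f $i, $subs[$i].Name, $subs[$i].Id
}
$choice = [int](Read-Host 'Select subscription index')
$sub = $subs[$choice]
Set-AzContext -SubscriptionId $sub.Id | Out-Null
$scope = "/subscriptions/$($sub.Id)"

# 2. App registration, service principal and a client secret with a bounded lifetime.
$app  = New-AzADApplication -DisplayName $AppName
$sp   = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears($SecretValidYears)

# 3. Custom role: read-only actions on Sentinel incidents and the workspace (illustrative
#    action set), and AssignableScopes limited to the chosen subscription so the role
#    cannot be handed out elsewhere.
$roleJson = @{
    Name             = $RoleName
    Description      = 'Least-privilege read access for the SIGNL4 connector (example)'
    Actions          = @(
        'Microsoft.SecurityInsights/incidents/read',
        'Microsoft.OperationalInsights/workspaces/read'
    )
    NotActions       = @()
    AssignableScopes = @($scope)
} | ConvertTo-Json -Depth 4
$roleFile = Join-Path ([IO.Path]::GetTempPath()) 'signl4-role.json'
Set-Content -Path $roleFile -Value $roleJson
if (-not (Get-AzRoleDefinition -Name $RoleName)) {
    New-AzRoleDefinition -InputFile $roleFile | Out-Null
}

# 4. Assign the role at subscription scope. A freshly created principal can take a
#    moment to replicate, so retry a few times instead of failing on the first attempt.
$assigned = $null
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        $assigned = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $RoleName -Scope $scope
    } catch {
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw "Role assignment for $($sp.Id) failed after retries" }

# 5. Verify the principal holds only the intended role at the intended scope.
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 6. Values to enter in the SIGNL4 connector configuration. The secret is only
#    retrievable now, so record it in your secret store immediately.
[pscustomobject]@{
    TenantId       = (Get-AzContext).Tenant.Id
    SubscriptionId = $sub.Id
    ClientId       = $app.AppId
    ClientSecret   = $cred.SecretText
}
```

Two points worth checking when you review the real script against this pattern: the role's AssignableScopes should be the single subscription you selected rather than the whole tenant, and the assignment should be made at that scope (or narrower, such as the workspace's resource group) rather than at the management group or root, since every resource under the assignment scope becomes readable to the connector.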
Optionally assign GraphAPI permissions
The connector app can use the Graph Security API to retrieve additional security events from your Azure subscriptions that are not integrated into Sentinel. If you want to use that functionality (maybe in another connector instance), please open "API permissions" from the details of the registered application and click "Add a permission". Select Graph API on the displayed blade and add the permissions that are displayed in this image:
Finally, make sure to press the button "Grant admin consent".