In setup step 1 you created a service principal in Azure that the connector app uses when accessing Azure APIs. The service principal credential data consists of the following values and must be entered in the connector app configuration:
- Azure tenant ID
- Azure subscription ID
- App client ID
- App client secret
Create a new connector app in SIGNL4
In SIGNL4, open the Apps menu of your team, search for "Azure Sentinel, SC, etc." and click "Create".
Configure the app parameters as described in the table below.
| Parameter | Description |
|---|---|
| Subscription Id | Azure subscription ID of the subscription you want to get security events from |
| Tenant Id | Your Azure tenant ID |
| Client Id | Client ID that was created and displayed when creating the SPN in Azure using the PowerShell (PS) script |
| Client Secret | Client secret that was created and displayed when creating the SPN in Azure using the PowerShell (PS) script |
| Azure Sentinel Log Analytics Workspace | Sentinel security events (incidents) can be augmented with search result data from the underlying security alerts that triggered the incident. The search results often give more context when investigating an incident. If you leave this field empty, the connector performs no augmentation. |
| Azure Sentinel Resource Group | The name of the resource group in which your Microsoft Sentinel solution is deployed. If you read alerts directly from the Sentinel API (see next parameter), this value is required. Otherwise it is optional and is also used to augment incidents with search results from their underlying security alerts. |
| Read security events from | Select the Azure API that is used to read security alerts / incidents. If Microsoft Sentinel is your single pane of glass for SIEM and all security events are fed into Sentinel, select "Microsoft Sentinel API". If, on the other hand, you have assets in Azure that are not integrated with Sentinel and instead use solutions such as Defender for Cloud to manage the security of those assets, you may select "Microsoft Graph Security API". The Graph Security API also provides access to security alerts from different sources such as Microsoft Sentinel or Defender for Cloud. |
| Filter Severity | Select the incident severities you wish to receive Signls for in SIGNL4. You may, e.g., deselect low severity. |
| Tags for Sentinel incident after Signl creation | Once an incident has been received by SIGNL4, a tag can be added to it in Sentinel. This allows you to keep track of the items that were polled by SIGNL4. You can leave this field empty. |
Once ready, click the "Create" button.
The connector attempts to initialize and to read security events from the selected API. If that succeeds, the app shows an OK status. Otherwise you may see an error status with details, e.g. indicating that the credentials did not work when accessing the API.
Which incidents are retrieved?
In general, the connector retrieves only those Sentinel incidents that match all of the following criteria:
- Must be in the status "New"
- Must not be older than 24 hours (created date)
- Must have one of the configured severities
Incidents matching the criteria above are polled and made available as events in SIGNL4, which creates Signls for your teams as configured in your SIGNL4 tenant.
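The three polling criteria above, applied to a few constructed incident records, as an added example (not SIGNL4's own connector code). The record layout (`properties.status`, `properties.severity`, `properties.createdTimeUtc`) follows the shape of the Microsoft Sentinel incidents REST API and is an assumption, since the page does not show the API response; an incident that was already moved out of "New" or is older than 24 hours is dropped even when its severity is selected.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample incidents (not real data) in the shape of Sentinel
# incidents API records: a name plus a properties bag.
SAMPLE_INCIDENTS = [
    {"name": "inc-1", "properties": {"status": "New", "severity": "High",
                                     "createdTimeUtc": "2024-01-10T11:00:00Z"}},
    {"name": "inc-2", "properties": {"status": "New", "severity": "Low",
                                     "createdTimeUtc": "2024-01-11T09:00:00Z"}},
    {"name": "inc-3", "properties": {"status": "Active", "severity": "High",
                                     "createdTimeUtc": "2024-01-11T08:00:00Z"}},
    {"name": "inc-4", "properties": {"status": "New", "severity": "Medium",
                                     "createdTimeUtc": "2024-01-10T09:30:00.1234567Z"}},
    {"name": "inc-5", "properties": {"status": "New", "severity": "Medium",
                                     "createdTimeUtc": "2024-01-11T09:59:00Z"}},
]

# Fixed "current time" so the example is reproducible offline.
REFERENCE_NOW = datetime(2024, 1, 11, 10, 0, tzinfo=timezone.utc)


def parse_utc(ts):
    # Sentinel timestamps can carry up to seven fractional digits and a
    # trailing Z, which datetime cannot parse directly: drop both and attach
    # an explicit UTC tzinfo so age arithmetic is timezone-aware.
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def select_incidents(incidents, severities, now=None, max_age=timedelta(hours=24)):
    """Return the names of incidents the connector would poll.

    severities: the set selected under "Filter Severity" (e.g. {"High", "Medium"}).
    """
    now = now or datetime.now(timezone.utc)
    selected = []
    for inc in incidents:
        props = inc["properties"]
        if props.get("status") != "New":              # criterion 1: status "New"
            continue
        if now - parse_utc(props["createdTimeUtc"]) > max_age:  # criterion 2: age
            continue
        if props.get("severity") not in severities:   # criterion 3: severity filter
            continue
        selected.append(inc["name"])
    return selected


if __name__ == "__main__":
    print(select_incidents(SAMPLE_INCIDENTS, {"High", "Medium"}, REFERENCE_NOW))
```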