Integrating Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution for proactive threat detection, investigation, and response. You can integrate Microsoft Sentinel with the Delinea Platform by using webhooks.

Prerequisites

Ensure you have all the required accounts and utilities before starting the integration:

  • Admin account on the Delinea Platform

  • Azure subscription

  • Access to the Microsoft Sentinel portal

  • Log Analytics workspace

Configuring Microsoft Sentinel

To configure Microsoft Azure Sentinel, create a Logic App and set up Sentinel Log Analytics.

Creating a Logic App in Sentinel

To create a logic app:

  1. Log in to the Sentinel dashboard.

  2. In the services section, click Create a resource.

  3. Search for the Logic App and select it.

  4. Click Create.

  5. Fill in the required information for your Logic App and click Review+Create.

    Once the deployment is done, your Logic App is created in Sentinel.

Setting up Sentinel Log Analytics

To set up Sentinel log analytics:

  1. In the Logic App, under Development Tools, click Logic App Designer.

  2. In the designer, click Add trigger.

  3. In the Add trigger window, search for "HTTP" and select "When an HTTP request is received." You will use this trigger when setting up a webhook on the Delinea Platform later.

  4. Click Use sample payload to generate schema and paste the sample into the field.

    Sample Payload

    {
        "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5",
        "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3",
        "Service": {
            "Type": "permission"
        },
        "SessionId": "8194b39f-f7b6-4fb7-9876-2063ac5d3f00",
        "Source": {
            "Host": {
                "Network": {
                    "AddressType": "ipaddress",
                    "IpAddress": "0.0.0.0"
                }
            }
        },
        "Actor": {
            "Id": "9c52b7d1-863d-4de6-87ac-cf6c828fdd9f",
            "PlatformId": "9c52b7d1-863d-4de6-87ac-cf6c828fdd9f",
            "IdType": "platformid",
            "Type": "user",
            "Name": "user@tenant"
        },
        "Target": {
            "Host": {},
            "Id": "a08d7900-e5fd-49e4-bf29-f711b5d83825",
            "IdType": "platformid",
            "Type": "role",
            "Name": "Platform Admin"
        },
        "Action": {
            "Name": "Delinea.Permission.Data.Models.AssignedRole_Deleted",
            "Verb": "AssignedRole_Deleted",
            "TargetType": "Delinea.Permission.Data.Models"
        },
        "EventDateTime": "2023-09-21T14:13:57.7922228+00:00",
        "ProcessedTime": "0001-01-01T00:00:00+00:00",
        "Notes": "Role Platform Admin Deleted from RoleMembership a08d7900-e5fd-49e4-bf29-f711b5d83825.\n",
        "Tags": {},
        "AdditionalAttributes": {},
        "Level": 0,
        "UniqueConsumableId": "76ce017a-8538-453f-81d2-8d5b03816144",
        "Version": 0,
        "Redelivered": false,
        "RelayEvenIfExpired": false,
        "ParentCorrelationId": "00000000-0000-0000-0000-000000000000",
        "CorrelationId": "00000000-0000-0000-0000-000000000000",
        "TenantSecondaryId": "00000000-0000-0000-0000-000000000000",
        "ForceCompress": false
    }

    You can also take the schema payload from the Marketplace > Test webhook Request body.

  5. Add a new action: search for "Sentinel Log Analytics" and select "Send Data."

  6. Add the body: click Add in "Send data action" under Parameters.

  7. Click in JSON Request Body.

  8. In the dialog, select the Dynamic content tab.

  9. In the search field, specify "body" and click Add.

  10. In Custom Log Name, provide a name for the table (the suggested name is MarketPlaceEvent).

  11. Connect to your Log Analytics workspace by providing the Workspace ID and Shared Key.

  12. Click Save.

To get the Workspace ID and Shared Key:

  1. In the Sentinel portal, open your workspace.

  2. In Settings, click Agents.

  3. Click the arrow icon to expand the Log Analytics agent instructions. The Workspace ID and the Primary key (used as the Shared Key) are displayed there. Treat the key as a credential: it authorizes writing data into the workspace.

Integrating Webhooks and Microsoft Sentinel

To integrate webhooks and Microsoft Sentinel, follow these steps.

  1. Log in to the Delinea Platform.

  2. In the left navigation, click Settings, then General Setup.

  3. On the Webhooks page, click Create Webhook.

  4. In the Destination URL field, enter the HTTP POST URL of the "When an HTTP request is received" trigger configured in the Logic App. This URL embeds a shared access signature, so anyone who holds it can post events to the Logic App; handle it as a secret.

  5. Click Save.

  6. Verify the configured webhook on the Delinea Platform. For instructions, see Testing a webhook.

Verifying Logs for the Microsoft Sentinel Webhook

After you have set up the integration, we recommend that you verify that Delinea Platform events are being collected in Microsoft Sentinel.

  1. Log in to the Delinea Platform and perform an activity that will generate a new audit log.

  2. Open your Logic App.

  3. Open the run history (activity log) and verify that runs are triggered automatically by events sent from the Delinea Platform.

  4. Go to the Sentinel dashboard in the Microsoft Sentinel Portal.

  5. In the left menu, click Logs.

  6. Enter the following KQL query in the query editor (the table name is the Custom Log Name you entered in the Send Data action, with the `_CL` suffix that Log Analytics appends to custom tables):

    MarketPlaceEvents_CL | take 10

  7. Verify that the log is displayed.
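As an added example (not part of the Delinea documentation or the Logic App itself), the following Python shows the column names you can expect in the custom table and runs a sample detection over the payload shape shown above. It assumes the Log Analytics Data Collector API naming convention (nested keys joined with underscores, type suffixes such as _s, _d, _b, _g and _t); the exact suffixes and the "Platform Admin" role name are assumptions to confirm against your own workspace before writing an analytics rule.

```python
import json
import re

# Constructed sample: a trimmed copy of the audit event shape from the webhook payload above.
SAMPLE_EVENT = json.loads("""{
  "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5",
  "Actor": {"Id": "9c52b7d1-863d-4de6-87ac-cf6c828fdd9f", "Type": "user", "Name": "user@tenant"},
  "Target": {"Id": "a08d7900-e5fd-49e4-bf29-f711b5d83825", "Type": "role", "Name": "Platform Admin"},
  "Action": {"Verb": "AssignedRole_Deleted"},
  "EventDateTime": "2023-09-21T14:13:57.7922228+00:00", "Level": 0, "Redelivered": false
}""")

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

def _suffix(value):
    """Type suffix appended to a custom-log column (assumed Data Collector API convention)."""
    if isinstance(value, bool):          # bool must be tested before int
        return "_b"
    if isinstance(value, (int, float)):
        return "_d"
    if isinstance(value, str) and GUID_RE.match(value):
        return "_g"
    return "_t" if isinstance(value, str) and ISO_DATE_RE.match(value) else "_s"

def flatten(event, prefix=""):
    """Join nested keys with '_' and add a type suffix, e.g. Target.Name -> Target_Name_s."""
    columns = {}
    for key, value in event.items():
        name = prefix + key
        if isinstance(value, dict):
            columns.update(flatten(value, name + "_"))   # empty objects ({}) yield no column
        else:
            columns[name + _suffix(value)] = value
    return columns

PRIVILEGED_ROLES = {"Platform Admin"}   # assumption: roles worth alerting on

def privileged_role_change(event):
    """Return an alert dict for a membership change of a privileged role, else None. KQL equivalent:
    MarketPlaceEvents_CL | where Target_Type_s == "role" and Target_Name_s == "Platform Admin"
                         | where Action_Verb_s startswith "AssignedRole_" """
    row = flatten(event)
    if row.get("Target_Type_s") != "role" or row.get("Target_Name_s") not in PRIVILEGED_ROLES:
        return None
    if not str(row.get("Action_Verb_s", "")).startswith("AssignedRole_"):
        return None
    return {"actor": row.get("Actor_Name_s"), "role": row["Target_Name_s"], "verb": row["Action_Verb_s"],
            "time": row.get("EventDateTime_t"), "event_id": row.get("AuditEventMessageId_g")}
```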