Integrating Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution for proactive threat detection, investigation, and response. You can integrate Microsoft Sentinel with the Delinea Platform by using webhooks.

Prerequisites

Ensure that you have all the required accounts and utilities before starting the integration:

  • Admin account on the Delinea Platform

  • Azure subscription

  • Access to the Microsoft Sentinel portal

  • Log Analytics workspace

Configuring Microsoft Sentinel

To configure Microsoft Azure Sentinel, create a Logic App and set up Sentinel Log Analytics.

Creating a Logic App in Sentinel

To create a logic app:

  1. Log in to the Sentinel dashboard.

  2. In the services section, select Create a resource.

  3. Search for and select the Logic App.

  4. Select Create.

  5. Fill in the required information for your Logic App and select Review+Create.

    Once the deployment is done, your Logic App is created in Sentinel.

Setting up Sentinel Log Analytics

To set up Sentinel log analytics:

  1. In the Logic App, go to Workflows and select Add to add a new workflow.

  2. The Designer page opens. Select Add.

  3. Enter the Workflow Name and select Stateless as the state type.

  4. Select Create.

  5. On the designer page, select Add trigger.

  6. Search for "Http" and select When an HTTP request is received. You will use this trigger later when setting up a webhook on the Delinea Platform.

  7. Click Use sample payload to generate schema and paste the sample into the field.


    Sample Payload

    {
        "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5",
        "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3",
        "Service": {
            "Type": "permission"
        },
        "SessionId": "8194b39f-f7b6-4fb7-9876-2063ac5d3f00",
        "Source": {
            "Host": {
                "Network": {
                    "AddressType": "ipaddress",
                    "IpAddress": "0.0.0.0"
                }
            }
        },
        "Actor": {
            "Id": "9c52b7d1-863d-4de6-87ac-cf6c828fdd9f",
            "PlatformId": "9c52b7d1-863d-4de6-87ac-cf6c828fdd9f",
            "IdType": "platformid",
            "Type": "user",
            "Name": "user@tenant"
        },
        "Target": {
            "Host": {},
            "Id": "a08d7900-e5fd-49e4-bf29-f711b5d83825",
            "IdType": "platformid",
            "Type": "role",
            "Name": "Platform Admin"
        },
        "Action": {
            "Name": "Delinea.Permission.Data.Models.AssignedRole_Deleted",
            "Verb": "AssignedRole_Deleted",
            "TargetType": "Delinea.Permission.Data.Models"
        },
        "EventDateTime": "2023-09-21T14:13:57.7922228+00:00",
        "ProcessedTime": "0001-01-01T00:00:00+00:00",
        "Notes": "Role Platform Admin Deleted from RoleMembership a08d7900-e5fd-49e4-bf29-f711b5d83825.\n",
        "Tags": {},
        "AdditionalAttributes": {},
        "Level": 0,
        "UniqueConsumableId": "76ce017a-8538-453f-81d2-8d5b03816144",
        "Version": 0,
        "Redelivered": false,
        "RelayEvenIfExpired": false,
        "ParentCorrelationId": "00000000-0000-0000-0000-000000000000",
        "CorrelationId": "00000000-0000-0000-0000-000000000000",
        "TenantSecondaryId": "00000000-0000-0000-0000-000000000000",
        "ForceCompress": false
    }

    You can also take the schema payload from the Marketplace > Test webhook Request body.

  8. Select Save.

  9. Add a new action.

  10. Search for "Log Analytics" and select Send Data.

  11. Add the body: click Add in "Send data action" under Parameters.

  12. Click in the JSON Request Body field.

  13. In the dialog, select the Dynamic content tab.

  14. In the search field, specify "body" and click Add.

  15. In Custom Log Name, provide a name for the table (the suggested name is MarketPlaceEvent). Log Analytics appends _CL to this name to form the custom table you will query later.

  16. Connect to your Log Analytics workspace by providing the Workspace ID and Shared Key.

  17. Select Save.

To get the Workspace ID and Shared Key:

  1. In the Sentinel portal, open your workspace by navigating to Home > Microsoft Sentinel.

  2. In the left navigation, select Settings.

  3. Under Settings, select Agents.

  4. Click the arrow icon to expand the Log Analytics agent instructions. The Workspace ID and the Primary Key (used as the Shared Key) are displayed there.
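The Send Data action posts each event to the Log Analytics HTTP Data Collector API, signing the request with an HMAC-SHA256 over the workspace Shared Key. The following added example (not code from the Delinea Platform or the Logic App) builds that signed request offline for a subset of the sample payload above, using constructed placeholder credentials; the Log-Type header carries the custom log name, which is why the table ends up as MarketPlaceEvent_CL.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders; real values come from the Agents pane in Sentinel.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-shared-key-not-real").decode()
CUSTOM_LOG_NAME = "MarketPlaceEvent"  # Log-Type header; table becomes MarketPlaceEvent_CL

# Subset of the sample payload shown on this page.
SAMPLE_EVENT = {
    "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5",
    "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3",
    "Actor": {"Name": "user@tenant", "Type": "user"},
    "Target": {"Name": "Platform Admin", "Type": "role"},
    "Action": {"Verb": "AssignedRole_Deleted"},
    "EventDateTime": "2023-09-21T14:13:57.7922228+00:00",
}


def build_authorization(workspace_id, shared_key, rfc1123_date, content_length,
                        method="POST", content_type="application/json", resource="/api/logs"):
    """Data Collector API scheme: HMAC-SHA256 over the canonical string, keyed with the
    base64-decoded shared key; this is why the Shared Key must be treated as a secret."""
    string_to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(event, rfc1123_date, workspace_id=WORKSPACE_ID,
                  shared_key=SHARED_KEY, log_type=CUSTOM_LOG_NAME):
    """Return (url, headers, body) for one event; nothing is sent on the network."""
    body = json.dumps(event).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": "EventDateTime",  # TimeGenerated taken from the event itself
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_EVENT, "Thu, 21 Sep 2023 14:13:57 GMT")
    print(url)
    print(headers["Authorization"])
```

The real Logic App connector performs this signing for you; the example shows what the Workspace ID and Shared Key are actually used for.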

Integrating Webhooks and Microsoft Sentinel

To integrate webhooks and Microsoft Sentinel, follow these steps.

  1. Log in to the Delinea Platform.

  2. From the left navigation menu, select Settings, then Webhooks.

  3. On the Webhooks page, click Create Webhook.

  4. In the Endpoint URL field, enter the HTTP request URL (the URL generated by the When an HTTP request is received trigger configured in the Logic App).

  5. Select Save.

  6. Verify the configured webhook on the Delinea Platform (see Testing a webhook).

Verifying Logs for the Microsoft Sentinel Webhook

After you have set up the integration, we recommend verifying that the Delinea Platform events are being collected for Azure Sentinel.

  1. Log in to the Delinea Platform and perform an activity that will generate a new audit log.

  2. Open your Logic App.

  3. Select the activity log and verify that the workflow runs are triggered automatically by events from the Delinea Platform.

  4. Go to the Sentinel dashboard in the Microsoft Sentinel Portal.

  5. From the left navigation menu, select Logs.

  6. In the query editor, enter the following KQL query:

    MarketPlaceEvents_CL
    | order by TimeGenerated desc
    | take 10

  7. Verify that the log is displayed.