Integrating Microsoft Sentinel

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution for proactive threat detection, investigation, and response. You can integrate Microsoft Sentinel with the Delinea Platform by using webhooks.

Prerequisites

Ensure that you have all the required accounts and utilities before starting the integration:

• Admin account on the Delinea Platform

• Azure subscription

• Access to the Microsoft Sentinel portal

• Log Analytics workspace

This integration does not rely on the deprecated Log Analytics Agent, which was retired on August 31, 2024. Instead, it leverages HTTP requests to trigger Azure Logic Apps workflows that generate custom log entries or alerts in Azure Sentinel. This integration does not depend on either the Log Analytics Agent or the Azure Monitor Agent (AMA), ensuring a modern, agentless solution.

Configuring Microsoft Sentinel

To configure Microsoft Azure Sentinel, create a Logic app and set up Sentinel Log Analytics.

Creating a Logic App in Sentinel

To create a logic app:

1. Log in to the Azure portal dashboard.

2. In the services section, select Create a resource.
   
   

3. Enter Logic App in the search area, and then select Logic App.
   
   

4. Select Create.

5. Select the Workflow Service Plan check box.
   
   

6. Click Select.

7. Fill in the required information for your Logic App and select Review + Create.

8. Once the deployment is done, your Logic App is created in Sentinel.

Setting up Sentinel Log Analytics

To set up Sentinel log analytics:

1. In the Logic App, go to Workflows and select Add to add a new workflow. The Create Workflow window opens.
   

2. Enter the Workflow Name and select Stateless as the state type.
   
   

3. Select Create. Note: Depending on screen resolution, the Create button might be hidden at the bottom of the app tile.

4. Open the newly-created workflow.

5. Navigate to Tools > Designer.
   
   

6. On the Designer page, select the plus sign, then select Add trigger.
   

7. Search for "HTTP" and select When an HTTP request is received in the Request section. You will use this trigger later when setting up a webhook on the Delinea Platform.

   
   

8. Select the Use sample payload to generate schema hyperlink.
   
   

9. Paste the following code into the field. (Alternatively, you can retrieve the schema payload from the Marketplace >Test webhook Request body) :

10. Copy

    { 
    
      "AuditEventMessageId": "87b928df-ccc5-46ed-8cc5-b2e88866a2b5", 
    
      "TenantId": "7968fc7c-9205-4bd8-ad41-1432ffb8f7d3", 
    
      ... 
    
      "ForceCompress": false 
    
    } 

11. Select Done , then select Save.
    

12. Select the plus sign and then select Add an action.
    
    

13. Search for "Log Analytics" and select Send Data. The Create a connection page opens.
    

14. Provide the Workspace ID and Shared Key. Where to Find Your Workspace ID and Key:

    1. In the Sentinel portal, go to Home > Microsoft Sentinel.

    2. Navigate to Settings > Workspace settings > Settings > Agents.

    3. Click the arrow icon to expand the Log Analytics agent instructions.

15. Copy your Workspace ID and either the Primary Key or Secondary Key.

16. Paste the Workspace ID into the Create new connection page.

17. Select Create New.

18. The Send Data page opens. Under the Parameters tab, select the JSON Request Body field, and select the second option.
    
    

19. Select the Dynamic content tab and enter 'Body' in the Search field.
    
    

20. Select the body then select Add.
    
    

21. Provide a new name for the Custom Log Name (e.g. MarketPlace Event)
    
    

22. Select Save.

Integrating Webhooks and Microsoft Sentinel

To integrate webhooks and Microsoft Sentinel, follow these steps.

1. Log in to the Delinea Platform.

2. From the left navigation menu, select Settings, then Webhooks.

3. On the Webhooks page, click Create Webhook.
   
   

4. In the Endpoint URL field, enter the HTTP request URL—an HTTP trigger configured in the Logic App.
   
   

5. Select Save.

6. Verify the configured webhook on the Delinea Platform (see Testing a webhook).

Verifying Logs for the Microsoft Sentinel Webhook

After you have set up the integration, we recommend verifying that the Delinea Platform events are being collected for Azure Sentinel.

1. Log in to the Delinea Platform and perform an activity that will generate a new audit log.

2. Open your Logic App.

3. Select the activity log and verify that logs from the Delinea Platform are triggered automatically.

4. Go to the Sentinel dashboard in the Microsoft Sentinel Portal.

5. From the left navigation menu, select Logs.

   

6. In the query editor, enter the following KQL query:

   MarketPlaceEvents_CL
| order by TimeGenerated desc
| take 10

7. Verify that the log is displayed.