Penfield and Microsoft Sentinel integration

To pull incident data from Microsoft Sentinel, the Sentinel integration must be set up with the Penfield product. This document gives a detailed view of the integration setup.

Microsoft Sentinel account setup

  1. Login to https://portal.azure.com/#home

  2. Navigate to Azure Active Directory

  3. Navigate to App registrations

  4. Click on New Registration

  5. Fill out the form with the following values and then click Register:

    • Choose an appropriate Name as required.
    • Under Supported account types, select the "Accounts in this organizational directory only (<Company Name> only - Single tenant)" option.
    • A Redirect URI is not needed.
  6. Copy the Application (client) ID and the Directory (tenant) ID

  7. Navigate to Certificates & secrets, then click on New client secret

  8. Fill in the fields in the form shown in the side panel, then click Add

  9. Copy the secret value

  10. Assign a role to the registered app.

    • In the Azure portal, go to Subscriptions, select the subscription in which Sentinel is set up, then open Access control (IAM).
    • Click Add > Add role assignment.
    • Select the Microsoft Sentinel Responder role, then go to Members.
    • Under Assign access to, choose User, group, or service principal; under Members on the right, choose the app that was created in step 5 and click Review + assign.
  11. At this step the account setup is complete. Note down the following values, which will be needed later:

    • tenantID - Directory (tenant) ID (step 6)
    • clientID - Application (client) ID (step 6)
    • clientSecret - secret value (step 9)
    • Azure subscription ID where Sentinel is set up
    • Sentinel workspace name
    • Sentinel resource group name
Info: If you are deploying the penfield.ai product as self-service, proceed with the next steps; otherwise send these values to the Penfield team by secure means such as onetimesecret or another secret-management tool you use.

Update Penfield-app configuration

  1. The following values are required to enable this integration. If you have multiple Sentinel instances in different subscriptions, you will need these values for each Sentinel instance. Keep them handy before you proceed further:

    Name                  Description
    name                  Name of the organization that corresponds to this Sentinel instance. Avoid spaces and special characters.
    subscription_id       Subscription ID of the Sentinel instance.
    workspace_name        Workspace name of the Sentinel instance.
    resource_group_name   Resource group name of the Sentinel instance.
    tenant_id             Directory (tenant) ID of the app that has access to the Sentinel instance.
    client_id             Application (client) ID of the app that has access to the Sentinel instance.
    client_secret         Client secret of the app that has access to the Sentinel instance.
  2. Prepare the value of SENTINEL_INSTANCES. The string value is constructed in the format below; replace each VALUE with the corresponding value from the table above, then base64-encode the whole string.

    [{"name": "VALUE(name corresponds to your organization)", "subscription_id": "VALUE", "workspace_name": "VALUE", "resource_group_name": "VALUE", "tenant_id": "VALUE", "client_id": "VALUE", "client_secret": "VALUE"}]
    • If you have multiple Sentinel instances in different subscriptions, you need to do the Sentinel account setup in each subscription (follow all 11 steps above for each account), and the SENTINEL_INSTANCES secret value will look like:
      [{"name": "VALUE1(name corresponds to your organization)", "subscription_id": "VALUE1", "workspace_name": "VALUE1", "resource_group_name": "VALUE1", "tenant_id": "VALUE1", "client_id": "VALUE1", "client_secret": "VALUE1"},{"name": "VALUE2(name corresponds to your organization)", "subscription_id": "VALUE2", "workspace_name": "VALUE2", "resource_group_name": "VALUE2", "tenant_id": "VALUE2", "client_id": "VALUE2", "client_secret": "VALUE2"}]
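The following script is an added example for building and checking the SENTINEL_INSTANCES value; it is not Penfield's own tooling. It takes the seven per-instance fields from the table above, rejects a name containing spaces or special characters, emits the base64-encoded JSON array, and decodes a value back so it can be verified before it is stored as a secret. All sample identifiers are constructed placeholders.

```python
"""Build, validate and base64-encode the SENTINEL_INSTANCES value.

Added example, not Penfield's own code. Field names come from the integration
documentation; the sample values below are constructed placeholders.
"""
import base64
import json
import re

# The seven keys the documentation lists for each Sentinel instance.
REQUIRED_KEYS = (
    "name", "subscription_id", "workspace_name", "resource_group_name",
    "tenant_id", "client_id", "client_secret",
)

# "Avoid spaces and special characters": allow letters, digits, '-' and '_'.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_instance(instance):
    """Raise ValueError if an entry is missing values or has an invalid name."""
    missing = [k for k in REQUIRED_KEYS if not instance.get(k)]
    if missing:
        raise ValueError(f"instance missing values for: {', '.join(missing)}")
    extra = set(instance) - set(REQUIRED_KEYS)
    if extra:
        raise ValueError(f"unexpected keys: {', '.join(sorted(extra))}")
    if not NAME_PATTERN.match(instance["name"]):
        raise ValueError(
            f"name {instance['name']!r} contains spaces or special characters")


def build_sentinel_instances(instances):
    """Return the base64-encoded JSON array expected in SENTINEL_INSTANCES."""
    if not instances:
        raise ValueError("at least one Sentinel instance is required")
    for inst in instances:
        validate_instance(inst)
    raw = json.dumps(list(instances))  # one JSON array, one object per instance
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_sentinel_instances(encoded):
    """Decode a SENTINEL_INSTANCES value and re-validate every entry.

    Use this to check a value before handing it to the deployment."""
    decoded = json.loads(base64.b64decode(encoded, validate=True))
    if not isinstance(decoded, list):
        raise ValueError("SENTINEL_INSTANCES must decode to a JSON array")
    for inst in decoded:
        validate_instance(inst)
    return decoded


# Constructed sample values; none of these are real identifiers or secrets.
SAMPLE_INSTANCES = [
    {
        "name": "contoso-prod",
        "subscription_id": "00000000-0000-0000-0000-000000000001",
        "workspace_name": "contoso-sentinel-ws",
        "resource_group_name": "rg-sentinel-prod",
        "tenant_id": "00000000-0000-0000-0000-0000000000aa",
        "client_id": "00000000-0000-0000-0000-0000000000bb",
        "client_secret": "REPLACE_WITH_CLIENT_SECRET",
    },
]

if __name__ == "__main__":
    encoded = build_sentinel_instances(SAMPLE_INSTANCES)
    print(encoded)
    # Round trip: the stored value must decode to exactly what was built.
    assert decode_sentinel_instances(encoded) == SAMPLE_INSTANCES
```

Base64 is an encoding, not encryption: the encoded string still contains the client secret in recoverable form, so treat the SENTINEL_INSTANCES value with the same care as the secret itself (store it in your secret manager, keep it out of shell history and logs).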
  3. To enable the Sentinel integration in penfield-app, run the command below from the root of the GitHub repo that you cloned previously and follow the instructions.

    # enable integration
    ./run.sh -i