
Penfield and Microsoft Sentinel integration

To pull incident data from Microsoft Sentinel, the Sentinel integration needs to be set up with the Penfield product. This document gives a detailed view of the integration setup.

Microsoft Sentinel account setup


  1. Login to https://portal.azure.com/#home

  2. Navigate to Azure Active Directory (now called Microsoft Entra ID in the portal)

  3. Navigate to App registrations

  4. Click on New registration

  5. Fill out the form with the following values and then click on Register:

    • Choose an appropriate Name as required
    • Under Supported account types, select the Accounts in this organizational directory only (<Company Name> only - Single tenant) option.
    • Redirect URI is not needed.
  6. Copy the Application (client) ID and the Directory (tenant) ID

  7. Navigate to Certificates & secrets, then click on New client secret

  8. Fill in the description and expiry in the side panel and click Add. Note the expiry you pick: the integration stops authenticating when the secret expires, so plan to rotate it before then.

  9. Copy the secret value now; the portal shows it only once.

  10. Assign a role to the registered app.

    • In the Azure portal, go to Subscriptions, select the subscription in which Sentinel is set up, then Access control (IAM)
    • Click Add >> Add role assignment
    • Select the Microsoft Sentinel Responder role, then go to Members.
    • Under Assign access to, choose User, group, or service principal; under Members, select the app created in step 5 and click Review + assign.
    • Assigning the role on the resource group that contains the Sentinel workspace, rather than on the whole subscription, gives the app the same access to Sentinel with a narrower scope.
  11. Account setup is now complete. Note down the following values:

    • tenantID - Directory (tenant) ID (Step 6)
    • clientID - Application (client) ID (Step 6)
    • clientSecret - secret value (Step 9)
    • Azure subscription ID where Sentinel is set up
    • Sentinel workspace name
    • Sentinel resource group name
Info: If you are deploying the penfield.ai product as a self-service, proceed with the next steps. Otherwise, send these values to the Penfield team by a secure means such as onetimesecret or the secret management tool you already use, never by plain e-mail or chat.
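Before handing the values over or wiring them into the cluster, it is worth confirming that the app registration and the role assignment from step 10 actually work against the workspace. The script below is an added example, not part of the original page and not Penfield's own code: it obtains a token with the OAuth2 client-credentials grant and reads one incident from the workspace through the Azure Resource Manager API. The environment variable names it reads are an assumption.

```python
"""Preflight check for the account-setup values above.

Added example, not part of the original page and not Penfield's own code.
It requests a token for the app registration with the OAuth2
client-credentials grant and then reads one incident from the workspace via
the Azure Resource Manager API. HTTP 200 proves that the tenant, client ID
and secret are valid and that the role assignment from step 10 is effective
for that workspace; 403 means the assignment is missing (or still
propagating); 404 means the subscription, resource group or workspace name
is wrong. The environment variable names used in main() are an assumption.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

MGMT = "https://management.azure.com"
API_VERSION = "2023-02-01"  # a stable Microsoft.SecurityInsights API version


def token_url(tenant_id: str) -> str:
    """v2.0 token endpoint of the single-tenant app registration."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form body of the client-credentials grant, scoped to ARM."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MGMT}/.default",
    }).encode()


def incidents_url(subscription_id: str, resource_group: str, workspace: str,
                  top: int = 1) -> str:
    """ARM path of the Sentinel incidents collection of one workspace."""
    return (
        f"{MGMT}/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents"
        f"?api-version={API_VERSION}&$top={top}"
    )


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Exchange the client secret for a bearer token (network call)."""
    req = urllib.request.Request(
        token_url(tenant_id),
        data=token_request_body(client_id, client_secret),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def incident_read_status(token: str, subscription_id: str, resource_group: str,
                         workspace: str) -> int:
    """HTTP status of a minimal incidents read; 200 means RBAC is in place."""
    req = urllib.request.Request(
        incidents_url(subscription_id, resource_group, workspace),
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Assumed variable names; export them from the values noted in step 11.
    keys = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET",
            "SUBSCRIPTION_ID", "RESOURCE_GROUP_NAME", "WORKSPACE_NAME")
    env = {k: os.environ.get(k, "") for k in keys}
    missing = [k for k, v in env.items() if not v]
    if missing:
        sys.exit(f"missing environment variables: {', '.join(missing)}")
    token = fetch_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    status = incident_read_status(token, env["SUBSCRIPTION_ID"],
                                  env["RESOURCE_GROUP_NAME"], env["WORKSPACE_NAME"])
    print(f"incident read returned HTTP {status}")
    sys.exit(0 if status == 200 else 1)
```

Run it once per Sentinel instance with that instance's six values exported; a freshly created role assignment can take a few minutes to propagate, so a 403 right after step 10 is worth retrying before assuming the assignment is wrong.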

Update Penfield-app configuration

  1. The following values are required to enable this integration. If you have multiple Sentinel instances in different subscriptions, you need the same set of values for each instance. Keep them handy before you proceed:

    Name                   Description
    name                   Name of the organization that corresponds to the Sentinel instance. Avoid spaces and special characters.
    subscription_id        Subscription ID of the Sentinel instance.
    workspace_name         Workspace name of the Sentinel instance.
    resource_group_name    Resource group name of the Sentinel instance.
    tenant_id              Directory (tenant) ID of the app that has access to the Sentinel instance.
    client_id              Application (client) ID of the app that has access to the Sentinel instance.
    client_secret          Client secret of the app that has access to the Sentinel instance.
  2. Prepare the value of SENTINEL_INSTANCES. The string is a JSON array in the format below; replace each VALUE with the corresponding value from the table above (escape any double quote or backslash inside a value with a backslash, as JSON requires), then encode the whole string in base64.

    [{"name": "VALUE(name corresponds to your organization)", "subscription_id": "VALUE", "workspace_name": "VALUE","resource_group_name": "VALUE", "tenant_id": "VALUE", "client_id": "VALUE", "client_secret": "VALUE"}]
    • If you have multiple Sentinel instances in different subscriptions, do the Sentinel account setup in each subscription (follow all 11 steps above for each account); the SENTINEL_INSTANCES value then holds one object per instance, for example:
      [{"name": "VALUE1(name corresponds to your organization)", "subscription_id": "VALUE1", "workspace_name": "VALUE1","resource_group_name": "VALUE1", "tenant_id": "VALUE1", "client_id": "VALUE1", "client_secret": "VALUE1"},{"name": "VALUE2(name corresponds to your organization)", "subscription_id": "VALUE2", "workspace_name": "VALUE2","resource_group_name": "VALUE2", "tenant_id": "VALUE2", "client_id": "VALUE2", "client_secret": "VALUE2"}]
  3. Make sure the kubectl context points at the right cluster. Check the current context with kubectl config current-context and switch with kubectl config use-context <context-name>.

  4. Update the helm chart values.yaml file to enable the Sentinel integration. Find the following block and make sure the service and both of its sub-components are enabled (indentation matters in YAML):

    enable Sentinel integration
    # Enable Sentinel integration
    sentinel-inbound-integration:
      enabled: true
      incidentsPull:
        enabled: true
      processing:
        enabled: true
  5. Update the penfield-secrets secret:

    You can either update penfield-secrets through ArgoCD or patch the secret directly with kubectl, depending on how you initially deployed it.

    1. Update using ArgoCD: add the key below to the existing penfield-secrets secret. Values under data: must be base64 encoded, so use the encoded string from step 2 (plain JSON would go under stringData: instead). If you are using a secret manager, you may need to encrypt the value before committing it. Do not forget to replace the VALUEs with the ones from the previous step.

      update penfield-secrets
         data:
           SENTINEL_INSTANCES: BASE64_VALUE   # base64 encoding of: [{"name": "VALUE(name corresponds to your organization)", "subscription_id": "VALUE", "workspace_name": "VALUE","resource_group_name": "VALUE", "tenant_id": "VALUE", "client_id": "VALUE", "client_secret": "VALUE"}]
    2. Update using kubectl:

      update penfield-secrets
         # Set your environment variables; use the values from the previous step.
         # These exports and the patch command leave the client secret in your shell
         # history and, while kubectl runs, in the process list; clear them afterwards.

      export NAME=REPLACE_VALUE
      export SUBSCRIPTION_ID=REPLACE_VALUE
      export WORKSPACE_NAME=REPLACE_VALUE
      export RESOURCE_GROUP_NAME=REPLACE_VALUE
      export TENANT_ID=REPLACE_VALUE
      export CLIENT_ID=REPLACE_VALUE
      export CLIENT_SECRET=REPLACE_VALUE

      # Patch the secret. stringData takes the plain JSON string (no base64 needed;
      # Kubernetes encodes it). A value containing a double quote or backslash
      # breaks this quoting, so escape such characters first. Run the command below:

      kubectl patch secret penfield-secrets -n penfield-app -p='{"stringData":{"SENTINEL_INSTANCES": "[{\"name\": \"'"$NAME"'\", \"subscription_id\": \"'"$SUBSCRIPTION_ID"'\", \"workspace_name\": \"'"$WORKSPACE_NAME"'\", \"resource_group_name\": \"'"$RESOURCE_GROUP_NAME"'\", \"tenant_id\": \"'"$TENANT_ID"'\", \"client_id\": \"'"$CLIENT_ID"'\", \"client_secret\": \"'"$CLIENT_SECRET"'\"}]"}}'
  6. Update the deployment:

    If you are using ArgoCD, you can update the deployment by merging the changes to your version control.

    If you are using helm, you can update the deployment by running the following command:

    helm upgrade \
    --install penfield-app penfieldai/penfieldai \
    --namespace penfield-app \
    --values penfield-values.yaml
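The manual substitution in steps 2 and 5 is fragile: a client secret containing a double quote or backslash corrupts the JSON, the closing brackets are easy to get wrong by hand, and the base64 step is skipped or applied to the wrong form. The script below is an added example, not part of the original page and not Penfield's own code. It validates the seven fields from the table in step 1, serialises them with json.dumps, and produces the base64 value for a data: entry, the Secret manifest for the ArgoCD path, and the -p payload for kubectl patch. SAMPLE holds constructed placeholder values, and the instances.json file name in the usage is an assumption.

```python
"""Build SENTINEL_INSTANCES and the secret payloads used in step 5.

Added example, not part of the original page and not Penfield's own code.
It validates the seven fields from the step 1 table, serialises them with
json.dumps (which escapes quotes and backslashes correctly), and produces
the base64 value for a data: entry, a Secret manifest, and the -p payload
for kubectl patch. SAMPLE holds constructed placeholders, not real
identifiers or secrets.
"""
import base64
import json
import re
import uuid

REQUIRED = ("name", "subscription_id", "workspace_name", "resource_group_name",
            "tenant_id", "client_id", "client_secret")
# The page asks for names without spaces or special characters.
NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
GUID_FIELDS = ("subscription_id", "tenant_id", "client_id")


def validate_instance(inst: dict) -> dict:
    """Return a copy holding exactly the required keys, or raise ValueError."""
    missing = [k for k in REQUIRED if not inst.get(k)]
    if missing:
        raise ValueError(f"instance {inst.get('name')!r} is missing {missing}")
    if not NAME_RE.match(inst["name"]):
        raise ValueError(f"name {inst['name']!r} must be alphanumeric only")
    for key in GUID_FIELDS:
        uuid.UUID(inst[key])  # raises ValueError if the ID is not a GUID
    return {k: inst[k] for k in REQUIRED}


def is_valid_instance(inst: dict) -> bool:
    try:
        validate_instance(inst)
        return True
    except ValueError:
        return False


def sentinel_instances_json(instances) -> str:
    """The JSON array string from step 2, one object per Sentinel instance."""
    return json.dumps([validate_instance(i) for i in instances],
                      separators=(",", ":"))


def secret_data_value(instances) -> str:
    """Base64 form, for a data: entry of the penfield-secrets Secret."""
    return base64.b64encode(sentinel_instances_json(instances).encode()).decode()


def secret_manifest(instances, name="penfield-secrets", namespace="penfield-app") -> dict:
    """A Secret manifest for the ArgoCD path (encrypt it before committing)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"SENTINEL_INSTANCES": secret_data_value(instances)},
    }


def kubectl_patch_payload(instances) -> str:
    """Argument for `kubectl patch secret ... -p`; stringData takes plain text."""
    return json.dumps({"stringData": {"SENTINEL_INSTANCES": sentinel_instances_json(instances)}})


def decode_secret_data(value: str) -> list:
    """What the pod sees after Kubernetes decodes the data: entry."""
    return json.loads(base64.b64decode(value))


def instances_from_patch(payload: str) -> list:
    """Parse a patch payload back into the instance list (round-trip check)."""
    return json.loads(json.loads(payload)["stringData"]["SENTINEL_INSTANCES"])


SAMPLE = [{  # constructed placeholders
    "name": "acme",
    "subscription_id": "00000000-0000-0000-0000-000000000001",
    "workspace_name": "acme-sentinel-ws",
    "resource_group_name": "rg-sentinel",
    "tenant_id": "00000000-0000-0000-0000-000000000002",
    "client_id": "00000000-0000-0000-0000-000000000003",
    "client_secret": 'not~a\\real"secret',  # quote and backslash on purpose
}]


if __name__ == "__main__":
    import sys
    # Pass a JSON file with the instance list (kept outside version control),
    # or run without arguments to see the payload built from SAMPLE.
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(kubectl_patch_payload(src))
```

With the instance list in a file outside the repository, the kubectl path becomes kubectl patch secret penfield-secrets -n penfield-app -p "$(python3 build_sentinel_secret.py instances.json)", which keeps the client secret out of shell history; for the ArgoCD path, print secret_manifest(...) instead and run it through whatever encryption your secret manager expects before committing.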