# Azure Sentinel SIEM

## Overview <a href="#overview" id="overview"></a>

Oort’s platform can tie into the existing Sentinel workflows that Security Teams commonly use. This document walks you through creating the App Registration, data collection endpoint, custom log table and data collection rule in Azure AD / Azure Monitor, and then configuring the matching integration in the Oort console.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FXDqPLRoUzXeGsniRHCJc%2FSCR-20230323-ijeg.png?alt=media&#x26;token=b0c7b00a-6e6a-46af-99bb-e59127bb3c6f" alt="SIEM Integration - Azure Sentinel"><figcaption><p>SIEM Integration - Azure Sentinel</p></figcaption></figure>

For more information, see this short overview video:

{% embed url="https://youtu.be/GxLD6Oea3zw" %}

## Azure Sentinel Integration - High-level Steps <a href="#azure-ad-sso-integration-1" id="azure-ad-sso-integration-1"></a>

This article follows the Microsoft Azure Sentinel tutorial - [Send data to Azure Monitor Logs by using a REST API (Azure Portal)](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#configure-application).

The following items will be needed to complete the integration inside of the Oort Console:

* [ ] Name / Description - (What Azure Sentinel instance are you connecting to?)
* [ ] Directory (tenant) ID
* [ ] Application (client) ID
* [ ] Application (client) Secret
* [ ] Logs ingestion Endpoint URI
* [ ] Custom Log Table Name
* [ ] Data Collection Rule Immutable ID

The sections below go into more detail on each of the steps.

## Azure Sentinel Configuration

1. Configure Azure application registration to authenticate against the API, [follow the instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#configure-application). \
   \
   Note the **Application (client) ID**, **Directory (tenant) ID** and **secret value** for further setup.<br>
2. Create data collection endpoint, [follow the instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#create-data-collection-endpoint). \
   \
   Note the **Logs ingestion URI** for further setup.<br>
3. Add a custom log table, [follow the instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#create-new-table-in-log-analytics-workspace). Note the **table name** for further setup and be aware that Azure automatically appends `_CL` to the name you enter. The full name, including the `_CL` suffix, is needed later.<br>
4. After clicking **Next**, the next step is to parse and filter a sample data set. In the Schema and transformation screen, review the [Microsoft instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#parse-and-filter-sample-data) as a ***reference***, then complete the process **using the data and steps below**. \
   \
   <mark style="color:orange;">**Do not use the sample data and transform code provided in the Microsoft article. Use the steps below.**</mark> \
   \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FIjh4l1TVAK7j2EkIts5K%2Fimage.png?alt=media\&token=dae338b5-9311-478e-89fe-e6609109b7b4)

   1. Save the content of this block to a local file, or download the sample_data file linked below. NOTE - this step is done outside of the Azure console.

   ```json
   [{
       "activity": "END_USER__CHECK_FAILED",
       "targetResourceIds": {
           "checkId": "no-mfa",
           "login": "ciuser-noreply+cnt-dev-1661195950711@oort.io",
           "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"]
       },
       "lastModified": "2022-11-02T12:28:07.850Z"
   }]
   ```

{% file src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FSz1egagprxoIYw0X1JhO%2FSentinel_sample_data_Oort.json?alt=media&token=fb6a8bfe-4286-4ac8-8976-93e1891a810b" %}

   2. Click **Browse for files** and select the file saved in the previous step.
   3. Data from the sample file is displayed with a warning that a `TimeGenerated` column is not in the data. \
      ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FRZ802vMZUDccqljhM1SM%2Fimage.png?alt=media\&token=cee678cd-901d-4f9d-b864-b98848e602d2)\
      \
      Click **Transformation editor** to open the transformation and paste the content of the block below (note that `source` is already present in the editor UI):<br>

      ```kql
      source
      | extend TimeGenerated = todatetime(['lastModified'])
      | project-rename activityDate = lastModified
      ```

      \
      ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2Ftk5CXbMFbZ0pjnZRBPNq%2Fimage.png?alt=media\&token=6b8a2b10-034e-410f-94b3-9d4eadc98564)
   4. Click **Run** to view the results, click **Apply** to save the transformation, **Next** to get to the Review tab, and click **Create** to save the custom log.\
      ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F7weJa2EtdXgykWr0TQNZ%2Fimage.png?alt=media\&token=8759727c-6ef4-437c-a8a9-5e6370ac1d7e)\
      ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FpaBSdWd6SfOd80hrSYIg%2Fimage.png?alt=media\&token=0ca5a43c-06ee-4996-a51b-856452d9a4be)
5. To collect information from the data collection rule (DCR), [follow the instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#collect-information-from-the-dcr). \
   \
   Note **`immutableId`** for further setup.
6. Next, assign permissions to the DCR, [follow the instructions](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal?source=recommendations#assign-permissions-to-the-dcr). \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FQDqNsy9uEWAqeV3JiRY1%2Fimage.png?alt=media\&token=451062b8-9632-4ceb-bf20-87d613a62a7b)\
   \
   In the end, you will see your App Registration as a Monitoring Metrics Publisher under the Role Assignments tab. \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F5xYDMaZrw6CnvgzaP8QH%2Fimage.png?alt=media\&token=7d876d36-c3db-42c9-8ee3-ffba66d13827)

### Azure Configuration Summary

After the setup above, you will have the following components in your Azure tenant. These objects will be used to set up the corresponding Sentinel SIEM integration in Oort:

* App registration (client ID, client secret, tenant ID)
* Logs Ingestion Endpoint URI from the data collection endpoint (DCE) to receive data over HTTP
* Data collection rule (DCR) immutable Id
* Custom table name in Log Analytics workspace (including the `_CL` suffix)
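The four components above map directly onto the Logs Ingestion API that Oort calls on your behalf: the app registration authenticates with client credentials, and the DCE URI, DCR immutable ID and table name together form the ingestion URL. The script below, added here as an illustration and not Oort's or Microsoft's code, checks the collected values for the usual mistakes (missing `_CL` suffix, non-GUID IDs), previews locally what the DCR transformation from step 4 does to the sample record, and can optionally POST that record to your DCE the same way a connectivity test would. Every value in `EXAMPLE_CONFIG`, including the `OortCheckFailures_CL` table name and the DCE hostname, is a constructed placeholder; the `OORT_SENTINEL_*` environment variable names are this example's own convention.

```python
"""Check the collected Sentinel integration values and preview the DCR transformation.
Added example, not Oort's or Microsoft's code. All config values are constructed
placeholders; only send_records() (gated behind OORT_SENTINEL_SEND=1) touches the network."""
import json
import os
import re
import urllib.parse
import urllib.request
from datetime import datetime

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed placeholders standing in for the checklist items (none of these are real).
EXAMPLE_CONFIG = {
    "tenant_id": "00000000-0000-0000-0000-000000000001",
    "client_id": "00000000-0000-0000-0000-000000000002",
    "client_secret": "placeholder-secret",
    "ingestion_uri": "https://example-dce.eastus-1.ingest.monitor.azure.com",
    "table_name": "OortCheckFailures_CL",   # assumed name; yours comes from step 3
    "dcr_immutable_id": "dcr-0123456789abcdef0123456789abcdef",
}

# The sample record from this page, used for the transformation preview and as a test payload.
SAMPLE_RECORDS = [{
    "activity": "END_USER__CHECK_FAILED",
    "targetResourceIds": {
        "checkId": "no-mfa",
        "login": "ciuser-noreply+cnt-dev-1661195950711@oort.io",
        "userIds": ["28a8cf1a-9ff8-457c-8049-1dee4caa3177"],
    },
    "lastModified": "2022-11-02T12:28:07.850Z",
}]


def validate_config(cfg):
    """Return a list of problems with the collected values; an empty list means they look usable."""
    problems = []
    for key in ("tenant_id", "client_id"):
        if not GUID_RE.match(cfg.get(key, "")):
            problems.append(f"{key} is not a GUID")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty")
    if not cfg.get("ingestion_uri", "").startswith("https://"):
        problems.append("ingestion_uri must be the https Logs ingestion URI of the DCE")
    if not cfg.get("table_name", "").endswith("_CL"):
        problems.append("table_name must include the _CL suffix Azure appends")
    if not cfg.get("dcr_immutable_id", "").startswith("dcr-"):
        problems.append("dcr_immutable_id should be the DCR immutableId (dcr-...)")
    return problems


def build_ingestion_url(ingestion_uri, dcr_immutable_id, table_name):
    """Logs Ingestion API URL; the stream that feeds a custom table is named Custom-<table>_CL."""
    return (f"{ingestion_uri.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table_name}?api-version=2023-01-01")


def build_token_request(cfg):
    """Client-credentials token request (built, not sent) for the Azure Monitor scope."""
    url = f"https://login.microsoftonline.com/{cfg['tenant_id']}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "scope": "https://monitor.azure.com/.default",
    }
    return url, urllib.parse.urlencode(form).encode()


def apply_transformation(records):
    """Local preview of the KQL pasted into the transformation editor:
    TimeGenerated = todatetime(lastModified), then lastModified is renamed to activityDate."""
    rows = []
    for rec in records:
        row = dict(rec)
        stamp = row.pop("lastModified")
        datetime.fromisoformat(stamp.replace("Z", "+00:00"))  # rejects malformed timestamps
        row["TimeGenerated"] = stamp
        row["activityDate"] = stamp
        rows.append(row)
    return rows


def send_records(cfg, records):
    """Acquire a token and POST the records to the DCE; returns the HTTP status (204 on success)."""
    url, body = build_token_request(cfg)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        build_ingestion_url(cfg["ingestion_uri"], cfg["dcr_immutable_id"], cfg["table_name"]),
        data=json.dumps(records).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Real values come from environment variables so the client secret never lands in a file.
    cfg = {k: os.environ.get("OORT_SENTINEL_" + k.upper(), v) for k, v in EXAMPLE_CONFIG.items()}
    issues = validate_config(cfg)
    if issues:
        raise SystemExit("\n".join(issues))
    print(json.dumps(apply_transformation(SAMPLE_RECORDS), indent=2))
    if os.environ.get("OORT_SENTINEL_SEND") == "1":
        print("HTTP", send_records(cfg, SAMPLE_RECORDS))
```

Run it with the `OORT_SENTINEL_*` variables set to verify the values before entering them in the Oort console; a 204 response means the app registration's Monitoring Metrics Publisher assignment on the DCR (step 6) and the stream name both resolve. The app registration needs only that one role on that one DCR, so keep it at that scope, and treat the client secret like any other credential: store it in a secret manager, rotate it before it expires, and remove it from the environment once the integration is saved.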

## Oort Tenant Configuration for Sentinel

Within your Oort console, follow these steps to configure your Sentinel integration.

1. On the Integrations page, click Add Integration and scroll to the bottom of the page to select Azure Sentinel. \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FuDxIyYDmlxS8QkShUMYv%2Fimage.png?alt=media\&token=940ab111-48ed-4bef-a758-620ff3dc3904)
2. Enter the information collected as shown below - \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FKViSoj2dGj2ruHr0SwfF%2Fimage.png?alt=media\&token=e65ace1c-92e3-43e2-b7e6-dd3035750a05)
   1. Name - for display purposes only
   2. Description (optional)
   3. Azure directory (tenant) ID
   4. App (client) ID
   5. App (client) secret
   6. Logs Ingestion Endpoint URI - this is a property of the data collection endpoint (DCE) created above
   7. Custom log table name
   8. DCR Immutable ID - this is found in the **JSON View** of the DCR
3. Click Save
4. On the Integrations page, click the 3-dot menu for the Sentinel integration and select Test Connectivity.  \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FWGX680qXKoT1mmOX4jK8%2Fimage.png?alt=media\&token=c749761b-fc7f-405c-bcbf-87fb864b6c79)

## Viewing your Oort logs in Azure Sentinel

By default, your Oort tenant will send **all** new Check failures for all checks to your Azure Sentinel custom table once every 24 hours.

To generate and send any new check failures immediately, rather than waiting for the next scheduled data collection and analysis, do the following:

1. From the Integrations page, manually run collection from your Azure data integration using the **Collect Now** option.\
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2F2Xrv9lKRQQjZGX5AIObI%2Fimage.png?alt=media\&token=34a29813-5d67-4dff-8508-2bd884411bd0)
2. After that completes, from the Checks page, select **Run Checks Now**\
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FRVV0pzubzYbWDIsdMYUD%2Fimage.png?alt=media\&token=f8bff03d-eb07-49bd-9ff7-7b2df628ba92)

To view your logs in Azure Sentinel, do the following:

1. Navigate to your Azure Sentinel instance that contains the configuration you created for this integration.
2. Select **Logs** in the left nav pane.
3. Under **Queries**, run a new query with the name of the custom table created for this purpose. \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FmhQMKp8U3XTM6KBtBbmT%2Fimage.png?alt=media\&token=8029bddd-7aea-42ee-9ed1-dda87e653294)
4. The Results will show the most recent check failures from your Oort tenant.
5. Expand individual rows of the results table to see details for each item. \
   ![](https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FFHMDzwUh5Uu33o9o8XvB%2Fimage.png?alt=media\&token=d029d17b-dab3-4ee5-afcd-6096cfda9fbe)

