Overview
To view Microsoft Sentinel logs through the Logsign Unified SecOps Platform product, you will need to perform some configurations.
First, enter the link you have for Microsoft Sentinel. You are expected to be an authorized user who can access the management panel and take actions.
Prerequisites
- Logsign Unified SecOps Platform version 6.4.31 or later is required for this integration.
Configure On Microsoft Sentinel
Log in with the administrator account and open the API Keys field from the menu under your name in the upper right corner of the application.
First, switch to the Microsoft Entra ID area from the menu on the left or from the search bar at the top.
Click the Add button on the screen that appears and select App registration from the options offered.
On the next screen, type the name you want to give the application and select the Account Type option as shown.
After registering, you can see application specific information.
The client ID and tenant ID found here will be required during the resource addition phase.
Then, under Manage in the application's left menu, click Certificates & secrets.
At this stage we need to create a client secret.
Secret ID will be required at the source addition stage.
Copy the Value of the client secret immediately and store it securely.
Next, move to the API permissions section.
On this screen, click the APIs my organization uses tab, select Log Analytics and grant the required permission.
Then click Grant admin consent to approve the permissions for your organization.
The values collected so far are entered later on the source addition screen.
Now go to the Log Analytics workspaces tab and create a workspace or select an existing one.
The workspace ID shown here is also needed when adding the source.
After these operations, we need to authorize the application we created. For this process, we click on the Access control (IAM) tab in the left menu and enter the Add role assignment field by clicking Add from the top. In the list that comes up, select Log Analytics Reader and click next.
In the window that appears, select the User, group, or service principal tab and click Select Members to search for and select our previously saved application.
Once the role assignment is saved, the application is authorized and you can proceed to the source addition phase.
Log into Logsign Unified SecOps Platform and click the Settings option in the top menu. In the window that opens, click "Data Collection" on the left side to view the sources already added to Logsign Unified SecOps Platform. Click the "+ Device" option on the right side to begin adding a source.
On the add source page, enter the values collected above, select the Log Start Date and save the source. The further back the Log Start Date is set, the longer the initial collection takes, so current logs appear only after the backlog has been fetched.
The fields with the requested information are indicated below.
- Client ID: App registration field
- Client Secret Value: App registration > Certificates & secrets field
- Scope: https://api.loganalytics.io/.default
- Workspace ID: Home > Log Analytics workspaces
- Tenant ID: App registration field
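Before entering these values in Logsign, it is worth confirming that the app registration, secret, scope and Log Analytics Reader role all work together. The script below is an added example, not Logsign's or Microsoft's own code: it requests a token with the client-credentials grant against the Entra ID token endpoint and runs a minimal KQL query through the Log Analytics query API (both endpoint URLs are assumptions based on the public APIs, not taken from this page), mapping the usual failures back to the setup step to revisit. The placeholder values must be replaced with the ones collected above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoints assumed from the public Entra ID and Log Analytics APIs (not from this page).
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
SCOPE = "https://api.loganalytics.io/.default"  # exactly the scope listed in the field table


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth2 client-credentials grant."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret's Value, not its Secret ID
        "scope": SCOPE,
    })
    return TOKEN_URL.format(tenant_id=tenant_id), body


def build_query_request(workspace_id, access_token, kql):
    """Return (url, headers, JSON body) for a Log Analytics workspace query."""
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/json"}
    return QUERY_URL.format(workspace_id=workspace_id), headers, json.dumps({"query": kql})


def check_access(tenant_id, client_id, client_secret, workspace_id, kql="Heartbeat | take 1"):
    """Acquire a token, run a tiny query, and report which setup step to revisit on failure."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.URLError as e:  # HTTPError is a subclass, so 400/401 land here too
        return False, "token request failed (%s): check tenant ID, client ID and secret value" % getattr(e, "code", e.reason)
    url, headers, payload = build_query_request(workspace_id, token, kql)
    req = urllib.request.Request(url, data=payload.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return True, "query ok, %d table(s) returned" % len(json.load(resp).get("tables", []))
    except urllib.error.URLError as e:
        if getattr(e, "code", None) == 403:
            return False, "403: Log Analytics Reader role assignment missing or not yet propagated"
        return False, "query failed (%s): check workspace ID" % getattr(e, "code", e.reason)


if __name__ == "__main__":
    # Placeholders: replace with the values collected in the steps above.
    ok, msg = check_access("<tenant-id>", "<client-id>", "<client-secret-value>", "<workspace-id>")
    print("OK" if ok else "FAIL", "-", msg)
```

A 200 response with at least one table confirms the credentials and role are correct; a 403 on the query while the token request succeeded usually means the role assignment step was skipped or has not propagated yet.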