# Microsoft Sentinel

## Microsoft Sentinel

{% hint style="success" %}
Microsoft Sentinel is a SIEM integration. SIEM integrations are used to analyze SIEM-generated alerts and/or to use the data the SIEM generates as part of investigation analysis.

Note that this is different from Microsoft 365/Microsoft Defender.
{% endhint %}

The Dropzone platform integrates with the [Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/) SIEM. Many customers ingest other alert sources into Microsoft Sentinel (e.g. IDPs) and integrate Dropzone with Microsoft Sentinel rather than with the source systems.

### Integration Overview

To enable these integrations you will perform the following actions:

* Register a new application in Microsoft Entra Admin
* Locate your Client ID, Tenant ID, and create a Client Secret
* Assign necessary API permissions to the application
* Assign roles to the application in Microsoft Sentinel
* Locate your Workspace Name and Workspace ID

See the [Microsoft Integrations](/integrations/data/ms_data.md) page for instructions on how to register a new application, locate your Client ID and Tenant ID, and create a Client Secret.

### Set Application Permissions

General instructions on how to assign API permissions to the application can be found in the [Microsoft Integrations](/integrations/data/ms_data.md) page.

Enabling Microsoft Sentinel requires the following APIs and permissions:

| API             | Permissions               |
| --------------- | ------------------------- |
| Log Analytics   | `Data.Read`               |
| Microsoft Graph | `SecurityEvents.Read.All` |

To add the Log Analytics API, do the following:

* In the API permissions page, click "Add a permission"
* Navigate to "APIs my organization uses"
* In the search bar, input "Log Analytics API," and select it

<figure><img src="/files/y0lNbvqOTCACuono7Rwu" alt=""><figcaption><p>Select Log Analytics API</p></figcaption></figure>

* Click "Application permissions"
* In the search bar, input "Data.Read" and select it. Click "Add permissions"

<figure><img src="/files/QLuZAWYsOXpDpFzQgfzO" alt=""><figcaption><p>Add the Data.Read permission</p></figcaption></figure>

* Once back in the Application API permissions page, click "Grant admin consent for \[mycompany.net]"

<figure><img src="/files/nKTcgGobOtW8J851R42c" alt=""><figcaption><p>Grant admin consent</p></figcaption></figure>

* Click "Yes"

<figure><img src="/files/6t1bTqpO5FLj1cjlgnEu" alt=""><figcaption><p>Grant admin consent</p></figcaption></figure>

If your integration requires access to security alerts via Microsoft Graph, do the following:

* In the API permissions page, click "Add a permission"
* Under the Microsoft API header, select "Microsoft Graph"

<figure><img src="/files/7ucvU7fOJt0pTZQNDMws" alt=""><figcaption><p>Select Microsoft Graph</p></figcaption></figure>

* Click "Application permissions"
* Check the permission "SecurityEvents.Read.All," then click "Add permissions"

<figure><img src="/files/jVxcXTcAFR4E5p05pFCS" alt=""><figcaption><p>Add the SecurityEvents.Read.All permission</p></figcaption></figure>

* Once back in the Application API permissions page, click "Grant admin consent for \[mycompany.net]"

<figure><img src="/files/nKTcgGobOtW8J851R42c" alt=""><figcaption><p>Grant admin consent</p></figcaption></figure>

* Click "Yes"

<figure><img src="/files/6t1bTqpO5FLj1cjlgnEu" alt=""><figcaption><p>Grant admin consent</p></figcaption></figure>
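To confirm that the consented application permissions match the table above and nothing broader was granted, you can inspect the `roles` claim of an app-only access token issued to the application. The following is an added example, not Dropzone's code; `audit_permissions` and `sample_token` are hypothetical helper names, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Application permissions this page asks for, per API (from the table above).
EXPECTED = {
    "Log Analytics": {"Data.Read"},
    "Microsoft Graph": {"SecurityEvents.Read.All"},
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_permissions(token: str, api: str) -> dict:
    """Compare the token's app-only `roles` claim with what the page requires."""
    granted = set(jwt_claims(token).get("roles", []))
    expected = EXPECTED[api]
    return {
        "missing": sorted(expected - granted),  # admin consent not granted yet
        "extra": sorted(granted - expected),    # broader than the integration needs
    }

def sample_token(roles):
    """Build a constructed, unsigned sample token; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"roles": roles}), "sig"])

if __name__ == "__main__":
    # Constructed inputs: a correctly scoped token, an over-privileged one,
    # and one issued before admin consent was granted.
    ok = sample_token(["Data.Read"])
    wide = sample_token(["SecurityEvents.Read.All", "Directory.ReadWrite.All"])
    print(audit_permissions(ok, "Log Analytics"))
    print(audit_permissions(wide, "Microsoft Graph"))
    print(audit_permissions(sample_token([]), "Microsoft Graph"))
```

An empty `missing` list and an empty `extra` list mean the application holds exactly the permissions listed in the table for that API.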

### Assign Roles in Microsoft Sentinel

To allow the application to access Microsoft Sentinel data, you must assign the application roles based on your desired access level.

* Navigate to [your Azure portal](https://portal.azure.com)
* Under the "Azure Services" heading, navigate to Microsoft Sentinel

<figure><img src="/files/KQBmhRjA7BMpTWzW7a1g" alt=""><figcaption><p>Navigate to Microsoft Sentinel</p></figcaption></figure>

* Select the Log Analytics Workspace you wish to analyze

<figure><img src="/files/CI94g8EcSk2jpupwdQYV" alt=""><figcaption><p>Select your workspace</p></figcaption></figure>

* Navigate to Configuration > Settings

<figure><img src="/files/rUuELoLWHKh310WXozqe" alt=""><figcaption><p>Navigate to Settings</p></figcaption></figure>

* Click on "Workspace settings"

<figure><img src="/files/s8i3MWmkqgG49GpHRbVD" alt=""><figcaption><p>Click on Workspace settings</p></figcaption></figure>

* Navigate to "Access control (IAM)"

<figure><img src="/files/2YPqtg5kekYZvCn2bRzg" alt=""><figcaption><p>Click on Access control (IAM)</p></figcaption></figure>

* Select Add > Add role assignment

<figure><img src="/files/ihAPqecFisIRxjncGWo8" alt=""><figcaption><p>Add a role assignment</p></figcaption></figure>

* Select a [role](https://learn.microsoft.com/en-us/azure/sentinel/roles) based on your desired access level:
  * Read-only access: Log Analytics Reader or Microsoft Sentinel Reader
  * Read and write access: Microsoft Sentinel Responder or Microsoft Sentinel Contributor

{% hint style="info" %}
If you wish to enable Ticket Sync, you must assign the application a Read and write access role.
{% endhint %}

<figure><img src="/files/9kQV6HNPCiYEW8V95rOX" alt=""><figcaption><p>Select your role</p></figcaption></figure>

{% hint style="info" %}
For the purpose of this documentation, the Log Analytics Reader role has been selected.
{% endhint %}

* Once you have selected your role, click "Members"
* Next to "Assign access to," select "User, group, or service principal"
* Click "Select members"

<figure><img src="/files/fgggpOPjLbOrpyFz1Wbl" alt=""><figcaption><p>Click Select members</p></figcaption></figure>

* Search for your application (such as Dropzone AI Sentinel Integration) and click "Select"

<figure><img src="/files/YMoN05jrevkVCfe0F6XY" alt=""><figcaption><p>Assign members</p></figcaption></figure>

* In the bottom left hand corner, click "Review + assign" twice

<figure><img src="/files/b9FRKrRs2rNSOo88FaCr" alt=""><figcaption><p>Click Review + assign</p></figcaption></figure>

### Workspace IDs

To obtain your Workspace Name and Workspace ID, do the following:

* Navigate to [your Azure portal](https://portal.azure.com)
* Under the "Azure Services" heading, navigate to Microsoft Sentinel

<figure><img src="/files/P5OIltBBJg5by3nLF3cc" alt=""><figcaption><p>Navigate to Microsoft Sentinel</p></figcaption></figure>

* Select the Workspace you wish to analyze

<figure><img src="/files/CI94g8EcSk2jpupwdQYV" alt=""><figcaption><p>Select your workspace</p></figcaption></figure>

* In the left sidebar, navigate to Configuration > Settings

<figure><img src="/files/rUuELoLWHKh310WXozqe" alt=""><figcaption><p>Navigate to settings</p></figcaption></figure>

* Click on "Workspace Settings"

<figure><img src="/files/s8i3MWmkqgG49GpHRbVD" alt=""><figcaption><p>Click on Workspace settings</p></figcaption></figure>

* Copy the Workspace ID, Subscription ID, and Resource Group shown for use later in the Dropzone UI

<figure><img src="/files/KWLIc6NYPEhdIS0KC6DI" alt=""><figcaption><p>Copy the integration details</p></figcaption></figure>

## Enable Microsoft Sentinel

To enable the Data Source integration, you will need the following information:

| Dropzone Field  | Source                                 |
| --------------- | -------------------------------------- |
| Client ID       | The Application ID copied earlier      |
| Tenant ID       | The Directory ID copied earlier        |
| Client Secret   | The Client Secret Value copied earlier |
| Workspace ID    | The Workspace ID copied earlier        |
| Subscription ID | The Subscription ID copied earlier     |
| Resource Group  | The Resource group copied earlier      |

To enable the Data Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https\://*mycompany*.dropzone.app
* In the bottom right corner, navigate to Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Microsoft Sentinel, then click "Configure"

<figure><img src="/files/tJDymzu1jtTXP4KMgrdy" alt=""><figcaption><p>The Microsoft Sentinel Tile</p></figcaption></figure>

* Under the Data Source heading, input the Client ID, Tenant ID, and Client Secret

<figure><img src="/files/yoOQUPzCQq3YUQUUbroI" alt=""><figcaption><p>The Microsoft Sentinel Data Integration pt 1</p></figcaption></figure>

* Under the Workspaces heading, click "Add item." Input the details of your workspace, then click "Add item" again

<figure><img src="/files/AgAwwN2WnhJUC0kgRfUR" alt=""><figcaption><p>The Microsoft Sentinel Data Integration pt 2</p></figcaption></figure>

* Click "Test & Save" to finish

If you encounter any errors, contact your Dropzone AI support representative.

