Microsoft Sentinel
This is a combined document for enabling the Dropzone AI Data Source and Alert Source for Microsoft Sentinel. Note that this integration is different from the Microsoft 365/Microsoft Defender integration.
Microsoft Sentinel is a SIEM integration. SIEM integrations are used to analyze alerts generated by the SIEM and/or to use the data it holds as part of investigation analysis.
The Dropzone platform integrates with your SIEM. Many customers ingest other alert sources (e.g. IDPs) into Microsoft Sentinel and integrate Dropzone with Microsoft Sentinel rather than with each source system.
To enable these integrations you will perform the following actions:
1. Register a new application in Microsoft Entra Admin
2. Locate your Client ID and Tenant ID, and create a Client Secret
3. Assign the necessary API permissions to the application
4. Assign roles to the application in Microsoft Sentinel
5. Locate your Workspace Name and Workspace ID
See the page for instructions on how to register a new application, locate your Client ID and Tenant ID, and to create a Client Secret.
General instructions on how to assign API permissions to the application can be found in the page.
Enabling MS Sentinel requires the following APIs and permissions:
- Log Analytics: Data.Read
- Microsoft Graph: SecurityEvents.Read.All
To add the Log Analytics API, do the following:
1. In the API permissions page, click "Add a permission"
2. Navigate to "APIs my organization uses"
3. In the search bar, input "Log Analytics API," and select it
4. Click "Application permissions"
5. In the search bar, input "Data.Read" and select it. Click "Add permissions"
6. Once back in the Application API permissions page, click "Grant admin consent for [mycompany.net]"
7. Click "Yes"
If your integration requires access to security alerts via Microsoft Graph, do the following:
1. In the API permissions page, click "Add a permission"
2. Under the Microsoft API header, select "Microsoft Graph"
3. Click "Application permissions"
4. Check the permission "SecurityEvents.Read.All," then click "Add permissions"
5. Once back in the Application API permissions page, click "Grant admin consent for [mycompany.net]"
6. Click "Yes"
To allow the application to access Microsoft Sentinel data, you must assign it roles that match your desired access level.
1. Under the "Azure Services" heading, navigate to Microsoft Sentinel
2. Select the Log Analytics Workspace you wish to analyze
3. Navigate to Configuration > Settings
4. Click on "Workspace settings"
5. Navigate to "Access control (IAM)"
6. Select Add > Add role assignment
7. Select a role based on your desired access level:
   - Read-only access: Log Analytics Reader or Microsoft Sentinel Reader
   - Read and write access: Microsoft Sentinel Responder or Microsoft Sentinel Contributor
8. Once you have selected your role, click "Members"
9. Next to "Assign access to," select "User, group, or service principal"
10. Click "Select members"
11. Search for your application (such as Dropzone AI Sentinel Integration) and click "Select"
12. In the bottom left hand corner, click "Review + assign" twice
To obtain your Workspace Name and Workspace ID, do the following:
1. Under the "Azure Services" heading, navigate to Microsoft Sentinel
2. Select the Workspace you wish to analyze
3. In the left sidebar, navigate to Configuration > Settings
4. Click on "Workspace Settings"
5. Copy the Workspace ID, Subscription ID, and Resource Group shown for use later in the Dropzone UI
To enable the Data Source integration, you will need the following information:
- Client ID: the Application ID copied earlier
- Tenant ID: the Directory ID copied earlier
- Client Secret: the Client Secret Value copied earlier
- Workspace ID: the Workspace ID copied earlier
- Subscription ID: the Subscription ID copied earlier
- Resource Group: the Resource Group copied earlier
To enable the Data Source integration, do the following:
1. Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app
2. In the bottom right corner, navigate to Settings > Integrations
3. Click "Available"
4. In the Search bar, search for Microsoft Sentinel, then click "Configure"
5. Under the Data Source heading, input the Client ID, Tenant ID, and Client Secret
6. Under the Workspaces heading, click "Add item." Input the details of your workspace, then click "Add item" again
7. Click "Test & Save" to finish
If you have any errors, engage your Dropzone AI support representative.
To enable the Alert Source integration, you will need the following information:
- Client ID: the Application ID copied earlier
- Tenant ID: the Directory ID copied earlier
- Client Secret: the Client Secret Value copied earlier
- Workspace ID: the Workspace ID copied earlier
- Subscription ID: the Subscription ID copied earlier
- Resource Group: the Resource Group copied earlier
To enable the Alert Source integration, do the following:
1. Navigate to your Dropzone AI tenant home page, e.g. https://mycompany.dropzone.app
2. In the bottom right corner, navigate to Settings > Integrations
3. Click "Available"
4. In the Search bar, search for Microsoft Sentinel, then click "Configure"
5. Under the Alert Source heading, input the Client ID, Tenant ID, and Client Secret
6. Under the Workspaces heading, click "Add item." Input the details of your workspace, then click "Add item" again
7. Under the heading "Enabled severity levels," check the box for each incident severity level you want Dropzone to ingest alerts for
8. Under the heading "Enabled statuses," check the box for each incident status you want Dropzone to investigate alerts for
9. If you wish, you may adjust your ticket sync settings. To do so, under the "Ticket Sync — Update Ticket Status" header, check the box labeled "Update status on investigation change"
10. If you want Dropzone to be able to investigate email alerts, check the box under the heading "Microsoft Defender Email Fetching"
11. Input your desired Log ingestion delay, poll interval, and poll lookback
12. Click "Test & Save" to finish
If you have any errors, engage your Dropzone AI support representative.
Optionally, you may also add KQL queries to use in investigations. To do so, click "Add Item" under the KQL Queries heading, input the query, then click "Add item" again when done.
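The steps above collect four secrets and identifiers and assign a role whose scope decides what Dropzone can do in the workspace. Before pasting them into the Dropzone UI (and before clicking "Test & Save"), it helps to confirm offline that the values are well-formed, that the client-credentials flow and the Log Analytics query API accept them, and that the service principal holds only the role you intended. The following Python script is an added example written for this page; it is not Dropzone AI's code and does not describe how the Dropzone platform itself talks to Sentinel. It assumes the public Microsoft identity platform v2.0 token endpoint and the Log Analytics query endpoint (`https://api.loganalytics.io/v1/workspaces/{workspaceId}/query`); the `post` callable, the `FakeAzure` stand-in, the sample GUIDs and the secret value are all constructed so the script runs without network access.

```python
# Offline pre-flight check for the values collected on this page (Client ID,
# Tenant ID, Client Secret, Workspace ID) and for the role assigned to the app.
# Added example, not Dropzone AI's code. HTTP is injected as a `post` callable,
# so it runs offline against the constructed FakeAzure; wrap requests.post to
# exercise the real endpoints.
import json
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
LOG_ANALYTICS_SCOPE = "https://api.loganalytics.io/.default"

# Roles this page lists for each access level.
READ_ONLY_ROLES = {"Log Analytics Reader", "Microsoft Sentinel Reader"}
READ_WRITE_ROLES = {"Microsoft Sentinel Responder", "Microsoft Sentinel Contributor"}


@dataclass(frozen=True)
class SentinelConfig:
    client_id: str      # Application (client) ID
    tenant_id: str      # Directory (tenant) ID
    client_secret: str  # the secret's Value, not its Secret ID
    workspace_id: str   # Log Analytics workspace ID

    def validate(self) -> List[str]:
        """Catch the usual paste mistakes before anything leaves the machine."""
        problems = []
        for field in ("client_id", "tenant_id", "workspace_id"):
            if not GUID_RE.match(getattr(self, field)):
                problems.append(f"{field} is not a GUID")
        if not self.client_secret.strip():
            problems.append("client_secret is empty")
        return problems


def acquire_token(cfg: SentinelConfig, post: Callable) -> str:
    """Client-credentials grant; .default resolves to the application
    permission granted to the app on the Log Analytics API (Data.Read)."""
    url = f"https://login.microsoftonline.com/{cfg.tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": cfg.client_id,
            "client_secret": cfg.client_secret, "scope": LOG_ANALYTICS_SCOPE}
    status, body = post(url, form, {})
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token request failed ({status}): {body.get('error')}")
    return body["access_token"]


def run_kql(cfg: SentinelConfig, token: str, query: str, post: Callable) -> Dict[str, Any]:
    """POST one KQL query to the Log Analytics query API for the workspace."""
    url = f"https://api.loganalytics.io/v1/workspaces/{cfg.workspace_id}/query"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, body = post(url, json.dumps({"query": query}), headers)
    if status == 403:  # Data.Read consent missing, or no role on this workspace
        raise PermissionError("403: check Data.Read admin consent and the workspace role")
    if status != 200:
        raise RuntimeError(f"query failed ({status}): {body.get('error')}")
    return body


def preflight(cfg: SentinelConfig, post: Callable) -> int:
    """validate -> token -> one cheap query; returns the SecurityIncident count."""
    problems = cfg.validate()
    if problems:
        raise ValueError("; ".join(problems))
    token = acquire_token(cfg, post)
    result = run_kql(cfg, token, "SecurityIncident | count", post)
    return result["tables"][0]["rows"][0][0]


def excess_roles(assignments: List[Dict[str, str]], read_only_intended: bool) -> List[str]:
    """Roles on the app's service principal beyond the intended access level.
    Records use the roleDefinitionName key as printed by `az role assignment list`."""
    allowed = READ_ONLY_ROLES if read_only_intended else READ_ONLY_ROLES | READ_WRITE_ROLES
    return sorted({a["roleDefinitionName"] for a in assignments} - allowed)


class FakeAzure:
    """Constructed stand-in for the token and query endpoints (offline only)."""
    def __init__(self, consent_granted: bool = True):
        self.consent_granted = consent_granted
        self.calls: List[str] = []

    def __call__(self, url, data, headers):
        self.calls.append(url)
        if url.endswith("/oauth2/v2.0/token"):
            if data.get("scope") != LOG_ANALYTICS_SCOPE:
                return 400, {"error": "invalid_scope"}
            return 200, {"access_token": "constructed-token", "token_type": "Bearer"}
        if "/v1/workspaces/" in url and url.endswith("/query"):
            if headers.get("Authorization") != "Bearer constructed-token":
                return 401, {"error": "InvalidAuthenticationToken"}
            if not self.consent_granted:
                return 403, {"error": "InsufficientAccessError"}
            return 200, {"tables": [{"name": "PrimaryResult", "rows": [[3]]}]}
        return 404, {"error": "unknown endpoint"}


# Constructed sample values; substitute the ones you copied earlier.
SAMPLE_CONFIG = SentinelConfig(
    client_id="11111111-2222-3333-4444-555555555555",
    tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    client_secret="constructed-secret-value",
    workspace_id="99999999-8888-7777-6666-555555555555",
)
```

Run `preflight(SAMPLE_CONFIG, FakeAzure())` to see the full sequence succeed, and `preflight(SAMPLE_CONFIG, FakeAzure(consent_granted=False))` to see the 403 you get when admin consent or the role assignment was skipped. `excess_roles` is the least-privilege check for the role step: feed it the assignments for the application's service principal and it reports anything broader than the level you chose (for a read-only deployment, a Responder or Contributor assignment shows up as excess). Against real Azure, replace `FakeAzure` with a three-line wrapper around `requests.post` that returns `(response.status_code, response.json())`.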