Microsoft Sentinel

Microsoft Sentinel

The Dropzone platform integrates with the security SIEM. Many customers ingest other alert sources into Microsoft Sentinel (e.g. IDPs) and integrate Dropzone into Microsoft Sentinel rather than the source systems.

Integration Overview

To enable these integrations you will perform the following actions:

• Register a new application in Azure Active Directory (AAD)

• Locate your Client ID, Tenant ID, and create a Client Secret

• Assign necessary API permissions to the application

• Assign roles to the application in Microsoft Sentinel

• Locate your Workspace Name and Workspace ID

Register a New Application in Microsoft Entry Admin Center

• Sign into as an administrator

• In the left sidebar, navigate to Identity > Applications > App Registrations

• Click "New Registration"

• Name the new application something memorable, such as "Dropzone AI Sentinel Integration"

• Under "Supported account types," select "Accounts in this organizational directory only (Single tenant)"

• Leave the "Redirect URI (optional)" blank

• Click "Register"

Client ID, Tenant ID, and Client Secret

Once the application has been created, it will redirect you to the application's Overview page.

• In the Overview page, copy the Application ID and the Directory ID for use later in the Dropzone UI, where they are called "Client ID" and "Tenant ID" respectively

• Next to "Client credentials", click "Add a certificate or secret"

• Under the Client secrets heading, click "New client secret"

• Enter a description for the client secret, such as "Dropzone AI Integration Secret", and choose an appropriate expiration date. Click "Add"

• Under "Value," copy the Client Secret Value for use later in the Dropzone UI, where it is called "Client Secret"

Set Application Permissions

• In the application's sidebar, navigate to Manage > API permissions

• Click "Add a permission"

• Navigate to "APIs my organization uses"

• In the search bar, input "Log Analytics API," and select it

• Click "Application permissions"

• In the search bar, input "Data.Read" and select it. Click "Add permissions"

If your integration requires access to security alerts via Microsoft Graph, do the following:

• In the API permissions page, click "Add a permission"

• Under the Microsoft API header, select Microsoft Graph

• Click "Application permissions"

• Check the permission "SecurityEvents.Read.All", then click "Add permissions"

• Once back in the Application API permissions page, click "Grant admin consent for [mycompany.net]"

• Click "Yes"

Assign Roles in Microsoft Sentinel

To allow the application to access Microsoft Sentinel data, you must assign the application roles based on your desired access level.

• Under the "Azure Services" heading, navigate to Microsoft Sentinel

• Select the Log Analytics Workspace you wish to analyze

• Navigate to Configuration > Settings

• Click on "Workspace settings"

• Navigate to "Access control (IAM)"

• Select Add > Add role assignment

• • Read-only access: Log Analytics Reader or Microsoft Sentinel Reader

  • Read and write access: Microsoft Sentinel Responder or Microsoft Sentinel Contributor

• Once you have selected your role, click "Members"

• Next to "Assign access to," select "User, group, or service principal"

• Click "Select members"

• Search for your application (such as Dropzone AI Sentinel Integration) and click "Select"

• In the bottom left hand corner, click "Review + assign" twice

Workspace IDs

To obtain your Workspace Name and Workspace ID, do the following:

• Under the "Azure Services" heading, navigate to Microsoft Sentinel

• Select the Workspace you wish to analyze

• In the left sidebar, navigate to Configuration > Settings

• Click on "Workspace Settings"

• Copy the Workspace ID, Subscription ID, and Resource Group shown for use later in the Dropzone UI

Enable the Dropzone Data Source Integration

To enable the Data Source integration, you will need the following information:

To enable the Data Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

• In the bottom right corner, navigate to Settings > Integrations

• Click "Available"

• In the Search bar, search Microsoft Sentinel, then click "Configure"

• Under the Data Source heading, input the Client ID, Tenant ID, and Client Secret

• Under the Workspaces heading, click "Add item." Input the details of your workspace, then click "Add item" again.

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.

Enable the Dropzone Alert Source Integration

To enable the Alert Source integration, you will need the following information:

To enable the Alert Source integration, do the following:

• Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai

• In the bottom right corner, navigate to Settings > Integrations

• Click "Available"

• In the Search bar, search Microsoft Sentinel, then click "Configure"

• Under the Alert Source heading, input the Client ID, Tenant ID, and Client Secret

• Under the Workspaces heading, click "Add item." Input the details of your workspace, then click "Add item" again.

• Under the heading "Enabled severity levels," check the boxes for each incident severity level you want Dropzone to ingest alerts for

• Under the heading "Enabled statuses," check the box for each incident status you want Dropzone to investigate alerts for

• If you wish, you may adjust your ticket sync settings. To do so, under the "Ticket Sync — Update Ticket Status" header, check the box labeled "Update status on investigation change"

• If you want Dropzone to be able to investigate email alerts, check the box under the heading "Microsoft Defender Email Fetching"

• Input your desired Log ingestion delay, poll interval, and poll lookback.

• Click "Test & Save" to finish

If you have any errors engage your Dropzone AI support representative.