Azure Sentinel Destination Setup

Create incidents in Microsoft Sentinel for detection alerts using App Registration authentication.

Prerequisites

  • Azure subscription with Sentinel workspace
  • Azure AD permissions to create App Registrations
  • Sentinel workspace with incident creation permissions

Setup Steps

1. Create App Registration

In Azure Portal:

  1. Navigate to Azure Active Directory → App registrations
  2. Click New registration
  3. Enter name (e.g., "Query.ai Security Detections")
  4. Select Accounts in this organizational directory only
  5. Click Register
  6. Copy the Application (client) ID
  7. Copy the Directory (tenant) ID

2. Create Client Secret

  1. In your App Registration, navigate to Certificates & secrets
  2. Click New client secret
  3. Add description (e.g., "Detection alerts integration")
  4. Select expiration period (recommend 90 days for security)
  5. Click Add
  6. Copy the secret value immediately - you won't see it again

Important: Store the secret value securely. It cannot be retrieved after leaving the page.

3. Assign Sentinel Permissions

  1. Navigate to your Sentinel workspace in Azure Portal
  2. Go to Access control (IAM)
  3. Click Add role assignment
  4. Select Microsoft Sentinel Responder role
  5. Click Next
  6. Select User, group, or service principal
  7. Click Select members
  8. Search for and select your App Registration
  9. Click Review + assign

4. Test Access

Test that the App Registration can create incidents:

# Install Azure CLI if needed
az login

# Test incident creation (replace with your values)
az rest --method put \
  --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{rg-name}/providers/Microsoft.OperationalInsights/workspaces/{workspace-name}/providers/Microsoft.SecurityInsights/incidents/test-incident-001?api-version=2022-07-01-preview" \
  --body '{"properties":{"title":"Test Incident","severity":"Low","status":"New"}}'

Expected Response: JSON object with incident details

5. Configure in Query.ai

Contact your Query.ai administrator to configure the Azure Sentinel destination with:

Required Configuration:

  • Tenant ID (Azure AD Directory ID) - stored securely
  • Client ID (Application ID) - stored securely
  • Client Secret - stored securely
  • Subscription ID
  • Resource Group name
  • Workspace name

Incident Fields

Azure Sentinel incidents are created with the following fields:

Sentinel Field | Value | Notes
title | Detection name | Incident title
description | Detection details | Complete description with all metadata
severity | High/Medium/Low | Mapped from detection severity
status | New | All incidents created as "New"
firstActivityTimeUtc | Detection range start | ISO 8601 format
lastActivityTimeUtc | Detection ran at | ISO 8601 format

Severity Mapping

Detection severity maps to Sentinel severity:

Detection Severity | Sentinel Severity
CRITICAL | High
HIGH | High
MEDIUM | Medium
LOW | Low

Description Field Contents

The description includes:

  • Detection name, severity, outcome, and match count
  • Run type (SCHEDULED or MANUAL)
  • Threshold configuration (operator, value, eagerness)
  • Execution metadata (exhaustiveness, search ID, trace ID if available)
  • Detection description
  • Replay link for investigation
  • Error messages (if any)

Incident ID

Incidents use a deterministic UUID based on detection ID + run ID. This prevents duplicate incidents if the same detection run is processed multiple times.
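The following is an added example, not code from the Query.ai integration, showing how the incident fields, severity mapping, description contents and deterministic incident ID described above fit together. The exact way the real integration derives the UUID is not documented here; deriving it with uuid5 over "detection_id:run_id" is an assumption that preserves the stated property (re-processing the same run yields the same ID). The sample detection run is constructed data.

```python
import uuid
from datetime import datetime, timezone

# Assumption: a fixed namespace makes uuid5 deterministic for a given detection/run pair.
INCIDENT_NAMESPACE = uuid.NAMESPACE_URL

# Severity mapping as documented on this page.
SEVERITY_MAP = {"CRITICAL": "High", "HIGH": "High", "MEDIUM": "Medium", "LOW": "Low"}


def incident_id(detection_id: str, run_id: str) -> str:
    """Same detection run -> same UUID, so a replayed run cannot create a duplicate."""
    return str(uuid.uuid5(INCIDENT_NAMESPACE, f"{detection_id}:{run_id}"))


def map_severity(detection_severity: str) -> str:
    """Fail loudly on an unknown severity instead of silently defaulting."""
    try:
        return SEVERITY_MAP[detection_severity.upper()]
    except KeyError:
        raise ValueError(f"unknown detection severity: {detection_severity!r}")


def iso_utc(ts: datetime) -> str:
    """ISO 8601 in UTC; naive timestamps are rejected so times cannot drift by timezone."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_description(run: dict) -> str:
    """Assemble the description field from the items listed on this page."""
    execution = f"Execution: exhaustiveness={run['exhaustiveness']}, search_id={run['search_id']}"
    if run.get("trace_id"):
        execution += f", trace_id={run['trace_id']}"
    lines = [
        f"Detection: {run['name']} | Severity: {run['severity']} | "
        f"Outcome: {run['outcome']} | Matches: {run['match_count']}",
        f"Run type: {run['run_type']}",
        f"Threshold: {run['threshold']['operator']} {run['threshold']['value']} "
        f"(eagerness: {run['threshold']['eagerness']})",
        execution,
        f"Description: {run['description']}",
        f"Replay: {run['replay_url']}",
    ]
    if run.get("errors"):
        lines.append("Errors: " + "; ".join(run["errors"]))
    return "\n".join(lines)


def build_incident(run: dict) -> tuple[str, dict]:
    """Return (incident name for the PUT URL, request body) for one detection run."""
    body = {
        "properties": {
            "title": run["name"],
            "description": build_description(run),
            "severity": map_severity(run["severity"]),
            "status": "New",
            "firstActivityTimeUtc": iso_utc(run["range_start"]),
            "lastActivityTimeUtc": iso_utc(run["ran_at"]),
        }
    }
    return incident_id(run["detection_id"], run["run_id"]), body


# Constructed sample detection run (not real data).
SAMPLE_RUN = {
    "detection_id": "det-0001", "run_id": "run-0042",
    "name": "Suspicious Sign-in Burst", "severity": "CRITICAL", "outcome": "MATCHED",
    "match_count": 12, "run_type": "SCHEDULED",
    "threshold": {"operator": ">=", "value": 10, "eagerness": "EAGER"},
    "exhaustiveness": "COMPLETE", "search_id": "srch-123", "trace_id": None,
    "description": "Flags more than ten failed sign-ins per account in 5 minutes.",
    "replay_url": "https://example.invalid/replay/srch-123",
    "range_start": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc),
    "ran_at": datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc),
    "errors": [],
}

if __name__ == "__main__":
    name, body = build_incident(SAMPLE_RUN)
    print(name)
    print(body["properties"]["severity"], body["properties"]["firstActivityTimeUtc"])
```

The returned name is what goes in the `.../incidents/{name}` path of the PUT request shown under Test Access; because PUT is an upsert keyed on that name, a second delivery of the same run updates the existing incident instead of opening another one.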

Testing

Test App Registration Credentials

Test authentication with Python:

from azure.identity import ClientSecretCredential
from azure.mgmt.securityinsight import SecurityInsights

# Authenticate as the App Registration (service principal) with its client secret.
credential = ClientSecretCredential(
    tenant_id="your-tenant-id",
    client_id="your-client-id",
    client_secret="your-client-secret",
)

# Management client scoped to the subscription that holds the Sentinel workspace.
client = SecurityInsights(credential, "your-subscription-id")

# List existing incidents; a successful result confirms both the credentials
# and the Sentinel role assignment on the workspace.
incidents = client.incidents.list(
    resource_group_name="your-rg",
    workspace_name="your-workspace",
)

for incident in incidents:
    # The SDK flattens the REST "properties" object onto the model,
    # so the title is incident.title rather than incident.properties.title.
    print(f"Incident: {incident.name} - {incident.title}")

Test with Detection

  1. Create a test detection with low threshold
  2. Add Azure Sentinel destination
  3. Click Run Now
  4. Check Sentinel workspace for new incident

Troubleshooting

Common Issues

Error | Cause | Solution
Authentication failed | Invalid credentials | Verify tenant_id, client_id, client_secret are correct
Forbidden / 403 | Insufficient permissions | Assign Microsoft Sentinel Responder role to App Registration
Resource not found | Incorrect configuration | Verify subscription_id, resource_group_name, workspace_name
Tenant not found | Wrong tenant ID | Check tenant_id matches Azure AD tenant
Incident not created | Detection didn't match | Verify detection outcome is MATCHED, check destination is enabled

Verify App Registration Permissions

  1. Navigate to Sentinel workspace in Azure Portal
  2. Go to Access control (IAM)
  3. Click Role assignments
  4. Search for your App Registration name
  5. Verify Microsoft Sentinel Responder role is assigned

Check Client Secret Expiration

  1. Navigate to Azure Active Directory → App registrations
  2. Select your App Registration
  3. Go to Certificates & secrets
  4. Check expiration date of client secret
  5. Create new secret before expiration
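An added example (not part of the Query.ai tooling) that turns the expiration check above, and the "Set Expiration Reminders" and 90-day rotation advice later on this page, into a check you can run against the secret dates copied from the Certificates & secrets blade. The 14-day reminder window and the secret records are assumptions and constructed sample data.

```python
from datetime import date

ROTATION_PERIOD_DAYS = 90   # expiry period recommended on this page
REMINDER_DAYS = 14          # assumption: warn two weeks before expiry


def days_until_expiry(end: date, today: date) -> int:
    """Negative when the secret has already expired."""
    return (end - today).days


def rotation_status(secrets: list[dict], today: date, reminder_days: int = REMINDER_DAYS) -> dict:
    """Classify each secret by display name as 'expired', 'rotate_soon' or 'ok'."""
    status = {}
    for s in secrets:
        remaining = days_until_expiry(s["end"], today)
        if remaining <= 0:
            status[s["name"]] = "expired"
        elif remaining <= reminder_days:
            status[s["name"]] = "rotate_soon"
        else:
            status[s["name"]] = "ok"
    return status


def needs_new_secret(secrets: list[dict], today: date, reminder_days: int = REMINDER_DAYS) -> bool:
    """True when no secret has comfortable validity left, i.e. a new one must be created now."""
    return "ok" not in rotation_status(secrets, today, reminder_days).values()


def policy_violations(secrets: list[dict], max_days: int = ROTATION_PERIOD_DAYS) -> list[str]:
    """Names of secrets issued for longer than the recommended rotation period."""
    return [s["name"] for s in secrets if (s["end"] - s["start"]).days > max_days]


# Constructed sample: two 90-day secrets, one already expired, one close to expiry.
SAMPLE_SECRETS = [
    {"name": "Detection alerts integration (2023Q4)", "start": date(2023, 10, 3), "end": date(2024, 1, 1)},
    {"name": "Detection alerts integration (2024Q1)", "start": date(2024, 1, 1), "end": date(2024, 3, 31)},
]

if __name__ == "__main__":
    today = date(2024, 3, 20)
    for name, state in rotation_status(SAMPLE_SECRETS, today).items():
        print(f"{name}: {state}")
    print("create new secret now:", needs_new_secret(SAMPLE_SECRETS, today))
```

Run it on a schedule with today's date and page someone when `needs_new_secret` is true; that is the point at which the Client Secret Rotation steps below must start so the new secret is in place before the old one lapses.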

View Logs

Contact your Query.ai administrator to review CloudWatch logs:

aws logs tail /aws/lambda/detection-outcome-handler --follow

Look for Azure Sentinel-related errors in the logs.

Multiple Workspaces

Create separate destinations for different Sentinel workspaces:

Example Use Cases:

  • Production incidents → Production Sentinel workspace
  • Test detections → Development Sentinel workspace
  • Different regions → Region-specific workspaces

Each destination uses different workspace configurations.

Configuration Options

Required

tenant_id (secret)

  • Azure AD Tenant ID (Directory ID)
  • Format: UUID (e.g., aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee)
  • Stored securely in AWS Secrets Manager

client_id (secret)

  • App Registration Application (client) ID
  • Format: UUID (e.g., 11111111-2222-3333-4444-555555555555)
  • Stored securely in AWS Secrets Manager

client_secret (secret)

  • App Registration client secret value
  • Generated in Azure Portal
  • Stored securely in AWS Secrets Manager
  • Rotate every 90 days

subscription_id

  • Azure Subscription ID containing Sentinel workspace
  • Format: UUID
  • Not secret (can be stored in configuration)

resource_group_name

  • Resource Group name containing Sentinel workspace
  • Case-sensitive
  • Not secret (can be stored in configuration)

workspace_name

  • Sentinel workspace name
  • Case-sensitive
  • Not secret (can be stored in configuration)
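An added example, not code from the Query.ai integration, that checks a destination configuration against the rules stated in this section before any call is made: the three secret fields and the subscription ID must be well-formed UUIDs, the resource group and workspace names are compared literally (case-sensitive, no stray whitespace), and the secret fields are redacted before the configuration is logged. It also builds the incident PUT URL used under Test Access. Field names follow this page; the sample configuration values are constructed placeholders.

```python
import uuid
from urllib.parse import quote

REQUIRED_FIELDS = ("tenant_id", "client_id", "client_secret",
                   "subscription_id", "resource_group_name", "workspace_name")
UUID_FIELDS = ("tenant_id", "client_id", "subscription_id")
SECRET_FIELDS = ("tenant_id", "client_id", "client_secret")  # marked (secret) on this page
API_VERSION = "2022-07-01-preview"


def validate_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the configuration is well-formed."""
    problems = []
    for field in REQUIRED_FIELDS:
        value = cfg.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: missing or empty")
    for field in UUID_FIELDS:
        value = cfg.get(field)
        if isinstance(value, str) and value.strip():
            try:
                uuid.UUID(value)
            except ValueError:
                problems.append(f"{field}: not a UUID")
    for field in ("resource_group_name", "workspace_name"):
        value = cfg.get(field)
        if isinstance(value, str) and value != value.strip():
            # Names are matched literally by Azure, so padding leads to "Resource not found".
            problems.append(f"{field}: leading/trailing whitespace")
    return problems


def incident_url(cfg: dict, incident_name: str) -> str:
    """Build the Microsoft.SecurityInsights incident URL for a PUT (create or update)."""
    problems = validate_config(cfg)
    if problems:
        raise ValueError("invalid configuration: " + "; ".join(problems))
    return (
        "https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}"
        "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
        "/providers/Microsoft.SecurityInsights/incidents/{name}?api-version={api}"
    ).format(
        sub=cfg["subscription_id"],
        rg=quote(cfg["resource_group_name"], safe=""),
        ws=quote(cfg["workspace_name"], safe=""),
        name=quote(incident_name, safe=""),
        api=API_VERSION,
    )


def redact(cfg: dict) -> dict:
    """Copy of the configuration safe to write to logs."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in cfg.items()}


# Constructed placeholder configuration (IDs are the example formats from this page).
SAMPLE_CONFIG = {
    "tenant_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_id": "11111111-2222-3333-4444-555555555555",
    "client_secret": "PLACEHOLDER-client-secret",
    "subscription_id": "00000000-0000-0000-0000-000000000000",
    "resource_group_name": "rg-sentinel-prod",
    "workspace_name": "sentinel-prod",
}

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))
    print(incident_url(SAMPLE_CONFIG, "test-incident-001"))
    print(redact(SAMPLE_CONFIG))
```

Running `validate_config` when the destination is saved catches the "Resource not found" and "Tenant not found" rows of the troubleshooting table before the first detection run, and `redact` is what should be passed to any log statement so the secret-marked fields never reach CloudWatch.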

Sentinel Workflow Integration

Automation Rules

Configure Sentinel automation rules to process detection incidents:

  1. Navigate to Sentinel → Automation
  2. Click Create → Automation rule
  3. Set trigger: When incident is created
  4. Add condition: Title contains "Detection"
  5. Add actions:
    • Assign to analyst
    • Add tags
    • Run playbook

Playbooks

Create Logic Apps playbooks for automated response:

  1. Navigate to Sentinel → Automation
  2. Click Create → Playbook
  3. Design Logic App workflow
  4. Trigger on incident creation
  5. Add actions (e.g., send to Slack, create ticket)

Analytics Rules

Sentinel incidents from Query.ai appear alongside native analytics rules:

  • View in Incidents dashboard
  • Filter by source: "Query.ai Federated Detections"
  • Investigate using built-in investigation tools

Incident Investigation

When a Sentinel incident is created:

  1. Open incident in Sentinel portal
  2. Review incident details and description
  3. Click replay link to investigate in Query.ai
  4. Use Sentinel investigation graph for context
  5. Document findings in incident comments
  6. Update incident status as investigation progresses

Security Best Practices

  1. Never Commit Credentials: Always store credentials in Secrets Manager
  2. Use Dedicated App Registration: Don't use personal accounts
  3. Rotate Client Secrets: Rotate every 90 days
  4. Least Privilege Role: Use Sentinel Responder, not Contributor or Owner
  5. Monitor Sign-ins: Review App Registration sign-in logs for anomalies
  6. Set Expiration Reminders: Configure alerts before secret expiration
  7. Audit Access: Regularly review IAM role assignments

Client Secret Rotation

To rotate client secret:

  1. Navigate to App Registration in Azure Portal
  2. Go to Certificates & secrets
  3. Click New client secret
  4. Copy new secret value
  5. Update secret in Query.ai configuration
  6. Test with a manual detection run
  7. Delete old secret after verification

Best Practice: Create new secret before old one expires to avoid service interruption.

Resources