Integrating with Microsoft Sentinel

Microsoft Sentinel is Microsoft's cloud-native SIEM, delivered as part of the Azure platform. You can use Sentinel as your SIEM and have Nightfall send its alerts to it over a webhook.

Sentinel Data Connectors

To ingest any data into Microsoft Sentinel, you must use a data connector. A Sentinel data connector is a data pipeline that transfers data (alerts, incidents, and so on) from a specific source into a Sentinel workspace. Microsoft provides many out-of-the-box data connectors, and also supports building custom ones for sources it does not cover.

Configure Sentinel as Webhook

To send alerts from Nightfall to Sentinel, you must first configure Sentinel as a webhook, that is, expose an HTTPS endpoint that accepts Nightfall's alert POSTs and passes them into your workspace. Sentinel has no out-of-the-box connector for Nightfall AI, so you must create a custom connector. Microsoft provides multiple ways to create custom connectors; to learn more, refer to this Microsoft documentation. Note the endpoint URL of the connector, as you need it when configuring the outgoing webhook in Nightfall. Because this endpoint is reachable from the internet, plan to require an authentication header on it (see the optional Add Header step below) so that only Nightfall can post alerts into your SIEM.

Configure Outgoing Webhook

Once you create a custom connector in Sentinel, you must configure the Webhook endpoint in Nightfall.

  1. Click Integrations in Nightfall.

  2. Click Manage for the required integration.

  3. Scroll down to the alerting section and click + Webhook.

  4. Enter the Sentinel URL obtained in the Configure Sentinel as Webhook section.

  5. Click Test to verify the URL. You must receive a success message as shown in the following image. If the test fails, confirm that the endpoint is reachable from the internet and answers the test request with a success (2xx) response.

  6. (Optional) Click Add Header to add authentication parameters:

     1. Enter the authentication parameters (key-value format) under the key and value columns, respectively. The key is the header name and the value is the secret the endpoint expects.

     2. Click the unlock icon to obfuscate the key-value pair so the secret is not displayed in plain text.

  7. Click Save.
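The receiving side of this procedure is the part the page leaves to the custom connector. The following is an added example, not Nightfall's or Microsoft's code, of a minimal endpoint that enforces the authentication header configured in step 6 before accepting an alert. It assumes a hypothetical header name, X-Nightfall-Token, and a shared secret supplied through the NIGHTFALL_WEBHOOK_SECRET environment variable; the JSON body in the usage note is constructed and does not reflect Nightfall's actual alert schema. Forwarding the accepted alert into the Sentinel workspace is left as a comment, since that call depends on how the custom connector was built.

```python
"""Minimal receiving endpoint for a Nightfall outgoing webhook.

Added example, not Nightfall's or Microsoft's code. It assumes the Sentinel
custom connector is fronted by an HTTP endpoint you control and that the
"Add Header" option in Nightfall sends a shared secret in a header named
X-Nightfall-Token (hypothetical name; pick your own).
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical header name and secret. Load the secret from a secret store
# or environment in real deployments; never hard-code it.
AUTH_HEADER = "X-Nightfall-Token"
SHARED_SECRET = os.environ.get("NIGHTFALL_WEBHOOK_SECRET", "replace-me")


def handle_webhook(headers, body, secret=SHARED_SECRET):
    """Validate an incoming webhook POST and return (status, message, alert).

    headers: mapping of header name -> value (looked up case-insensitively)
    body:    raw request body as bytes
    Returns an HTTP status code, a short reason, and the parsed JSON alert,
    or None as the alert when the request is rejected.
    """
    # Normalise header names so the checks do not depend on casing.
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. Authenticate: constant-time comparison avoids leaking the secret
    #    byte by byte through response timing.
    presented = lower.get(AUTH_HEADER.lower(), "")
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return 401, "missing or invalid webhook token", None

    # 2. Only accept JSON bodies.
    if not lower.get("content-type", "").startswith("application/json"):
        return 415, "expected application/json", None

    # 3. Parse, and reject malformed payloads rather than ingesting garbage.
    try:
        alert = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not valid JSON", None
    if not isinstance(alert, dict):
        return 400, "expected a JSON object", None

    # Accepted: the caller forwards `alert` into the Sentinel workspace.
    return 202, "accepted", alert


class WebhookHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the example can be run stand-alone."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, message, alert = handle_webhook(dict(self.headers.items()), body)
        if alert is not None:
            # Forward to the Sentinel custom connector here.
            print("accepted alert:", json.dumps(alert)[:200])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())

    def log_message(self, fmt, *args):
        # Keep request logging out of stdout for the example.
        pass


if __name__ == "__main__":
    # Constructed local run; put a TLS-terminating proxy in front of this
    # in any real deployment.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Run it with NIGHTFALL_WEBHOOK_SECRET set, point the Nightfall webhook URL at it, and add the header X-Nightfall-Token with the same secret in step 6. A request without the header, with a wrong secret, with a non-JSON content type, or with a malformed body is rejected with 401, 401, 415 or 400 respectively, and only a well-formed, authenticated JSON object reaches the forwarding step. Nightfall's Test button must also carry the header, so add the header before clicking Test if the endpoint already enforces it.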

Viewing Alert Data in Sentinel

Once you configure Sentinel as a webhook, Nightfall sends alert notifications to Sentinel, where they land in the table your custom connector writes to and can be queried and visualised like any other log data. To learn more about viewing visual data in Sentinel, refer to this Microsoft documentation. To learn more about querying logs with Microsoft's Kusto Query Language (KQL), refer to this Microsoft documentation.
