Microsoft Sentinel

Microsoft Sentinel (formerly Azure Sentinel) is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. It delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Configuring the Integration in the Microsoft Azure Portal

Step 1 - Setting up a Log Analytics Workspace

Note - If you are using an existing Log Analytics workspace, skip this section.

  1. Log in to the Microsoft Azure portal.

  2. Search for Azure Sentinel and select it.

  3. Click Add.

  4. Click Create a new workspace.

    The Create Log Analytics workspace window appears.

  5. Enter the following:

    1. Subscription - A subscription according to your business needs.

      • Resource group - Associate the Log Analytics workspace with the appropriate business unit.

    2. Name - Name of the workspace. It must be 4 to 63 characters long and can contain letters, numerals, and hyphens. A hyphen cannot be the first or last character.

    3. Region - Physical location of the server generating the event collector. Select according to pricing and business requirements.

    4. (Optional) Review the pricing tiers and set appropriate tags for the workspace.

  6. Click Review + Create.

Step 2 - Linking the Log Analytics Workspace to Microsoft Sentinel

  1. Log in to the Microsoft Azure portal.

  2. Search for Azure Sentinel and select it.

  3. Click Add.

  4. Select the Log Analytics Workspace that you have created or an existing one that you want to utilize.

Step 3 - Finding your Log Analytics Workspace ID and Primary Key

  1. Log in to the Microsoft Azure portal.

  2. Search for Log Analytics Workspace and select it.

  3. Select the workspace you connected to Microsoft Sentinel.

  4. In the Settings section, click Advanced settings.

  5. Click Connected Sources > Linux Servers and then copy the Workspace ID and the Primary Key.

Configuring the Microsoft Sentinel Integration in the Harmony SASE Administrator Portal

  1. Access the Harmony SASE Administrator Portal and click Settings > Integrations.

  2. In the SIEM integrations section, in the Microsoft Sentinel row, click Add.

  3. In the Workspace ID field, enter the Log Analytics Workspace ID from the above section.

  4. In the Workspace Key field, enter the Log Analytics Primary Key from the above section.

  5. Click Validate.

Troubleshooting

Status Message                 | Action Required
Success                        | None.
SENTINEL_INACTIVE_CUSTOMER     | The workspace has been deactivated.
SENTINEL_INVALID_CUSTOMER_ID   | Make sure you have entered the correct customer ID.
SENTINEL_INVALID_AUTHORIZATION | The service failed to authenticate the request. Verify that the workspace ID and connection key are valid.
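
Added example, not part of the original page and not Harmony SASE or Microsoft code: a local check of the Workspace ID and Primary Key copied in Step 3 before they are pasted into the portal, plus the SharedKey signature that the Azure Monitor HTTP Data Collector API derives from them, which shows why a mistyped key fails authentication. It assumes the integration sends logs through that API (the page does not say so); the function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import uuid


def check_credentials(workspace_id: str, primary_key: str) -> list[str]:
    """Return problems found in the pasted values; an empty list means OK."""
    problems = []
    wid, key = workspace_id.strip(), primary_key.strip()
    if wid != workspace_id or key != primary_key:
        problems.append("leading or trailing whitespace")
    try:
        # The portal shows the Workspace ID as a lowercase hyphenated GUID.
        if str(uuid.UUID(wid)) != wid.lower():
            problems.append("workspace ID is not in hyphenated GUID form")
    except ValueError:
        problems.append("workspace ID is not a GUID")
    try:
        # The Primary Key is base64 text; strict decoding catches cut-off pastes.
        if not base64.b64decode(key, validate=True):
            problems.append("primary key is empty")
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("primary key is not valid base64")
    return problems


def shared_key_header(workspace_id, primary_key, rfc1123_date, content_length):
    """Authorization header value for a Data Collector API POST (assumed API)."""
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(
        base64.b64decode(primary_key), string_to_sign.encode("utf-8"), hashlib.sha256
    ).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


# Constructed sample values, not real credentials.
SAMPLE_ID = "00000000-1111-2222-3333-444444444444"
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(check_credentials(SAMPLE_ID, SAMPLE_KEY))       # clean values
    print(check_credentials(SAMPLE_ID, SAMPLE_KEY[:-3]))  # truncated key
    print(shared_key_header(SAMPLE_ID, SAMPLE_KEY,
                            "Mon, 01 Jan 2024 00:00:00 GMT", 2))
```

Because the signature is keyed with the decoded Primary Key, a value that passes the format check but belongs to a different workspace still fails at the service, which corresponds to the SENTINEL_INVALID_AUTHORIZATION row above.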