
Microsoft Sentinel Integration Setup

This guide walks you through creating an Entra ID application, granting it read access to your Microsoft Sentinel workspace, and gathering the values required to connect Microsoft Sentinel as a SIEM with RAD Security. Microsoft Sentinel is a cloud-native SIEM built on Azure Monitor and Log Analytics. RAD Security connects to your Sentinel workspace to pull security alerts and events for unified, offline threat analysis alongside your runtime, cloud, and Kubernetes telemetry.
This integration is read-only. RAD Security queries alerts and events from Microsoft Sentinel — it does not write data into your workspace. No Data Collection Rule or ingestion endpoint is required.

Prerequisites

Before you begin, ensure you have:
  • A Microsoft Sentinel workspace enabled on a Log Analytics workspace
  • Permission in Microsoft Entra ID to register an application and add a client secret to it
  • Permission to assign Azure roles (Owner or User Access Administrator) on the subscription or resource group that contains the workspace
  • Access to a RAD Security workspace with integration permissions
Alert retrieval requires the Defender portal. To read Sentinel alerts, your workspace must be connected to the Microsoft Defender portal. Event queries over Log Analytics tables work without this connection.

Understanding Integration Components

The Microsoft Sentinel integration authenticates with an Entra ID application using OAuth client credentials and reads from your Log Analytics workspace. Two pieces are involved:

Entra ID application (service principal)
  • Purpose: Authenticate RAD Security to your Azure subscription and Sentinel workspace
  • Use Case: Provide a non-user identity that can be scoped, rotated, and audited independently
  • Authentication: OAuth 2.0 client credentials (Application/client ID, Directory/tenant ID, client secret)

Azure RBAC role assignments
  • Purpose: Grant the application read-only access to Sentinel alerts and Log Analytics data
  • Use Case: Follow the principle of least privilege; RAD Security only needs to read
  • Recommended roles: Microsoft Sentinel Reader (alerts and incidents) and Log Analytics Reader (event queries)

Step 1: Create an Entra ID Application

1. Create the application and service principal

Follow the Microsoft guide to create a Microsoft Entra application and service principal. Choose a descriptive name (e.g., “RAD Security Sentinel”). Because this is a service-to-service integration, no redirect URI or user sign-in is required.
2. Note the application credentials

On the application’s Overview tab, copy the following values to a secure location:
  • Application (client) ID
  • Directory (tenant) ID

Step 2: Create a Client Secret

1. Navigate to Certificates & secrets

In your Entra ID application, go to Manage → Certificates & secrets.
2. Create a new client secret

Follow the Microsoft guide to add a new client secret.
  1. Click New client secret
  2. Add a description (e.g., “RAD Security Integration Key”)
  3. Select an expiration period
  4. Click Add
3. Copy the secret value

Immediately copy the secret value to a secure location alongside your Client ID and Tenant ID.
This is your only chance to view the secret! Once you navigate away from this page, the value cannot be retrieved again. If you lose it, create a new secret.

Step 3: Grant Access to the Sentinel Workspace

1. Open your Log Analytics workspace

In the Azure portal, navigate to the Log Analytics workspace that backs your Microsoft Sentinel instance.
2. Open Access control (IAM)

Select Access control (IAM) → Add → Add role assignment.
3. Assign Microsoft Sentinel Reader

Follow the Microsoft guide to assign an Azure role. Assign the Microsoft Sentinel Reader role to the Entra ID application (service principal) created in Step 1.
Assigning at the workspace scope is the most restrictive option. You may assign at the resource group or subscription scope if you plan to connect multiple workspaces.
4. Add Log Analytics Reader for event queries

Repeat the role assignment to also grant Log Analytics Reader to the same application. This allows RAD Security to run KQL queries against your Log Analytics tables when syncing events.
Together these built-in roles cover the access RAD Security needs: Microsoft Sentinel Reader grants read access to Microsoft.SecurityInsights/* (alerts and incidents), and Log Analytics Reader grants Microsoft.OperationalInsights/workspaces/read together with the workspace query action that running KQL requires. Neither role includes any write permission on the workspace.

Step 4: Gather your Workspace Values

1. Open the workspace Overview

In the Azure portal, open your Log Analytics workspace and select the Overview tab.
2. Copy the workspace identifiers

Record the following values to a secure location:
  • Subscription ID — the Azure subscription that contains the workspace
  • Resource group — the resource group that contains the workspace
  • Workspace ID — the Log Analytics workspace ID (a GUID, shown on the Overview page)
  • Workspace Name — the name of the workspace
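Steps 1 through 4 scripted end to end with the Azure CLI, as an added example rather than RAD Security's own tooling. It assumes an az CLI session already signed in as an administrator who can register Entra applications and hold Owner or User Access Administrator on the workspace; the variable names, the one-year secret lifetime and the Key Vault secret name are this example's choices, and the GUIDs are placeholders. For a sovereign cloud, run az cloud set --name AzureUSGovernment (or AzureChinaCloud) before az login, since switching clouds ends the current session.

```shell
#!/usr/bin/env sh
# Added example (not RAD Security's tooling): Steps 1-4 with the Azure CLI.
# Assumptions: az CLI 2.37 or later, already signed in (az login) as a user who can
# register Entra applications and assign roles on the workspace. Role names are the
# Azure built-ins named in the guide; variable names and the vault secret name are ours.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-22222222-2222-2222-2222-222222222222}"   # placeholders
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security}"
WORKSPACE_NAME="${WORKSPACE_NAME:-sentinel-workspace}"
APP_NAME="${APP_NAME:-RAD Security Sentinel}"
CLOUD="${CLOUD:-AzureCloud}"          # AzureCloud | AzureUSGovernment | AzureChinaCloud
KEY_VAULT="${KEY_VAULT:-}"            # optional: Key Vault that receives the client secret

# Resource ID of the Log Analytics workspace: the narrowest scope the roles can be assigned at.
workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Step 5 optional parameters: empty for commercial Azure, sovereign endpoints otherwise.
logs_url_for_cloud() {
  case "$1" in
    AzureCloud)        printf '' ;;
    AzureUSGovernment) printf 'https://api.loganalytics.azure.us' ;;
    AzureChinaCloud)   printf 'https://api.loganalytics.azure.cn' ;;
    *) echo "unknown cloud: $1" >&2; return 1 ;;
  esac
}
management_url_for_cloud() {
  case "$1" in
    AzureCloud)        printf '' ;;
    AzureUSGovernment) printf 'https://management.usgovcloudapi.net' ;;
    AzureChinaCloud)   printf 'https://management.chinacloudapi.cn' ;;
    *) echo "unknown cloud: $1" >&2; return 1 ;;
  esac
}

setup() {
  az account set --subscription "$SUBSCRIPTION_ID"
  tenant_id=$(az account show --query tenantId -o tsv)

  # Step 1: application and service principal. Service-to-service, so no redirect URI.
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  sp_object_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # Step 2: client secret with a one-year lifetime. The value is returned once, here.
  secret=$(az ad app credential reset --id "$app_id" --display-name "RAD Security Integration Key" \
    --years 1 --query password -o tsv)

  # Step 3: both read-only roles at workspace scope. Passing the object ID and principal type
  # skips the directory lookup that can fail for a service principal created seconds ago.
  scope=$(workspace_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$WORKSPACE_NAME")
  for role in "Microsoft Sentinel Reader" "Log Analytics Reader"; do
    az role assignment create --assignee-object-id "$sp_object_id" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" -o none
  done

  # Step 4: the Workspace ID is the workspace's customerId GUID.
  workspace_id=$(az monitor log-analytics workspace show -g "$RESOURCE_GROUP" -n "$WORKSPACE_NAME" \
    --query customerId -o tsv)

  # Everything the RAD Security form asks for in Step 5.
  printf 'Client ID:       %s\nTenant ID:       %s\nSubscription ID: %s\nResource Group:  %s\n' \
    "$app_id" "$tenant_id" "$SUBSCRIPTION_ID" "$RESOURCE_GROUP"
  printf 'Workspace ID:    %s\nWorkspace Name:  %s\nLogs URL:        %s\nManagement URL:  %s\n' \
    "$workspace_id" "$WORKSPACE_NAME" "$(logs_url_for_cloud "$CLOUD")" "$(management_url_for_cloud "$CLOUD")"
  if [ -n "$KEY_VAULT" ]; then
    az keyvault secret set --vault-name "$KEY_VAULT" --name rad-security-sentinel-client-secret \
      --value "$secret" -o none
    echo "Client Secret:   stored in Key Vault $KEY_VAULT as rad-security-sentinel-client-secret"
  else
    echo "Client Secret:   $secret   (shown once; put it in a vault now)"
  fi
}

# Only touch Azure when asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "run" ]; then setup; fi
```

Saved as, say, setup-rad-sentinel.sh, it runs with `sh setup-rad-sentinel.sh run`; without the argument it only defines the helpers. The string produced by workspace_scope is the scope the portal builds for you when you assign the roles on the workspace in Step 3; assigning at the resource group or subscription instead means stopping the path at that level.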

Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Sentinel integration with the following parameters:

Required Parameters

Parameter        Description                                              Example
Client ID        The Application (client) ID from Step 1                  11111111-1111-1111-1111-111111111111
Client Secret    The client secret value from Step 2                      your-secret-value-here
Tenant ID        The Directory (tenant) ID from Step 1                    00000000-0000-0000-0000-000000000000
Subscription ID  The subscription containing the workspace (Step 4)       22222222-2222-2222-2222-222222222222
Resource Group   The resource group containing the workspace (Step 4)     rg-security
Workspace ID     The Log Analytics workspace ID (Step 4)                  33333333-3333-3333-3333-333333333333
Workspace Name   The Log Analytics workspace name (Step 4)                sentinel-workspace

Optional Parameters

Parameter        Description                                                                                                        Example
Default Tables   Comma-separated list of Log Analytics tables to query for events. Leave blank to use the default ASIM-normalized tables.   SecurityEvent, Syslog, CommonSecurityLog
Logs URL         Azure Monitor Logs API base URL; only for alternate clouds such as GovCloud                                        https://api.loganalytics.azure.us
Management URL   Azure Management API base URL; only for alternate clouds such as GovCloud                                          https://management.usgovcloudapi.net
Event queries run over your Log Analytics tables. When Default Tables is left blank, RAD Security queries Microsoft’s ASIM-normalized schemas. Supply a comma-separated list to scope the sync to specific tables — for example SecurityEvent, Syslog, SecurityAlert. Multiple tables are joined with a union.
Avoid using a single * entry. It maps to a union * query across all tables, which is slow and resource-intensive — Microsoft discourages it.
Leave Logs URL and Management URL blank for the commercial Azure cloud. Only set them when targeting a sovereign cloud:
  • US Government: https://api.loganalytics.azure.us / https://management.usgovcloudapi.net
  • China (21Vianet): https://api.loganalytics.azure.cn / https://management.chinacloudapi.cn

Verify Integration

After completing the setup, verify your integration is working:
  1. Navigate to Data Sources → Integrations → SIEM in RAD Security
  2. Locate your Microsoft Sentinel integration
  3. Check the connection status shows as Connected
  4. Confirm alerts and events begin appearing as the first sync completes
Your Microsoft Sentinel integration is now configured! RAD Security will pull alerts and events from your Sentinel workspace for unified threat analysis.

What Data is Synced

RAD Security imports native Microsoft Sentinel alerts (from the Defender-connected workspace) as normalized security findings for correlation with your runtime and cloud telemetry.
RAD Security queries events from your Log Analytics tables — scoped by the Default Tables setting, or the default ASIM-normalized schemas when left blank.
Once connected, RADBot can query your Sentinel alerts, events, investigations, and log providers through read-only AI capabilities for assisted investigation.

Use Cases

Unified Threat Analysis

Correlate Microsoft Sentinel alerts and events with RAD Security’s runtime insights for comprehensive detection.

Offline Investigation

Analyze synced Sentinel data within RAD Security without round-tripping to the Azure portal.

Cross-Platform Detection

Detect threats that span Azure, endpoints, and containerized infrastructure using unified data sources.

AI-Assisted Triage

Let RADBot query Sentinel alerts and events to accelerate investigation and triage.

Troubleshooting

Connection fails with an authentication error

Possible causes:
  • Client ID, Tenant ID, or Client Secret copied incorrectly
  • Client secret has expired
  • Service principal was deleted or disabled
Solution:
  • Verify all credentials are copied correctly (no extra spaces)
  • Check the client secret expiration in Certificates & secrets
  • Confirm the application still exists in Entra ID and the Tenant ID matches your directory
Connection succeeds but queries are denied

Possible causes:
  • The application is missing the Microsoft Sentinel Reader or Log Analytics Reader role
  • The role was assigned at the wrong scope
  • Role assignment has not finished propagating
Solution:
  • Confirm both roles are assigned to the application’s service principal on the workspace (or a parent scope)
  • Allow a few minutes for the assignment to propagate
  • Verify the Subscription ID, Resource Group, and Workspace Name match the workspace you granted access to
No alerts are synced

Possible causes:
  • The workspace is not connected to the Microsoft Defender portal
  • No alerts exist in the lookback window
Solution:
  • Connect the workspace to the Microsoft Defender portal — required for alert retrieval
  • Confirm alerts are present in Sentinel for the sync period
No events are synced

Possible causes:
  • The configured Default Tables do not exist in the workspace
  • The application lacks Log Analytics Reader
  • No events in the configured tables for the lookback window
Solution:
  • Verify the table names against your workspace schema (Log Analytics → Logs → Tables)
  • Leave Default Tables blank to fall back to the ASIM-normalized set
  • Confirm Log Analytics Reader is assigned to the application
Connection fails against a sovereign cloud

Possible causes:
  • Targeting a sovereign cloud (GovCloud, China) without custom URLs
Solution:
  • For commercial Azure, leave Logs URL and Management URL blank
  • For sovereign clouds, set both Logs URL and Management URL to the endpoints listed under Optional Parameters above
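The checks in Verify Integration and Troubleshooting above, reproduced from a terminal, as an added example rather than RAD Security's own tooling. It signs in with the same client-credentials flow the integration uses and runs the same kind of union query the Default Tables setting implies, so the error you get points at the failing layer: credentials, roles and scope, or tables and lookback window. Assumptions: az CLI; the Step 5 values exported as the environment variables named in the script (the defaults are placeholders); the admin checks run in your own signed-in session and the integration check in the service principal's. For a sovereign cloud, run az cloud set first, just as you set Logs URL and Management URL in the form.

```shell
#!/usr/bin/env sh
# Added example (not RAD Security's tooling): localise an integration failure by repeating
# what the integration does. Assumptions: az CLI, Step 5 values in the environment variables
# below (defaults are placeholders), admin session for "admin", any session for "integration".
set -eu

CLIENT_ID="${CLIENT_ID:-11111111-1111-1111-1111-111111111111}"
CLIENT_SECRET="${CLIENT_SECRET:-}"                 # export from your vault; never hard-code
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-22222222-2222-2222-2222-222222222222}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-security}"
WORKSPACE_NAME="${WORKSPACE_NAME:-sentinel-workspace}"
WORKSPACE_ID="${WORKSPACE_ID:-33333333-3333-3333-3333-333333333333}"
DEFAULT_TABLES="${DEFAULT_TABLES:-SecurityEvent, Syslog, SecurityAlert}"
SCOPE="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.OperationalInsights/workspaces/$WORKSPACE_NAME"

# The event query the Default Tables setting implies: one union over the listed tables, limited
# to a lookback window. isfuzzy=true keeps it running when a listed table is absent from the
# workspace (the "table does not exist" case), and a bare "*" is refused: "union *" scans everything.
union_query() {
  tables=$(printf '%s' "$1" | tr -d ' ')
  case "$tables" in
    ''|*'*'*) echo "refusing: list concrete table names; 'union *' is slow and discouraged" >&2; return 1 ;;
  esac
  printf 'union isfuzzy=true %s | where TimeGenerated > ago(1d) | summarize Events=count() by Type' "$tables"
}

# Run in your own admin session: role assignments, secret expiry, and which tables exist.
check_as_admin() {
  echo "== role assignments for $CLIENT_ID at workspace scope (expect both Reader roles)"
  az role assignment list --assignee "$CLIENT_ID" --scope "$SCOPE" --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
  echo "== client secrets on the application (rotate before endDateTime)"
  az ad app credential list --id "$CLIENT_ID" \
    --query "[].{name:displayName, expires:endDateTime}" -o table
  echo "== tables present in the workspace (compare with Default Tables: $DEFAULT_TABLES)"
  az monitor log-analytics workspace table list -g "$RESOURCE_GROUP" --workspace-name "$WORKSPACE_NAME" \
    --query "[].name" -o tsv | sort
}

# Sign in exactly as RAD Security does (client credentials) and run the event query.
# An AADSTS error at login is a credential/tenant problem; a 403 on the query is a role or
# scope problem; an empty result with no error means no events in the window or wrong table names.
# The secret passes through the process list briefly here; keep this to an admin workstation.
check_as_integration() {
  [ -n "$CLIENT_SECRET" ] || { echo "CLIENT_SECRET is empty" >&2; return 1; }
  az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" --tenant "$TENANT_ID" -o none
  az account set --subscription "$SUBSCRIPTION_ID"
  az monitor log-analytics query -w "$WORKSPACE_ID" \
    --analytics-query "$(union_query "$DEFAULT_TABLES")" -o table
  az logout   # drop the service principal session; sign back in as yourself afterwards
}

case "${1:-}" in
  admin)       check_as_admin ;;
  integration) check_as_integration ;;
  *)           echo "usage: $0 admin | integration   (nothing runs without an argument)" ;;
esac
```

Run the admin checks first; if both roles are listed and the secret has not expired, a failure in the integration check is almost always a wrong Tenant ID or Workspace ID, or a sovereign-cloud endpoint mismatch. The SecurityAlert table only holds data when the workspace is connected to the Defender portal, which is the same condition the guide states for alert retrieval.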

Security Best Practices

Least Privilege Access

Assign only Microsoft Sentinel Reader and Log Analytics Reader — this integration never writes to your workspace.

Scope the Role Assignment

Assign roles at the workspace scope rather than the subscription unless you connect multiple workspaces.

Rotate Secrets Regularly

Set short expiration periods for client secrets and rotate them before expiry. Create the new secret before deleting the old one.
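The rotation order described above, carried out with the Azure CLI, as an added example rather than RAD Security's own tooling. It assumes an az CLI session signed in as an owner of the application, with APP_ID set to the Application (client) ID; the 90-day lifetime and the Key Vault secret name are this example's choices. The two phases are separate commands because the cutover in RAD Security happens between them.

```shell
#!/usr/bin/env sh
# Added example (not RAD Security's tooling): rotate the client secret without an outage.
# Phase "add" creates the new secret next to the old one; after RAD Security shows Connected
# with the new value, phase "remove" deletes the old keyIds printed by "add".
# Assumptions: az CLI signed in as an application owner; APP_ID is the Application (client) ID.
set -eu

APP_ID="${APP_ID:-11111111-1111-1111-1111-111111111111}"   # placeholder
LIFETIME_DAYS="${LIFETIME_DAYS:-90}"                        # short lifetime, per the guidance above
KEY_VAULT="${KEY_VAULT:-}"                                  # optional Key Vault for the new value

# YYYY-MM-DD a given number of days from now (GNU date first, BSD/macOS date as fallback).
expiry_date() {
  date -u -d "+$1 days" +%Y-%m-%d 2>/dev/null || date -u -v"+$1d" +%Y-%m-%d
}

# Phase 1. --append is essential: without it, credential reset replaces every existing
# secret and the running integration breaks immediately.
add_new_secret() {
  old_key_ids=$(az ad app credential list --id "$APP_ID" --query "[].keyId" -o tsv | tr '\n' ' ')
  new_secret=$(az ad app credential reset --id "$APP_ID" --append \
    --display-name "RAD Security Integration Key $(date -u +%Y-%m-%d)" \
    --end-date "$(expiry_date "$LIFETIME_DAYS")" --query password -o tsv)
  if [ -n "$KEY_VAULT" ]; then
    az keyvault secret set --vault-name "$KEY_VAULT" --name rad-security-sentinel-client-secret \
      --value "$new_secret" -o none
    echo "new secret stored in Key Vault $KEY_VAULT as rad-security-sentinel-client-secret"
  else
    echo "new secret: $new_secret   (shown once)"
  fi
  echo "Update the Client Secret in RAD Security (Step 5) and wait for status Connected, then run:"
  echo "  $0 remove $old_key_ids"
}

# Phase 2. Delete only the keyIds captured before the new secret existed.
remove_old_secrets() {
  [ "$#" -gt 0 ] || { echo "no keyIds given" >&2; return 1; }
  for key_id in "$@"; do
    az ad app credential delete --id "$APP_ID" --key-id "$key_id"
    echo "deleted credential $key_id"
  done
}

case "${1:-}" in
  add)    add_new_secret ;;
  remove) shift; remove_old_secrets "$@" ;;
  *)      echo "usage: $0 add | remove <keyId>..." ;;
esac
```

Because the old keyIds are recorded before the new secret is created, the remove phase never depends on comparing expiry dates, so it stays correct even when an older secret was issued with a longer lifetime than the new one.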

Secure Secret Storage

Store the client secret in a secrets vault. Never commit it to version control.

Dedicated Application

Use an Entra ID application dedicated to RAD Security rather than sharing one across integrations.

Monitor Application Activity

Review the service principal’s sign-in and Azure activity logs to detect anomalous behavior.

Additional Resources

Onboard Microsoft Sentinel

Official Microsoft documentation for enabling Microsoft Sentinel

Create an Entra Application

Microsoft documentation for creating an application and service principal

Assign Azure Roles

Microsoft documentation for assigning Azure RBAC roles

ASIM Schemas

Microsoft documentation for the Advanced Security Information Model

Next Steps

SIEM Integrations Overview

Explore other SIEM integration options

Runtime Security

Learn what runtime events RAD Security correlates with your SIEM data

Threat Models

Understand how threats are detected and classified

Alerts & Incidents

Configure alert rules and review incidents in your workspace