Microsoft Sentinel Integration Setup
This guide walks you through creating an Entra ID application, granting it read access to your Microsoft Sentinel workspace, and gathering the values required to connect Microsoft Sentinel as a SIEM with RAD Security. Microsoft Sentinel is a cloud-native SIEM built on Azure Monitor and Log Analytics. RAD Security connects to your Sentinel workspace to pull security alerts and events for unified, offline threat analysis alongside your runtime, cloud, and Kubernetes telemetry.Prerequisites
Before you begin, ensure you have:- A Microsoft Sentinel workspace enabled on a Log Analytics workspace
- Admin access to Microsoft Entra ID to create an application and grant a client secret
- Permission to assign Azure roles (Owner or User Access Administrator) on the subscription or resource group that contains the workspace
- Access to a RAD Security workspace with integration permissions
Understanding Integration Components
The Microsoft Sentinel integration authenticates with an Entra ID application using OAuth client credentials and reads from your Log Analytics workspace:Entra ID Application & Client Secret
Entra ID Application & Client Secret
Azure Role Assignment (Least Privilege)
Azure Role Assignment (Least Privilege)
Step 1: Create an Entra ID Application
Create the application and service principal
Note the application credentials
- Application (client) ID
- Directory (tenant) ID
Step 2: Create a Client Secret
Navigate to Certificates & secrets
Create a new client secret
- Click New client secret
- Add a description (e.g., “RAD Security Integration Key”)
- Select an expiration period
- Click Add
Copy the secret value
Step 3: Grant Access to the Sentinel Workspace
Open your Log Analytics workspace
Open Access control (IAM)
Assign Microsoft Sentinel Reader
Add Log Analytics Reader for event queries
Microsoft.OperationalInsights/workspaces/read and read access to Microsoft.SecurityInsights/*.Step 4: Gather your Workspace Values
Open the workspace Overview
Copy the workspace identifiers
- Subscription ID — the Azure subscription that contains the workspace
- Resource group — the resource group that contains the workspace
- Workspace ID — the Log Analytics workspace ID (a GUID, shown on the Overview page)
- Workspace Name — the name of the workspace
Step 5: Configure in RAD Security
Navigate to your RAD Security workspace and configure the Microsoft Sentinel integration with the following parameters:Required Parameters
Optional Parameters
About Default Tables
About Default Tables
SecurityEvent, Syslog, SecurityAlert. Multiple tables are joined with a union.Alternate Microsoft Clouds (GovCloud)
Alternate Microsoft Clouds (GovCloud)
- US Government:
https://api.loganalytics.azure.us/https://management.usgovcloudapi.net - China (21Vianet):
https://api.loganalytics.azure.cn/https://management.chinacloudapi.cn
Verify Integration
After completing the setup, verify your integration is working:- Navigate to Data Sources → Integrations → SIEM in RAD Security
- Locate your Microsoft Sentinel integration
- Check the connection status shows as Connected
- Confirm alerts and events begin appearing as the first sync completes
What Data is Synced
Security Alerts
Security Alerts
Security Events
Security Events
RADBot (AI) Access
RADBot (AI) Access
Use Cases
Unified Threat Analysis
Offline Investigation
Cross-Platform Detection
AI-Assisted Triage
Troubleshooting
Authentication Failed
Authentication Failed
- Client ID, Tenant ID, or Client Secret copied incorrectly
- Client secret has expired
- Service principal was deleted or disabled
- Verify all credentials are copied correctly (no extra spaces)
- Check the client secret expiration in Certificates & secrets
- Confirm the application still exists in Entra ID and the Tenant ID matches your directory
Permission Denied
Permission Denied
- The application is missing the Microsoft Sentinel Reader or Log Analytics Reader role
- The role was assigned at the wrong scope
- Role assignment has not finished propagating
- Confirm both roles are assigned to the application’s service principal on the workspace (or a parent scope)
- Allow a few minutes for the assignment to propagate
- Verify the Subscription ID, Resource Group, and Workspace Name match the workspace you granted access to
No Alerts Appearing
No Alerts Appearing
- The workspace is not connected to the Microsoft Defender portal
- No alerts exist in the lookback window
- Connect the workspace to the Microsoft Defender portal — required for alert retrieval
- Confirm alerts are present in Sentinel for the sync period
No Events Appearing
No Events Appearing
- The configured Default Tables do not exist in the workspace
- The application lacks Log Analytics Reader
- No events in the configured tables for the lookback window
- Verify the table names against your workspace schema (Log Analytics → Logs → Tables)
- Leave Default Tables blank to fall back to the ASIM-normalized set
- Confirm Log Analytics Reader is assigned to the application
Wrong Cloud Deployment
Wrong Cloud Deployment
- Targeting a sovereign cloud (GovCloud, China) without custom URLs
- For commercial Azure, leave Logs URL and Management URL blank
- For sovereign clouds, set both per the “Alternate Microsoft Clouds” section above