
# Microsoft Sentinel

> Configure Microsoft Sentinel SIEM integration with RAD Security to import alerts and events for unified threat analysis.

# Microsoft Sentinel Integration Setup

This guide walks you through creating an Entra ID application, granting it read access to your Microsoft Sentinel workspace, and gathering the values required to connect Microsoft Sentinel as a SIEM with RAD Security.

Microsoft Sentinel is a cloud-native SIEM built on Azure Monitor and Log Analytics. RAD Security connects to your Sentinel workspace to **pull** security alerts and events for unified, offline threat analysis alongside your runtime, cloud, and Kubernetes telemetry.

<Info>
  This integration is **read-only**. RAD Security queries alerts and events **from** Microsoft Sentinel — it does not write data into your workspace. No Data Collection Rule or ingestion endpoint is required.
</Info>

## Prerequisites

Before you begin, ensure you have:

<Check>
  * A [Microsoft Sentinel workspace](https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard) enabled on a Log Analytics workspace
  * Admin access to Microsoft Entra ID to create an application and grant a client secret
  * Permission to assign Azure roles (**Owner** or **User Access Administrator**) on the subscription or resource group that contains the workspace
  * Access to a RAD Security workspace with integration permissions
</Check>

<Warning>
  **Alert retrieval requires the Defender portal.** To read Sentinel alerts, your workspace must be connected to the [Microsoft Defender portal](https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-sentinel-onboard). Event queries over Log Analytics tables work without this connection.
</Warning>

***

## Understanding Integration Components

The Microsoft Sentinel integration authenticates with an Entra ID application using OAuth client credentials and reads from your Log Analytics workspace:

<AccordionGroup>
  <Accordion title="Entra ID Application & Client Secret" icon="key">
    **Purpose:** Authenticate RAD Security to your Azure subscription and Sentinel workspace

    **Use Case:** Provide a non-user identity that can be scoped, rotated, and audited independently

    **Authentication:** OAuth 2.0 client credentials (Application/client ID, Directory/tenant ID, client secret)
  </Accordion>

  <Accordion title="Azure Role Assignment (Least Privilege)" icon="shield-halved">
    **Purpose:** Grant the application read-only access to Sentinel alerts and Log Analytics data

    **Use Case:** Follow the principle of least privilege — RAD Security only needs to read

    **Recommended roles:** **Microsoft Sentinel Reader** (alerts and incidents) and **Log Analytics Reader** (event queries)
  </Accordion>
</AccordionGroup>

***

## Step 1: Create an Entra ID Application

<Steps>
  <Step title="Create the application and service principal">
    Follow the Microsoft guide to [create a Microsoft Entra application and service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal).

    Choose a descriptive name (e.g., "RAD Security Sentinel"). Because this is a service-to-service integration, no redirect URI or user sign-in is required.
  </Step>

  <Step title="Note the application credentials">
    On the application's **Overview** tab, copy the following values to a secure location:

    * **Application (client) ID**
    * **Directory (tenant) ID**
  </Step>
</Steps>

***

## Step 2: Create a Client Secret

<Steps>
  <Step title="Navigate to Certificates & secrets">
    In your Entra ID application, go to **Manage → Certificates & secrets**.
  </Step>

  <Step title="Create a new client secret">
    Follow the Microsoft guide to [add a new client secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret).

    1. Click **New client secret**
    2. Add a description (e.g., "RAD Security Integration Key")
    3. Select an expiration period
    4. Click **Add**
  </Step>

  <Step title="Copy the secret value">
    **Immediately copy the secret value** to a secure location alongside your Client ID and Tenant ID.

    <Warning>
      **This is your only chance to view the secret!** Once you navigate away from this page, the value cannot be retrieved again. If you lose it, create a new secret.
    </Warning>
  </Step>
</Steps>

***

## Step 3: Grant Access to the Sentinel Workspace

<Steps>
  <Step title="Open your Log Analytics workspace">
    In the [Azure portal](https://portal.azure.com), navigate to the Log Analytics workspace that backs your Microsoft Sentinel instance.
  </Step>

  <Step title="Open Access control (IAM)">
    Select **Access control (IAM) → Add → Add role assignment**.
  </Step>

  <Step title="Assign Microsoft Sentinel Reader">
    Follow the Microsoft guide to [assign an Azure role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal). Assign the **Microsoft Sentinel Reader** role to the Entra ID application (service principal) created in Step 1.

    <Info>
      Assigning at the **workspace** scope is the most restrictive option. You may assign at the **resource group** or **subscription** scope if you plan to connect multiple workspaces.
    </Info>
  </Step>

  <Step title="Add Log Analytics Reader for event queries">
    Repeat the role assignment to also grant **Log Analytics Reader** to the same application. This allows RAD Security to run KQL queries against your Log Analytics tables when syncing events.
  </Step>
</Steps>

<Note>
  These roles together cover the access RAD Security needs: `Microsoft.OperationalInsights/workspaces/read` and read access to `Microsoft.SecurityInsights/*`.
</Note>

***

## Step 4: Gather your Workspace Values

<Steps>
  <Step title="Open the workspace Overview">
    In the Azure portal, open your Log Analytics workspace and select the **Overview** tab.
  </Step>

  <Step title="Copy the workspace identifiers">
    Record the following values to a secure location:

    * **Subscription ID** — the Azure subscription that contains the workspace
    * **Resource group** — the resource group that contains the workspace
    * **Workspace ID** — the Log Analytics workspace ID (a GUID, shown on the Overview page)
    * **Workspace Name** — the name of the workspace
  </Step>
</Steps>

***

## Step 5: Configure in RAD Security

Navigate to your RAD Security workspace and configure the Microsoft Sentinel integration with the following parameters:

### Required Parameters

| Parameter           | Description                                          | Example                                |
| ------------------- | ---------------------------------------------------- | -------------------------------------- |
| **Client ID**       | The Application (client) ID from Step 1              | `11111111-1111-1111-1111-111111111111` |
| **Client Secret**   | The client secret value from Step 2                  | `your-secret-value-here`               |
| **Tenant ID**       | The Directory (tenant) ID from Step 1                | `00000000-0000-0000-0000-000000000000` |
| **Subscription ID** | The subscription containing the workspace (Step 4)   | `22222222-2222-2222-2222-222222222222` |
| **Resource Group**  | The resource group containing the workspace (Step 4) | `rg-security`                          |
| **Workspace ID**    | The Log Analytics workspace ID (Step 4)              | `33333333-3333-3333-3333-333333333333` |
| **Workspace Name**  | The Log Analytics workspace name (Step 4)            | `sentinel-workspace`                   |

### Optional Parameters

| Parameter          | Description                                                                                                              | Example                                    |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------ |
| **Default Tables** | Comma-separated list of Log Analytics tables to query for events. Leave blank to use the default ASIM-normalized tables. | `SecurityEvent, Syslog, CommonSecurityLog` |
| **Logs URL**       | Azure Monitor Logs API base URL — only for alternate clouds such as GovCloud                                             | `https://api.loganalytics.azure.us`        |
| **Management URL** | Azure Management API base URL — only for alternate clouds such as GovCloud                                               | `https://management.usgovcloudapi.net`     |

<AccordionGroup>
  <Accordion title="About Default Tables" icon="table">
    Event queries run over your Log Analytics tables. When **Default Tables** is left blank, RAD Security queries Microsoft's [ASIM-normalized](https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-schemas) schemas. Supply a comma-separated list to scope the sync to specific tables — for example `SecurityEvent, Syslog, SecurityAlert`. Multiple tables are joined with a `union`.

    <Warning>
      Avoid using a single `*` entry. It maps to a `union *` query across **all** tables, which is slow and resource-intensive — Microsoft discourages it.
    </Warning>
  </Accordion>

  <Accordion title="Alternate Microsoft Clouds (GovCloud)" icon="globe">
    Leave **Logs URL** and **Management URL** blank for the commercial Azure cloud. Only set them when targeting a sovereign cloud:

    * **US Government:** `https://api.loganalytics.azure.us` / `https://management.usgovcloudapi.net`
    * **China (21Vianet):** `https://api.loganalytics.azure.cn` / `https://management.chinacloudapi.cn`
  </Accordion>
</AccordionGroup>
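As an added example (not RAD Security's own code), the following Python sketches the read path the settings above configure: it validates the **Default Tables** value and joins the tables with `union` (refusing the `*` wildcard), obtains a client-credentials token for the Entra ID application, and runs the resulting KQL against the Logs API using the workspace values from Step 4. The helper names, the commercial login authority, and deriving the token scope from the Logs URL are assumptions; sovereign clouds also use a different login authority, which this example does not switch.

```python
import json
import urllib.parse
import urllib.request

# Hypothetical helpers (added example). Defaults target the commercial cloud;
# pass the page's Logs URL value as `logs_url`/`resource` for sovereign clouds.
COMMERCIAL_LOGS_URL = "https://api.loganalytics.io"
LOGIN_URL = "https://login.microsoftonline.com"  # assumption: commercial authority

def workspace_scope(subscription_id: str, resource_group: str, workspace_name: str) -> str:
    """ARM resource ID of the workspace: the narrowest scope for the two reader roles."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"

def parse_default_tables(raw: str) -> list[str]:
    """Split the comma-separated Default Tables value; refuse '*' (it becomes `union *`)."""
    tables = [t.strip() for t in raw.split(",") if t.strip()]
    for t in tables:
        if t == "*":
            raise ValueError("'*' expands to 'union *' over every table; list tables explicitly")
        if not t.replace("_", "").isalnum():  # table names only, no KQL operators
            raise ValueError(f"invalid table name: {t!r}")
    return tables

def build_event_query(tables: list[str], lookback: str = "1h") -> str:
    """Join the configured tables with `union`, then apply the lookback window."""
    if not tables:
        raise ValueError("no tables configured")
    source = tables[0] if len(tables) == 1 else "union " + ", ".join(tables)
    return f"{source} | where TimeGenerated > ago({lookback})"

def get_token(tenant_id: str, client_id: str, client_secret: str,
              resource: str = COMMERCIAL_LOGS_URL) -> str:
    """OAuth 2.0 client credentials grant; scope is the target API host plus /.default."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": f"{resource}/.default",
    }).encode()
    req = urllib.request.Request(f"{LOGIN_URL}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def run_query(token: str, workspace_id: str, query: str, logs_url: str = COMMERCIAL_LOGS_URL) -> dict:
    """POST KQL to the Logs API; HTTP 403 here means Log Analytics Reader is missing or not yet propagated."""
    req = urllib.request.Request(
        f"{logs_url}/v1/workspaces/{workspace_id}/query",
        data=json.dumps({"query": query}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":  # placeholders: substitute the values gathered in Steps 1-4
    tok = get_token("<TENANT_ID>", "<CLIENT_ID>", "<CLIENT_SECRET>")
    q = build_event_query(parse_default_tables("SecurityEvent, Syslog, CommonSecurityLog"))
    print(run_query(tok, "<WORKSPACE_ID>", q + " | count"))
```

A `200` with a row count confirms both the credentials and the **Log Analytics Reader** assignment on the workspace scope; a `403` points at the role or scope problems listed under Troubleshooting.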

***

## Verify Integration

After completing the setup, verify your integration is working:

1. Navigate to **Data Sources → Integrations → SIEM** in RAD Security
2. Locate your Microsoft Sentinel integration
3. Check the connection status shows as **Connected**
4. Confirm alerts and events begin appearing once the first sync completes

<Check>
  Your Microsoft Sentinel integration is now configured! RAD Security will pull alerts and events from your Sentinel workspace for unified threat analysis.
</Check>

## What Data is Synced

<AccordionGroup>
  <Accordion title="Security Alerts" icon="bell">
    RAD Security imports native Microsoft Sentinel alerts (from the Defender-connected workspace) as normalized security findings for correlation with your runtime and cloud telemetry.
  </Accordion>

  <Accordion title="Security Events" icon="magnifying-glass">
    RAD Security queries events from your Log Analytics tables — scoped by the **Default Tables** setting, or the default ASIM-normalized schemas when left blank.
  </Accordion>

  <Accordion title="RADBot (AI) Access" icon="robot">
    Once connected, RADBot can query your Sentinel alerts, events, investigations, and log providers through read-only AI capabilities for assisted investigation.
  </Accordion>
</AccordionGroup>

## Use Cases

<CardGroup cols={2}>
  <Card title="Unified Threat Analysis" icon="brain">
    Correlate Microsoft Sentinel alerts and events with RAD Security's runtime insights for comprehensive detection.
  </Card>

  <Card title="Offline Investigation" icon="magnifying-glass-chart">
    Analyze synced Sentinel data within RAD Security without round-tripping to the Azure portal.
  </Card>

  <Card title="Cross-Platform Detection" icon="diagram-venn">
    Detect threats that span Azure, endpoints, and containerized infrastructure using unified data sources.
  </Card>

  <Card title="AI-Assisted Triage" icon="robot">
    Let RADBot query Sentinel alerts and events to accelerate investigation and triage.
  </Card>
</CardGroup>

## Troubleshooting

<AccordionGroup>
  <Accordion title="Authentication Failed" icon="triangle-exclamation">
    **Possible causes:**

    * Client ID, Tenant ID, or Client Secret copied incorrectly
    * Client secret has expired
    * Service principal was deleted or disabled

    **Solution:**

    * Verify all credentials are copied correctly (no extra spaces)
    * Check the client secret expiration in **Certificates & secrets**
    * Confirm the application still exists in Entra ID and the Tenant ID matches your directory
  </Accordion>

  <Accordion title="Permission Denied" icon="lock">
    **Possible causes:**

    * The application is missing the **Microsoft Sentinel Reader** or **Log Analytics Reader** role
    * The role was assigned at the wrong scope
    * Role assignment has not finished propagating

    **Solution:**

    * Confirm both roles are assigned to the application's service principal on the workspace (or a parent scope)
    * Allow a few minutes for the assignment to propagate
    * Verify the Subscription ID, Resource Group, and Workspace Name match the workspace you granted access to
  </Accordion>

  <Accordion title="No Alerts Appearing" icon="bell-slash">
    **Possible causes:**

    * The workspace is not connected to the Microsoft Defender portal
    * No alerts exist in the lookback window

    **Solution:**

    * Connect the workspace to the [Microsoft Defender portal](https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-sentinel-onboard) — required for alert retrieval
    * Confirm alerts are present in Sentinel for the sync period
  </Accordion>

  <Accordion title="No Events Appearing" icon="database-slash">
    **Possible causes:**

    * The configured **Default Tables** do not exist in the workspace
    * The application lacks **Log Analytics Reader**
    * No events in the configured tables for the lookback window

    **Solution:**

    * Verify the table names against your workspace schema (**Log Analytics → Logs → Tables**)
    * Leave **Default Tables** blank to fall back to the ASIM-normalized set
    * Confirm **Log Analytics Reader** is assigned to the application
  </Accordion>

  <Accordion title="Wrong Cloud Deployment" icon="globe">
    **Possible causes:**

    * Targeting a sovereign cloud (GovCloud, China) without custom URLs

    **Solution:**

    * For commercial Azure, leave **Logs URL** and **Management URL** blank
    * For sovereign clouds, set both per the "Alternate Microsoft Clouds" section above
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Least Privilege Access" icon="shield-halved">
    Assign only **Microsoft Sentinel Reader** and **Log Analytics Reader** — this integration never writes to your workspace.
  </Card>

  <Card title="Scope the Role Assignment" icon="crosshairs">
    Assign roles at the workspace scope rather than the subscription unless you connect multiple workspaces.
  </Card>

  <Card title="Rotate Secrets Regularly" icon="rotate">
    Set short expiration periods for client secrets and rotate them before expiry. Create the new secret before deleting the old one.
  </Card>

  <Card title="Secure Secret Storage" icon="lock">
    Store the client secret in a secrets vault. Never commit it to version control.
  </Card>

  <Card title="Dedicated Application" icon="user-shield">
    Use an Entra ID application dedicated to RAD Security rather than sharing one across integrations.
  </Card>

  <Card title="Monitor Application Activity" icon="chart-line">
    Review the service principal's sign-in and Azure activity logs to detect anomalous behavior.
  </Card>
</CardGroup>

## Additional Resources

<CardGroup cols={2}>
  <Card title="Onboard Microsoft Sentinel" icon="book" href="https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard">
    Official Microsoft documentation for enabling Microsoft Sentinel
  </Card>

  <Card title="Create an Entra Application" icon="microsoft" href="https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal">
    Microsoft documentation for creating an application and service principal
  </Card>

  <Card title="Assign Azure Roles" icon="shield-halved" href="https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal">
    Microsoft documentation for assigning Azure RBAC roles
  </Card>

  <Card title="ASIM Schemas" icon="table" href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-schemas">
    Microsoft documentation for the Advanced Security Information Model
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="SIEM Integrations Overview" icon="chart-line" href="/rad-security/integrations/siem/overview">
    Explore other SIEM integration options
  </Card>

  <Card title="Runtime Security" icon="shield" href="/rad-security/integrations/runtime-security">
    Learn what runtime events RAD Security correlates with your SIEM data
  </Card>

  <Card title="Threat Models" icon="crosshairs" href="/rad-security/security-and-compliance/overview">
    Understand how threats are detected and classified
  </Card>

  <Card title="Alerts & Incidents" icon="bell" href="/rad-security/platform/workspace">
    Configure alert rules and review incidents in your workspace
  </Card>
</CardGroup>
