This article provides prerequisites and onboarding steps for Microsoft Sentinel.

 

About connecting your device

Expel uses API integrations to connect directly to the Microsoft Azure platform. We support authentication through a Microsoft Entra ID application (app-only credentials, no signed-in user). To collect data, Workbench communicates directly with two APIs: the Microsoft Graph Security API, which it polls for alerts raised by Microsoft Sentinel, and the Azure Log Analytics query API, which it uses to enrich each Sentinel alert with the Log Analytics data that originally generated that alert.

 

Before you start

Before getting started, make sure you have a Microsoft Entra ID admin on hand to grant permissions. Granting tenant-wide admin consent to application permissions (Step 2) and assigning Azure roles on Log Analytics workspaces or subscriptions (Step 3) each require a privileged role; the read-only Global Reader role used for the analyst guest account in Step 1 cannot do either.

 

About console permissions in your devices

As you connect your devices to Workbench, you provide Workbench access to those devices through permissions configured in the devices themselves. These permissions vary from one device technology to another, but we typically need at least Read access to pull logs from a device into Workbench.

Without the minimum permissions to your devices, the SOC analysts have limited insight into your technology. They then surface more benign alerts to your team for further investigation, which increases your team's workload and leads to alert fatigue.

If you grant Read access to your devices, we can investigate the device and the logs more deeply and surface relevant alerts to you in Workbench. Allowing Expel visibility into the console of your security devices helps our SOC analysts make better decisions on whether an alert is benign or malicious. It also allows our SOC analysts to perform health checks to make sure Workbench is not missing alerts from your security devices. Depending on what your organization purchased from Expel, the SOC analysts may even be able to contain and/or remediate the issues on your behalf.

Ultimately, the more permissions you can grant Workbench, the better and faster the SOC analysts can find and investigate alerts in your environment.

Step 1: Enable console access

  1. Sign in to the Azure portal as a user who's assigned a limited administrator directory role or the Guest Inviter role.

  2. In the navigation pane, select Microsoft Entra ID.

  3. Under Manage, select Users > New guest user.

  4. On the New user page, select Invite user, fill out the email address (expel_analyst@expel.io), and optionally include a message.

  5. Under roles, add the Global Reader role.

  6. Select Invite to automatically send the invitation to the guest user.

  7. After you send the invitation, the user account is automatically added to the directory as a guest.

Step 2: Enable API access for Workbench

To integrate Microsoft Sentinel with Workbench, we need credentials that Workbench can use to call the APIs. You have 2 options for enabling API access:

  • Option 1: Enabling the Expel Azure Integration Enterprise Application within Azure

  • Option 2: Creating a custom Microsoft Entra ID Application

In most cases, enabling the Enterprise Application (option 1) is the recommended approach. However, because that single Enterprise Application supports all of Expel's Microsoft integrations (Azure, Microsoft Sentinel, Azure Log Analytics, and so on), the permissions it requests are broader than the minimum required for the Microsoft Sentinel integration alone.

The second option is for cases where the absolute minimum permissions are required. In either case, the list below shows the items you must collect during this step:

  • Azure Directory (Tenant) ID: a unique identifier for your Microsoft Entra tenant. Workbench needs it to route API requests to the right tenant.

  • Application (client) ID (Option 2 only): a unique identifier for the application you create, which grants Workbench the access it needs to your Azure instance.

  • Application (client) secret (Option 2 only): the credential that lets Workbench authenticate as the created application. Treat it like a password; the portal shows it only once, at creation time.

Option 1: Enable the Expel Azure Integration Enterprise Application within Azure

  1. As an Administrator, navigate to the Expel Admin Consent Page.

  2. Review and accept requested permissions.

  3. The Expel Azure Integration app should now appear under Enterprise Applications. Review its properties and make sure that all of the following permissions are granted:

    • User.Read (Microsoft Graph, delegated): lets users sign in to the app and lets the app read the signed-in user's profile and basic company information.

    • SecurityEvents.Read.All (Microsoft Graph, application): lets the app read your organization's security events without a signed-in user. This is the permission used to poll Microsoft Sentinel alerts.

    • User.ReadWrite.All (Microsoft Graph, application): lets the app read and update user profiles without a signed-in user.

      Note: Write permission is required for disabling users and resetting user credentials as part of Expel's remediation capabilities. Option 2 does not grant it, which is why Option 2 is the minimum-permission path.

    • User.Read.All (Microsoft Graph, application): lets the app read user profiles without a signed-in user.

    • Data.Read (Log Analytics API, application): lets the app query Log Analytics data. This is a Log Analytics API permission, not a Microsoft Graph one, so it appears under a separate API in the permissions list.

Write down the Directory (Tenant) ID shown when viewing the Expel Azure Integration application; you need it in Step 4.

Option 2: Create custom Microsoft Entra ID application

  1. As an Azure administrator, log in to the Azure Portal and open Microsoft Entra ID.

  2. Navigate to App registrations and create a new app by clicking + New registration.

  3. Fill in the application details. You can fill these in however you want, but we recommend the following:

    • Name: Expel Cloud Service.

    • Supported account types: Accounts in this organizational directory only (first option).

  4. After you fill out the fields, click Register to create the new application.

  5. The Overview page for the Expel Cloud Service app you just created opens.

    If it doesn't, navigate to App registrations > All applications (if you don't see the new app) > Expel Cloud Service.

    • Make a note of the Application (client) ID and the Directory (tenant) ID shown on the Overview page for use in later steps.

  6. Open API permissions and click + Add a permission. On the APIs my organization uses tab, add these two permissions:

    • Type Log Analytics, select Log Analytics API > Application permissions, tick Data.Read, and click Add permissions.

    • Type Microsoft Graph, select Microsoft Graph > Application permissions, tick SecurityEvents.Read.All, and click Add permissions.

    Choose Application permissions, not Delegated permissions: Workbench polls without a signed-in user, so delegated permissions would never be usable.

  7. After both permissions are listed, click Grant admin consent for your tenant, and Yes at the prompt. The Status column should show consent granted for each row; until it does, tokens issued to the app carry no permissions and API calls fail with 403.

  8. Navigate to Expel Cloud Service > Certificates & secrets to create an API key (a client secret). Click + New client secret.

    • Add a description for the secret (for example, ExpelAPI) and choose an expiration. The original guidance was to select Never, but current versions of the portal no longer offer Never and cap the lifetime at 24 months; pick the longest lifetime allowed, record the expiry date, and rotate the secret before then, because an expired secret stops alert collection. Click Add to create the secret.

    • The new secret appears under Client secrets. Copy the Value column (not the Secret ID) and save it for Step 4. The value is shown only once; if you navigate away without copying it, delete the secret and create a new one.

Step 3: Enable Azure Log Analytics access

Microsoft Sentinel can be run on top of multiple Azure Log Analytics workspaces. These workspaces are used as data stores for the Microsoft Sentinel service. Querying these Azure Log Analytics workspaces allows Expel to enrich Microsoft Sentinel alerts with the Azure Log Analytics context that originally generated that alert.

To view all Azure Log Analytics workspaces associated with Microsoft Sentinel, navigate to the Microsoft Sentinel blade within the Azure Portal.

The Log Analytics Reader Azure role must be assigned to the Microsoft Entra ID application created in Step 2 on each Microsoft Sentinel-enabled Log Analytics workspace to be monitored. Access can be granted in 2 ways, or through some combination of them.

  • Option 1: Per individual Azure Log Analytics workspace.

  • Option 2: For all workspaces within an Azure subscription.

Tip

The Expel Microsoft Sentinel integration only monitors Microsoft Sentinel instances running on Log Analytics workspaces that the application is allowed to read. If Microsoft Sentinel runs on a workspace that is not granted permissions through the following steps, that workspace is not monitored, so verify the role assignment on every workspace you expect to be covered.

Option 1: Enable Azure Log Analytics access per workspace

The following steps assign the Log Analytics Reader role on a single Log Analytics workspace. Repeat them for each workspace to be monitored:

  1. As an Azure administrator, log in to the Azure Portal.

  2. In the navigation pane, select Log Analytics workspaces.

  3. Click the name of the workspace whose role assignments you want to change.

  4. Click Access Control (IAM) > + Add > Add role assignment.

  5. In the Add role assignment pane set the following fields:

    • Role: Log Analytics Reader.

    • Assign access to: Microsoft Entra ID user, group or application (newer portals label this User, group, or service principal).

    • Select: search for and click the Microsoft Entra ID app created in Step 2. It appears under the name you registered, for example Expel Cloud Service.

  6. Repeat these steps for all workspaces to be monitored.

Option 2: Enable Azure Log Analytics access per subscription

The following steps assign the Log Analytics Reader role at the scope of an Azure subscription, which covers every workspace in it. Repeat them for each monitored Azure subscription.

  1. As an Azure administrator, log in to the Azure Portal.

  2. In the navigation pane, select Subscriptions.

  3. Click the subscription whose role assignments you want to change.

  4. Click Access Control (IAM) > + Add > Add role assignment.

  5. In the Add role assignment pane set the following fields:

    • Role: Log Analytics Reader.

    • Assign access to: Microsoft Entra ID user, group or application (newer portals label this User, group, or service principal).

    • Select: search for and click the Microsoft Entra ID app created in Step 2.

  6. All Log Analytics workspaces within this subscription can now be monitored.

    Repeat these steps for any other subscriptions to be monitored.

    Note that a subscription-scoped assignment lets the application read every table in every workspace in the subscription, including workspaces that do not run Microsoft Sentinel. The Workspace IDs field in Step 4 limits which workspaces Expel monitors, but it does not narrow the role assignment itself. If the subscription contains workspaces Expel should not be able to read, use Option 1 for those subscriptions instead.

Step 4: Configure Microsoft Sentinel in Workbench

Note

Expel stores all login information our SOC analysts need for your devices in a password manager protected by MFA. Access to this login information is guarded by our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_sentinel.

  2. Complete all fields using the credentials and information you collected in Step 2 and Step 3.

    Field name

    What to put in it

    Name

    What you want to name the security device.

    Location

    Microsoft Cloud

    Directory (Tenant) ID

    Microsoft Entra ID Tenant/Directory ID

    Application (Client) ID

    (Option 2 only)

    The Azure Application (Client) ID that we saved in Step 2, Option 2.

    Application (Client) Secret

    (Option 2 only)

    The Client (Application) Secret that we saved in Step 2, Option 2.

    Workspace IDs

    (optional)

    This optional field accepts a comma-separated list of Log Analytics workspace IDs. By default, the integration monitors every workspace that was granted permissions in Step 3. Use this field to define a subset of those workspaces that should be monitored. This is useful when permissions were assigned at the Azure subscription level but you only want to monitor some of the Microsoft Sentinel workspaces within that subscription.

    To get the Log Analytics workspace ID associated with a Microsoft Sentinel workspace:

    1. Navigate to the Microsoft Sentinel blade within the Azure Portal.

    2. Click the Microsoft Sentinel workspace.

    3. Click Settings > Workspace Settings and the Workspace ID is listed at the top of the Overview.

  3. You can provide console access now or set it up later. Use the instructions in Step 1 above to set it up later.
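Before entering the Option 2 values into Workbench, it is worth confirming that they actually work: that the application can obtain app-only tokens, that SecurityEvents.Read.All lets it list alerts through the Graph security API, and that every workspace you intend to list in Workspace IDs really is readable with the Log Analytics Reader role from Step 3. The Python script below is an added example for that pre-flight check; it is not part of this article and not Expel's code. It assumes the tenant ID, client ID, client secret and comma-separated workspace IDs are supplied in environment variables named AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET and AZ_WORKSPACE_IDS (names chosen for this example), and the probe query SecurityAlert | take 1 is this example's choice, not the query Workbench runs.

```python
"""Pre-flight check for the Step 2 / Step 3 credentials (added example, not Expel code)."""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# App-only tokens are bound to one audience, so Graph and Log Analytics need
# separate tokens. ".default" asks for every application permission that was
# admin-consented for that audience in Step 2.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"   # SecurityEvents.Read.All
LOGS_SCOPE = "https://api.loganalytics.io/.default"     # Data.Read


def is_guid(value):
    return bool(GUID_RE.match(value.strip()))


def parse_workspace_ids(raw):
    """Parse the Workbench 'Workspace IDs' field: comma-separated GUIDs,
    whitespace tolerated, empties and duplicates dropped, anything else rejected."""
    seen, out = set(), []
    for part in raw.split(","):
        wid = part.strip().lower()
        if not wid or wid in seen:
            continue
        if not is_guid(wid):
            raise ValueError("not a workspace ID (expected a GUID): %r" % part)
        seen.add(wid)
        out.append(wid)
    return out


def token_request(tenant_id, client_id, client_secret, scope):
    """Build the Entra ID v2.0 client-credentials request for one audience."""
    if not (is_guid(tenant_id) and is_guid(client_id)):
        raise ValueError("tenant ID and client ID must both be GUIDs")
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % tenant_id.strip()
    body = {"grant_type": "client_credentials", "client_id": client_id.strip(),
            "client_secret": client_secret, "scope": scope}
    return url, body


def fetch_token(tenant_id, client_id, client_secret, scope):
    url, body = token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode())
    with urllib.request.urlopen(req) as resp:   # an HTTP 401 here means a wrong or expired secret
        return json.load(resp)["access_token"]


def call_api(url, token, payload=None):
    """GET (payload None) or POST JSON with a bearer token; return (status, body) without raising on 4xx."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    data = None if payload is None else json.dumps(payload).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers)) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def workspace_verdict(status):
    """Translate the Log Analytics query API status into a Step 3 outcome."""
    if status == 200:
        return "readable: Expel can monitor this workspace"
    if status == 403:
        return "forbidden: Log Analytics Reader not assigned (Step 3); not monitored"
    if status == 404:
        return "not found: check the workspace ID"
    return "unexpected HTTP %d" % status


def check_workspaces(tenant_id, client_id, client_secret, workspace_ids):
    """Run a trivial SecurityAlert query against each workspace with the app's token."""
    token = fetch_token(tenant_id, client_id, client_secret, LOGS_SCOPE)
    verdicts = {}
    for wid in workspace_ids:
        status, _ = call_api("https://api.loganalytics.io/v1/workspaces/%s/query" % wid,
                             token, {"query": "SecurityAlert | take 1"})
        verdicts[wid] = workspace_verdict(status)
    return verdicts


def check_graph_alerts(tenant_id, client_id, client_secret):
    """Confirm SecurityEvents.Read.All works by listing a few alerts and their providers."""
    token = fetch_token(tenant_id, client_id, client_secret, GRAPH_SCOPE)
    status, body = call_api("https://graph.microsoft.com/v1.0/security/alerts?$top=5", token)
    providers = sorted({a.get("vendorInformation", {}).get("provider", "?") for a in body.get("value", [])})
    return status, providers


if __name__ == "__main__":
    env = {k: os.environ[k] for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")}
    ids = parse_workspace_ids(os.environ.get("AZ_WORKSPACE_IDS", ""))
    status, providers = check_graph_alerts(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    print("Graph /security/alerts -> HTTP %d, providers seen: %s" % (status, providers))
    for wid, verdict in check_workspaces(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"], ids).items():
        print("%s: %s" % (wid, verdict))
```

The secret is read from the environment rather than written into the script, and the script fails early on anything that is not a GUID, which catches the common mistake of pasting a tenant domain or the secret's ID column instead of its Value. A 401 from the token endpoint points at the secret or the IDs; a 403 from Graph with a valid token usually means admin consent was not granted in Step 2; a 403 from the Log Analytics query API for a given workspace means that workspace will not be monitored until Step 3 is completed for it.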

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
