Overview

Introduction

Microsoft Sentinel offers various ways to consume data from different sources. As Admin By Request provides public REST APIs for pulling Auditlog and Events data (see the API documentation here), it’s an easy task to leverage the power of Azure Logic Apps to consume the APIs and forward each new entry to an Azure Log Analytics Workspace for further Sentinel consumption.

We’ve created an Azure Logic App that requires very few changes before having you up and running with Admin By Request Auditlog and Events data in your Microsoft Sentinel setup. This manual provides a step-by-step guide on how to configure the integration.

Assumptions

The tasks described in this manual assume that the user has access to their Azure Portal, Admin By Request Portal, and some familiarity with both environments.

Prerequisites

To enable this integration, you must first:

  1. Obtain your Admin By Request API Key. This key can be self-generated through your Admin By Request Portal via Settings > Tenant Settings > API Keys > API KEYS:

    NOTE

    Remember to click the Save button after regenerating an API Key to ensure this is the key used to establish the connection to Azure. A green tick icon appears next to the Save button when the action is complete.

  2. Make sure you have access to a Microsoft Sentinel Log Analytics Workspace to store your audit log entries.

Integration JSON Code

You will also need some JSON code to configure the API. Find the JSON code for this integration at the following links:

Why Integrate Microsoft Sentinel?

Microsoft Sentinel is Microsoft's scalable, cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution.

Many customers use Microsoft Sentinel for SIEM tasks, so we offer a public REST API to our customers as part of their Admin By Request license, giving them the ability to pull data into their own SIEM systems for further analysis.

What the Integration Offers

With this integration, we've set up a hassle-free way to send Auditlog and Events data from your User Portal to Microsoft Sentinel using Azure Logic Apps. It's quick, painless, and ensures you get the best of both worlds: comprehensive user data combined with Sentinel's intelligent security analysis and threat detection capabilities.

How it Works

Microsoft Sentinel offers various ways to consume data from different sources. For this integration, we leverage the power of Azure Logic Apps to consume the Admin By Request Auditlog and Events APIs and forward each new entry to an Azure Log Analytics Workspace for further Sentinel consumption.

Refer to Auditlog Data for full details on each of these Azure Logic App steps.

The Azure Logic App requires only a few simple changes before having you up and running with the appropriate data in your Sentinel setup. You can then point your Sentinel setup to use the configured workspace as a data source.
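To make the "pull, then forward each new entry" step concrete, here is an added Python example (not the Logic App's or Admin By Request's own code) that filters already-forwarded entries by an id watermark and builds the signed request the Log Analytics HTTP Data Collector API expects. The audit entry field names, workspace id and key are constructed placeholders, and it is an assumption that the workspace ingestion step uses the Data Collector API's SharedKey scheme.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

# Constructed sample records shaped like Admin By Request audit log entries.
# Field names are assumptions for illustration, not the real API schema.
SAMPLE_AUDITLOG = [
    {"id": 1001, "type": "Run As Admin", "status": "Finished",
     "user": {"account": "alice"}, "computer": {"name": "WS01"}},
    {"id": 1002, "type": "Admin Session", "status": "Open",
     "user": {"account": "bob"}, "computer": {"name": "WS02"}},
]
# Placeholder workspace id and key (constructed, not real credentials).
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = base64.b64encode(b"constructed-demo-workspace-key").decode()


def new_entries(entries, last_seen_id):
    """Keep only entries not yet forwarded: the caller persists the highest
    id it has sent and passes it back as the watermark on the next poll."""
    return [e for e in entries if e["id"] > last_seen_id]


def build_signature(workspace_id, shared_key_b64, rfc1123_date, content_length,
                    method="POST", content_type="application/json",
                    resource="/api/logs"):
    """SharedKey Authorization header for the Log Analytics HTTP Data
    Collector API: HMAC-SHA256 over the canonical string, keyed with the
    base64-decoded workspace key."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{resource}")
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, log_type, entries, rfc1123_date=None):
    """Return (url, headers, body) for one batch; body is a JSON array and the
    Log-Type header names the custom table (the workspace appends '_CL')."""
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(entries).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key_b64,
                                         rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           "/api/logs?api-version=2016-04-01")
    return url, headers, body
```

Note that Microsoft has marked the HTTP Data Collector API as deprecated in favour of the Logs Ingestion API, so check which ingestion path your Logic App connector actually uses before relying on this signing scheme. The watermark must be persisted between runs (for example in the Logic App's state or a storage account), otherwise every poll re-sends the full window.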

Something Missing?

If you’ve identified a bug or have a suggestion for this integration, or another SIEM integration you’d like us to add, contact us here and we’ll see what we can do.

NOTE

The task descriptions in these pages (and screenshots in particular) cover the state of Microsoft Sentinel at the time of writing. While every effort is made to ensure currency, the screens you see during setup may look a little different, especially color schemes and the placement of buttons and links.

Integration Tasks

The remaining pages in the IT Admin Guide section describe two groups of tasks: one group for Auditlog Data and the other for Events Data.