openshift · agantony · Nov 7, 2024 · Oct 18, 2024
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -320,6 +320,8 @@ Topics:
   File: integrate-with-cloud-management-platforms
 - Name: Integrating using short-lived tokens
   File: integrate-using-short-lived-tokens
+- Name: Integrating with Microsoft sentinel notifier
+  File: integrating-with-microsoft-sentinel-notifier
 ---
 Name: Backup and restore
 Dir: backup_and_restore

diff --git a/integration/integrating-with-microsoft-sentinel-notifier.adoc b/integration/integrating-with-microsoft-sentinel-notifier.adoc
@@ -0,0 +1,12 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="integrating-with-microsoft-sentinel-notifier"]
+= Integrating with Microsoft sentinel notifier
+include::modules/common-attributes.adoc[]
+:context: integrate-with-sentinel
+
+toc::[]
+
+Microsoft sentinel is a security information and event management (SIEM) solution which acts on {rh-rhacs-first} alerts and audit logs.
+
+//Viewing the log analytics to detect threats
+include::modules/viewing-the-log-analytics-to-detect-threats.adoc[leveloffset=+1]
diff --git a/modules/viewing-the-log-analytics-to-detect-threats.adoc b/modules/viewing-the-log-analytics-to-detect-threats.adoc
@@ -0,0 +1,81 @@
+// Module included in the following assemblies:
+//
+// * integration/integrating-with-microsoft-sentinel-notifier.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="viewing-the-log-analytics-to-detect-threats_{context}"]
+= Viewing the log analytics to detect threats
+
+By creating a Microsoft sentinel integration, you can view the log analytics to detect threats.
+
+.Prerequisites
+
+* You have created a data collection rule, log analytics workspace, and service principal on Microsoft Azure.
+* You have configured a client secret or client certificate at the service principal for authentication.
+* You have created a log analytics schema by using the `TimeGenerated` and `msg` fields in JSON format.
++
+[IMPORTANT]
+====
+You need to create separate log analytics tables for audit logs and alerts, and both data sources use the same schema.
+====
+
+** To create a schema, upload the following content to Microsoft sentinel: 
++
+.Example JSON
+[source,json]
+----
+{
+ "TimeGenerated": "2024-09-03T10:56:58.5010069Z", # <1>
+ "msg": {  # <2>
+   "id": "1abe30d1-fa3a-xxxx-xxxx-781f0a12228a", # <3>
+   "policy" : {}
+ }
+}
+----
++
+--
+<1> The timestamp for the alert.
+<2> Contains the message details.
+<3> The payload of the message, either alert or audit log.
+-- 
+
+.Procedure
+
+. In the {product-title-short} portal, click *Platform Configuration* -> *Integrations*.
+. Scroll down to the *Notifier Integrations* section, and then click *Microsoft Sentinel*.
+. To create a new integration, click *New integration*.
+. In the *Create integration* page, provide the following information:
+** *Integration name*: Specify a name for the integration.
+** *Log ingestion endpoint*: Enter the data collection endpoint. You can find the endpoint in the Microsoft Azure portal.
++
+For more information, see link:https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview[Data collection rules (DCRs) in Azure Monitor] (Microsoft Azure documentation).
+** *Directory tenant ID*: Enter the tenant ID which uniquely identifies your Azure Active Directory (AAD) within the Microsoft cloud infrastructure. You can find the tenant ID in the Microsoft Azure portal.
++
+For more information, see https://learn.microsoft.com/en-us/azure/active-directory-b2c/tenant-management-read-tenant-name[Find tenant name and tenant ID in Azure Active Directory B2C] (Microsoft Azure documentation).
+** *Application client ID*: Enter the client ID which uniquely identifies the specific application registered within your AAD that needs access to resources. You can find the client ID in the Microsoft Entra portal for the service principal you have created.
++
+For more information, see link:https://learn.microsoft.com/en-us/security/zero-trust/develop/app-registration[Register applications] (Microsoft Azure documentation).
+** Choose the appropriate authentication method:
+*** If you want to use a secret, enter the secret value. You can find the secret in the Microsoft Azure portal.
+*** If you want to use a client certificate, enter the client certificate and private key. You can find the certificate ID and private key in the Microsoft Azure portal.
++
+For more information, see link:https://learn.microsoft.com/en-us/azure/active-directory-b2c/app-registrations-training-guide[The new App registrations experience for Azure Active Directory B2C] (Microsoft Azure documentation).
+** Optional: Choose the appropriate method to configure the data collection rule configuration:
+*** Select the *Enable alert DCR* checkbox, if you want to enable the alert data collection rule configuration. 
++
+To create an alert data collection rule, enter the alert data collection rule stream name and ID. You can find the stream name and ID in the Microsoft Azure portal.
+*** Select the *Enable audit log DCR* checkbox, if you want to enable audit data collection rule configuration. 
++
+To create an audit data collection rule, enter the stream name and ID. You can find the stream name and ID in the Microsoft Azure portal. 
++
+For more information, see link:https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview[Data collection rules (DCRs) in Azure Monitor] (Microsoft Azure documentation).
+
+. Optional: To test the new integration, click *Test*.
+. To save the new integration, click *Save*.
+
+.Verification
+
+. In the {product-title-short} portal, click *Platform Configuration* -> *Integrations*.
+. Scroll down to the *Notifier Integrations* section,  and then click *Microsoft Sentinel*.
+. In the *Integrations Microsoft Sentinel* page, verify that the new integration has been created.
+. Verify that the messages receive the correct log tables in your log analytics workspace.