Microsoft Sentinel

Learn to create a Microsoft Sentinel Step integration in Torq, including APP registration in Entra ID (formerly Azure AD)

Updated over a week ago

Microsoft Sentinel is Microsoft's cloud-native SIEM and SOAR service for collecting security data, detecting threats, and managing incidents.

Torq enables quick and easy integration with Microsoft Sentinel, so you can automate anything and everything within moments. Torq's public Microsoft Sentinel steps include:

  • Append Tags to Indicator

  • Create or Update Incident

  • Delete Incident Comment

  • Get Incident

  • +16 more...

As always, if you don't see a step you need, you can create your own steps using Torq's custom step builder and share them within your workspace or organization.

To trigger a Torq workflow based on events sent from Microsoft Sentinel, look here.

To use Microsoft Sentinel steps in Torq workflows, look here.

Use Microsoft Sentinel to Trigger Workflows in Torq

Step One: Create a Microsoft Sentinel Trigger Integration in Torq

  1. Navigate to Integration: Go to Build > Integrations > Triggers > Microsoft Sentinel and click Add.

  2. Fill in the Details:

    1. Give the integration a unique and meaningful name.

    2. Click Add under Authentication Headers. Click Generate Secret.

      1. Give the secret a name, such as Secret or Bearer.

      2. Copy the generated secret to a secure place to use later.

  3. Finalize: Click Add.

  4. Copy: Copy the Webhook URL generated.

Step Two: Add the Playbook from Sentinel's Content Hub

  1. Content Hub: Go to your desired Sentinel instance and navigate to Content Management > Content Hub.

  2. Search: Search for Torq and click on the Playbook Trigger Torq Workflows from Microsoft Sentinel Incidents.

    1. Click Install.

  3. Manage: Once the playbook is installed in your instance, click it again and click Manage, and then Configuration.

  4. Create Playbook: Navigate to the new playbook and click Create playbook.

    1. Select the subscription you would like to use.

    2. Choose the relevant resource group.

    3. Give the playbook a unique and meaningful name.

    4. Click Next.

    5. In Parameters, paste the webhook created earlier in Torq.

    6. Write the Header Name you gave the authentication header.

    7. Paste the Authentication Secret you generated earlier in Torq.

    8. Click Next.

    9. Click Next: Review and create.

    10. Click Create playbook.

  5. Next Step: Follow Step Three to finalize your new trigger.

Step Three: Add an Automation Rule

  1. Navigate to Microsoft Sentinel Workspace: Go to your Microsoft Sentinel workspace > Configuration > Automation.

  2. Create a New Automation Rule: Click Create > Automation Rule.

    1. Name the automation rule, such as Notify Torq when new Sentinel Incident is created

    2. From the Trigger drop-down, select When incident is created.

    3. Leave Conditions at default values.

    4. From the Actions drop-down, select Run playbook.

    5. From the playbook selection, choose the playbook you added earlier.

    6. Click Apply.

  3. Repeat: Optionally, repeat the steps of Step Three, but under Trigger in Step 2b, select When incident is updated instead of When incident is created. Follow all other instructions as before.

Now that you've successfully created a Microsoft Sentinel trigger, you can build your first Microsoft Sentinel-initiated workflow!

In Torq, go to Build > Workflows > Create a Workflow > New Blank Workflow, and select the trigger type: Integrations > Microsoft Sentinel. Find your new trigger, and automate away!
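Before wiring the automation rule, it helps to confirm that the trigger integration accepts the header name and secret exactly as configured. The script below is an added example, not Torq's or Microsoft's code: it sends a constructed incident payload to the webhook the way the playbook's HTTP action would, and the status mapping is a general HTTP reading of the result, not a documented Torq contract. The webhook URL, header name, secret and incident fields are all placeholders.

```python
"""Send a constructed test incident to a Torq Microsoft Sentinel trigger webhook."""
import json
import urllib.error
import urllib.request

# Placeholders: replace with the values generated in Step One.
WEBHOOK_URL = "https://WEBHOOK-URL-FROM-STEP-ONE.example/webhook"
HEADER_NAME = "Bearer"            # the name you gave the authentication header
SECRET = "PLACEHOLDER_SECRET"     # the generated secret

# Constructed sample incident; the fields only approximate what the playbook forwards.
SAMPLE_INCIDENT = {
    "id": "/subscriptions/PLACEHOLDER/providers/Microsoft.SecurityInsights/incidents/CONSTRUCTED-ID",
    "properties": {
        "incidentNumber": 1234,
        "title": "Constructed test incident",
        "severity": "Medium",
        "status": "New",
    },
}

def build_request(url, header_name, secret, incident):
    """Build the POST the playbook's HTTP action sends: JSON body plus the auth header."""
    body = json.dumps(incident).encode()
    headers = {"Content-Type": "application/json", header_name: secret}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def explain_status(status):
    """Map the webhook's HTTP status to the most likely configuration problem."""
    if 200 <= status < 300:
        return "accepted: the trigger fired"
    if status in (401, 403):
        return "rejected: header name or secret does not match the integration"
    if status == 404:
        return "not found: webhook URL is wrong or the integration was removed"
    return f"unexpected status {status}"

def send_test(url=WEBHOOK_URL, header_name=HEADER_NAME, secret=SECRET):
    """POST the sample incident and return a human-readable verdict."""
    req = build_request(url, header_name, secret, SAMPLE_INCIDENT)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return explain_status(resp.status)
    except urllib.error.HTTPError as e:
        return explain_status(e.code)

if __name__ == "__main__":
    print(send_test())
```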


Use Microsoft Sentinel Steps in Torq

Step One: Create an Application in Microsoft Azure

  1. In Microsoft Azure: Go to your Azure portal and click App registrations.

  2. New Application: Click New registration and fill out the information.

    1. Give the application a unique and meaningful name.

    2. Under Supported account types, select Accounts in this organizational directory only.

    3. You do not need to enter a redirect URI.

  3. Create Application: Click Register.

  4. Grant Permissions: Under Manage, click API permissions. You will want to grant the application permissions here, depending on which Torq steps you want to use.

    1. Go to Add a permission, and click Microsoft Graph.

    2. Click Application permissions.

    3. Add the following required API permissions:

      1. Log Analytics API: Data.Read

      2. Microsoft Graph: SecurityIncident.ReadWrite.All or SecurityIncident.Read

      3. Microsoft Graph: User.Read

  5. Go to Overview: Copy the following information from the Overview into a secure location; you will need it when you create the integration in Torq:

    1. Application (client) ID

    2. Directory (tenant) ID

    3. Client credentials

  6. Go to Sentinel: In your Sentinel instance, copy the following values from your Sentinel deployment settings:

    1. Subscription ID

    2. Workspace Name

    3. Workspace ID

  7. Grant Permissions: Navigate to your Azure Subscriptions and select the subscription where your Azure Sentinel workspaces are active. Click the relevant subscription.

  8. Access control (IAM): Go to the access control within the subscription and select the Microsoft Incident Responder role.

  9. Add Member: In the members section, select the App Registration that you created earlier to give it the Microsoft Incident Responder role.

  10. Finalize: Click Save.

Step Two: Create Microsoft Sentinel Step Integration in Torq

  1. Navigate to Integration: Go to Build > Integrations > Steps > Microsoft Sentinel, and click Add.

  2. Fill in Details:

    1. Give the integration a unique and meaningful name.

    2. Paste the Directory (tenant) ID from step 5b.

    3. Paste the Application (client) ID from step 5a.

    4. Paste the Application client secret from step 5c.

    5. Paste the Subscription ID from step 6a.

  3. Save: Click Add.
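A quick way to confirm that the app registration, client secret and role assignment from Step One actually work is to request a token with the client-credentials grant and list the workspace's incidents through the Azure Resource Manager API, using the same values Torq asks for. This is an added example, not Torq's or Microsoft's code; it additionally assumes the workspace's resource group, which the page does not list, and the sample response page is constructed.

```python
"""Check that the Entra app can read Sentinel incidents before configuring Torq."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM = "https://management.azure.com"
INCIDENTS = ("/subscriptions/{sub}/resourceGroups/{rg}/providers/"
             "Microsoft.OperationalInsights/workspaces/{ws}/providers/"
             "Microsoft.SecurityInsights/incidents?api-version=2023-02-01")

# Constructed sample of one incidents page, shaped like the ARM response.
SAMPLE_PAGE = {"value": [
    {"properties": {"incidentNumber": 7, "severity": "High", "status": "New", "title": "Constructed A"}},
    {"properties": {"incidentNumber": 8, "severity": "Low", "status": "Closed", "title": "Constructed B"}},
]}

def token_request(tenant, client_id, client_secret):
    """Client-credentials token request scoped to Azure Resource Manager."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": ARM + "/.default",
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=form, method="POST")

def incidents_url(subscription_id, resource_group, workspace_name):
    """ARM URL for the workspace's incidents, built from the values collected in Step One."""
    return ARM + INCIDENTS.format(sub=subscription_id, rg=resource_group, ws=workspace_name)

def diagnose(status):
    """Translate an HTTP failure into the setup step most likely to be wrong."""
    return {
        401: "token rejected: check tenant ID, client ID and client secret (Step One, item 5)",
        403: "no access: the app lacks the responder role on the subscription (Step One, items 7-10)",
        404: "workspace not found: check subscription ID, resource group and workspace name",
    }.get(status, f"unexpected HTTP {status}")

def summarize(page):
    """Reduce one incidents page to (number, severity, status, title) tuples."""
    return [(i["properties"]["incidentNumber"], i["properties"]["severity"],
             i["properties"]["status"], i["properties"]["title"]) for i in page.get("value", [])]

def check(tenant, client_id, client_secret, subscription_id, resource_group, workspace_name):
    """Return the incident summary on success, or the diagnosis string on failure."""
    try:
        with urllib.request.urlopen(token_request(tenant, client_id, client_secret), timeout=15) as r:
            token = json.load(r)["access_token"]
        req = urllib.request.Request(incidents_url(subscription_id, resource_group, workspace_name),
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req, timeout=15) as r:
            return summarize(json.load(r))
    except urllib.error.HTTPError as e:
        return diagnose(e.code)
```

Run `check(...)` with the real values; a 403 result is the usual sign that the role assignment on the subscription has not propagated or was made on the wrong subscription.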
