Skip to main content
All CollectionsIntegrate EverythingMicrosoft
Microsoft Sentinel
Microsoft Sentinel

Learn to create a Microsoft Sentinel Step integration in Torq, including APP registration in Entra ID (formerly Azure AD)

Updated over 2 months ago

Create Microsoft Sentinel Step Integration in Torq

  1. Create a new APP Registration in Entra ID.

  2. Add the following required API permissions:

    1. Log Analytics API: Data.Read

    2. Microsoft Graph: SecurityIncident.ReadWrite.All or SecurityIncident.Read

    3. Microsoft Graph: User.Read

      2.png

  3. Copy the following information from App Registration into a secure location; you will need it when you create the integration in Torq:

    1. Application (client) ID

    2. Directory (tenant) ID

    3. Client credentials

  4. Copy the following from your Sentinel Deployment settings:

    1. Subscription ID

    2. Workspace Name

    3. Workspace ID

  5. Grant your app registration access to your Microsoft Sentinel subscription to be able to read and write incidents.

  6. Navigate to your Azure Subscriptions and select the subscription where your Azure Sentinel workspaces are active.

  7. Select Microsoft Incident Responder role.

  8. In the members section, select the App Registration, which was previously created

  9. Add the app as a member of the Microsoft Incident Responder role under Access Control (IAM)

  10. Click Save.

Create Microsoft Sentinel Step Integration in Torq

  1. Go to Build > Integrations > Steps > Microsoft Sentinel, and click Add.

  2. Give the integration a unique and meaningful name.

  3. Paste the Tenant ID from step 3b.

  4. Paste the Application Client ID from step 3a.

  5. Paste the Application Client Secret from step 3c.

  6. Paste the Subscription ID from step 4a.

  7. Click Add.

Related Articles
Set Up Torq SSO: Microsoft Entra ID
Azure
Microsoft Graph
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Microsoft Defender for Endpoint
Did this answer your question?