Torq enables quick and easy integration with Microsoft Sentinel, so you can automate anything and everything within moments. Torq's public Microsoft Sentinel steps include:
Append Tags to Indicator
Create or Update Incident
Delete Incident Comment
Get Incident
and 16 more.
As always, if you don't see a step you need, you can create your own steps using Torq's custom step builder and share them within your workspace or organization.
Use Microsoft Sentinel to Trigger Workflows in Torq
Step One: Create a Microsoft Sentinel Trigger Integration in Torq
Navigate to Integration: Go to Build > Integrations > Triggers > Microsoft Sentinel and click Add.
Fill in the Details:
Give the integration a unique and meaningful name.
Click Add under Authentication Headers. Click Generate Secret.
Give the secret a name, such as Secret or Bearer. Copy the generated secret to a secure place to use later.
Finalize: Click Add.
Copy: Copy the Webhook URL generated.
Step Two: Add the Playbook from Sentinel's Content Hub
Content Hub: Go to your desired Sentinel instance and navigate to Content Management > Content Hub.
Search: Search for Torq and click on the Playbook Trigger Torq Workflows from Microsoft Sentinel Incidents.
Manage: Once the playbook is installed in your instance, click it again and click Manage, and then Configuration.
Create Playbook: Navigate to the new playbook and click Create playbook.
Select the subscription you would like to use.
Choose the relevant resource group.
Give the playbook a unique and meaningful name.
Click Next.
In Parameters, paste the webhook created earlier in Torq.
Write the Header Name you gave the authentication header.
Paste the Authentication Secret you generated earlier in Torq.
Click Next.
Click Next: Review and create.
Click Create playbook.
Next Step: Follow Step Three to finalize your new trigger.
Step Three: Add an Automation Rule
Navigate to Microsoft Sentinel Workspace: Go to your Microsoft Sentinel workspace > Configuration > Automation.
Create a New Automation Rule: Click Create > Automation Rule.
Name the automation rule, for example Notify Torq when new Sentinel Incident is created.
From the Trigger drop-down, select When incident is created.
Leave Conditions at default values.
From the Actions drop-down, select Run playbook.
From the playbook selection, choose the playbook you added earlier.
Click Apply.
Repeat: Optionally, repeat Step Three to create a second automation rule, but from the Trigger drop-down select When incident is updated instead of When incident is created. Follow all other instructions as before.
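The Authentication Header and secret configured in Step One and Step Two are what stop anyone who learns the Webhook URL from creating incidents-driven runs in your workspace. The following added example (not Torq's code) shows the check a receiver of such a webhook performs: header-secret verification before the body is parsed. The header name, secret value, and the object.properties.* payload layout are constructed assumptions for illustration.

```python
import hmac
import json

# Values configured in Step One / Step Two. Constructed placeholders, not real secrets.
HEADER_NAME = "Bearer"
EXPECTED_SECRET = "example-generated-secret-0123456789"

def is_authorized(headers, header_name=HEADER_NAME, expected_secret=EXPECTED_SECRET):
    """Return True only if the configured header is present and matches the secret.

    Header names match case-insensitively (HTTP semantics); the secret itself is
    compared with hmac.compare_digest so timing does not leak partial matches.
    """
    presented = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())

def summarize_incident(body):
    """Extract the fields a workflow usually branches on from the posted incident.

    The object.properties.* layout is an assumption about what the playbook forwards;
    adjust the keys if your payload differs.
    """
    try:
        props = json.loads(body)["object"]["properties"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(props, dict):
        return None
    return {"incident_number": props.get("incidentNumber"), "title": props.get("title"),
            "severity": props.get("severity"), "status": props.get("status")}

def handle_webhook(headers, body):
    """Authorize first, then parse. Returns (http_status, summary_or_None)."""
    if not is_authorized(headers):
        return 401, None  # reject before touching the payload
    summary = summarize_incident(body)
    if summary is None:
        return 400, None  # authenticated but malformed
    return 200, summary

# Constructed sample request, shaped like a Sentinel "incident created" post.
SAMPLE_BODY = json.dumps({"object": {"properties": {
    "incidentNumber": 42, "title": "Suspicious sign-in",
    "severity": "High", "status": "New"}}}).encode()

if __name__ == "__main__":
    print(handle_webhook({"bearer": EXPECTED_SECRET}, SAMPLE_BODY))
    print(handle_webhook({}, SAMPLE_BODY))
```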
Now that you've successfully created a Microsoft Sentinel trigger, you can build your first Microsoft Sentinel-initiated workflow!
In Torq, go to Build > Workflows > Create a Workflow > New Blank Workflow, and select the trigger type: Integrations > Microsoft Sentinel. Find your new trigger, and automate away!
Use Microsoft Sentinel Steps in Torq
Step One: Create an Application in Microsoft Azure
In Microsoft Azure: Go to your Azure portal and click App registrations.
New Application: Click New registration and fill out the information.
Give the application a unique and meaningful name.
Under Supported account types, select Accounts in this organizational directory only.
You do not need to enter a redirect URL.
Create Application: Click Register.
Grant Permissions: Under Manage, click API permissions. Grant the application permissions here, depending on which Torq steps you want to use.
Go to Add a permission, and click Microsoft Graph.
Click Application permissions.
Add the following required API permissions:
Log Analytics API: Data.Read
Microsoft Graph: SecurityIncident.ReadWrite.All or SecurityIncident.Read
Microsoft Graph: User.Read
Go to Overview: Copy the Application (client) ID and the Directory (tenant) ID from the Overview into a secure location; you will need them when you create the integration in Torq.
Go to Sentinel: In your Sentinel instance, copy the Subscription ID from your Sentinel deployment settings into the same secure location.
Grant Permissions: Navigate to your Azure Subscriptions and select the subscription where your Azure Sentinel workspaces are active. Click the relevant subscription.
Access control (IAM): Go to the access control within the subscription and select the Microsoft Incident Responder role.
Add Member: In the members section, select the App Registration that you created earlier to give it the Microsoft Incident Responder role.
Finalize: Click Save.
Step Two: Create Microsoft Sentinel Step Integration in Torq
Navigate to Integration: Go to Build > Integrations > Steps > Microsoft Sentinel, and click Add.
Fill in Details:
Give the integration a unique and meaningful name.
Paste the Tenant ID from step 3b.
Paste the Application Client ID from step 3a.
Paste the Application Client Secret from step 3c.
Paste the Subscription ID from step 4a.
Save: Click Add.