Microsoft Sentinel

Set up Audit Logs Webhooks

The following steps are required to connect your Microsoft Sentinel instance to Entitle.

Prerequisites

  • The required permissions in the BeyondTrust Product to configure the integration are:
    1. Access to an Entitle tenant.
    2. Admin permissions in the Entitle tenant.
  • The required permissions and access levels in Microsoft Azure to configure the integration are:
    1. Access to a Microsoft Azure tenant with an Azure Sentinel subscription.
    2. A user account with sufficient privileges to create a Logic App and a Microsoft Sentinel Log Analytics Workspace.
      • To create a new Logic App, refer to this guide.
      • To create a Log Analytics Workspace, refer to this guide.

Stage 1: Configure a Logic App in Microsoft Sentinel

  1. Log in to the Azure Portal and select Create a resource from the left-side navigation menu.

    Screenshot of create a resource button
  2. Search for Logic App in the search bar and tick the Azure services only option to simplify the results. Press the Enter key when you are done.

    Screenshot of search for logic app in the search bar
  3. On the Logic App item, click Create, then select the Logic App option from the dropdown menu.

    Screenshot of create and select the logic app option
  4. Select a hosting plan from the three available options on the new screen. The default Workflow Service Plan under the Standard hosting options section is suitable unless your organization requires an alternative. After selecting, click the Select button in the bottom-left corner.

    Screenshot of choosing a hosting plan
  5. Complete the Create Logic App process according to your requirements by navigating through the different sections: Basics, Storage, Networking, Monitoring, Tags, and Review + create, which is the final step. Keep in mind that the creation process may take a few minutes.

    Note: The default choices in each section are sufficient for this integration.

    Screenshot of creating logic app details to fill in
  6. Select the Logic App item (identified by the Logic App (Standard) entry in the Type column) from your Resources group.

    Screenshot of selecting the logic app item from the resources group
  7. Select Workflows from the left-side menu. Then, click Add and choose Add again.

    Screenshot on how to add a workflow
  8. Provide a name for the workflow (e.g., Inbound-Webhook) and select the Stateless option in the State type section. Finally, click Create.

    Screenshot of creating a new workflow details
  9. Select your newly created Workflow, expand the Developer menu, and select Designer. Then, click the Add a trigger button in the center of the screen.

    Screenshot of adding a trigger
  10. In the Add a trigger fly-out menu, search for HTTP Request, and select the When an HTTP request is received item.

  11. Paste the JSON schema into the Request Body JSON Schema field in the new side-screen.

    Screenshot of the request body JSON schema field

Here is the schema value:

{
    "type": "array",
    "items": {
        "type": "object",
        "properties": {
            "id": {
                "type": "string"
            },
            "timestamp": {
                "type": "integer"
            },
            "context": {
                "type": "object",
                "properties": {
                    "organization": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "name": {
                                "type": "string"
                            }
                        },
                        "required": ["id", "name"]
                    }
                },
                "required": ["organization"]
            },
            "data": {
                "type": "object"
            },
            "actor": {
                "anyOf": [{
                        "type": "null"
                    }, {
                        "type": "object",
                        "properties": {
                            "type": {
                                "type": "string"
                            },
                            "user": {
                                "type": "object",
                                "properties": {
                                    "id": {
                                        "type": "string"
                                    },
                                    "email": {
                                        "type": "string"
                                    },
                                    "name": {
                                        "type": "string"
                                    }
                                },
                                "required": ["id", "email", "name"]
                            }
                        },
                        "required": ["type", "user"]
                    }
                ]
            },
            "action": {
                "type": "string"
            },
            "entity": {
                "type": "object",
                "properties": {
                    "type": {
                        "type": "string"
                    }
                },
                "required": ["type"]
            }
        },
        "required": ["id", "timestamp", "context", "action"]
    }
}

  12. Once done, click the "+" icon below the When an HTTP request is received trigger and select Add an action.

    Screenshot of adding an action
  13. In the Add an action fly-out menu, search for Parse JSON, and select the Parse JSON item.

    Screenshot of adding an action details screen
  14. Place your cursor over the Content section and select the option to Insert expression.

    Screenshot of inserting an expression

    Select the Dynamic content heading from the fly-out panel. Then, select When an HTTP request is received and select the Body item (you may need to further select See more to reveal this item). Finally, click Add.

    Screenshot of details of Parse JSON screen
  15. Paste the same schema content used for step 11 into the Parse JSON configuration, under the Schema section.

    Screenshot of schema section
  16. Select the "+" icon below the Parse JSON action, and select Add an action.

    Screenshot of add an action button
  17. In the Add an action fly-out menu, search for Send Data, and select the Send Data item for Azure Log Analytics Data Collector from the list.

    Screenshot of send data section
  18. In the Send Data screen, you will need to create a new Connection, using the Workspace ID and Workspace Key data from the Log Analytics Workspace you wish to send the data to:

    1. If you do not already have the ID and Key, you can retrieve them from your Log Analytics Workspace: Navigate to the Agents tab and copy the Workspace ID and Primary key values found under the Download agent section.

      Screenshot of agents tab
    2. If you already have the Workspace ID and Workspace key values, enter them in the Create connection screen, along with a Name for it. Then, click Create New.

      Screenshot of send data section details
  19. Place your cursor over the JSON Request Body section and select the option to Insert expression.

    Screenshot of JSON request body section

    From the fly-out panel, select the Dynamic content section. Choose Parse JSON, then select the Body item (you might need to click See more to reveal this option). Finally, click Add.

    Screenshot of send data details screen
  20. In the Custom Log Name section, choose a Name for your Custom Log.

    Screenshot of choosing a custom log name
  21. Click the Save button to complete the process. This may take a few moments.

  22. Click the When an HTTP request is received trigger.

    The HTTP URL value should now be populated and can be copied as-is for the next stage - Creating Audit log webhooks in Entitle.

    Screenshot of the HTTP URL value and how to copy it
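The schema pasted in steps 11 and 15 decides which webhook batches the Parse JSON action accepts; a batch that fails validation fails the workflow run, so nothing reaches the workspace. The following added example (not part of the Entitle documentation; the event ids, organization, user and action names are constructed) rebuilds that schema in Python with a minimal validator for the JSON Schema keywords it uses, so the expected payload shape can be checked offline before the webhook is wired up.

```python
# Added example, not from the Entitle docs: the Stage 1 trigger/Parse JSON schema rebuilt
# as Python dicts, plus a validator for the keywords it uses (type, properties, required, items, anyOf).
ORG = {"type": "object", "required": ["id", "name"],
       "properties": {"id": {"type": "string"}, "name": {"type": "string"}}}
USER = {"type": "object", "required": ["id", "email", "name"], "properties": {
    "id": {"type": "string"}, "email": {"type": "string"}, "name": {"type": "string"}}}
ACTOR = {"anyOf": [{"type": "null"}, {"type": "object", "required": ["type", "user"],
                                      "properties": {"type": {"type": "string"}, "user": USER}}]}
EVENT = {"type": "object", "required": ["id", "timestamp", "context", "action"],
         "properties": {"id": {"type": "string"}, "timestamp": {"type": "integer"},
                        "context": {"type": "object", "required": ["organization"],
                                    "properties": {"organization": ORG}},
                        "data": {"type": "object"}, "actor": ACTOR, "action": {"type": "string"},
                        "entity": {"type": "object", "required": ["type"],
                                   "properties": {"type": {"type": "string"}}}}}
SCHEMA = {"type": "array", "items": EVENT}  # the webhook delivers a batch (array) of events
TYPES = {"string": str, "integer": int, "object": dict, "array": list, "null": type(None)}

def validate(value, schema, path="$"):
    """Return a list of violations (an empty list means the value satisfies the schema)."""
    if "anyOf" in schema:  # accepted if at least one branch accepts it (null or object actor)
        branches = [validate(value, sub, path) for sub in schema["anyOf"]]
        return [f"{path}: matches no anyOf branch"] if all(branches) else []
    t = schema.get("type")
    # bool is a subclass of int in Python, but a JSON true/false is not a JSON integer
    if t and (not isinstance(value, TYPES[t]) or (t == "integer" and isinstance(value, bool))):
        return [f"{path}: expected {t}, got {type(value).__name__}"]
    errors = []
    if t == "object":
        errors += [f"{path}: missing required '{k}'" for k in schema.get("required", []) if k not in value]
        for key, sub in schema.get("properties", {}).items():
            if key in value:  # optional keys are only checked when present
                errors += validate(value[key], sub, f"{path}.{key}")
    elif t == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

# Constructed sample batch (ids, org, user and action names are made up, not real Entitle data):
# one system-generated event with a null actor and one user-initiated event.
ORG_CTX = {"organization": {"id": "org-1", "name": "Example Org"}}
GOOD_BATCH = [
    {"id": "evt-1", "timestamp": 1700000000, "action": "example.created",
     "context": ORG_CTX, "actor": None, "data": {}},
    {"id": "evt-2", "timestamp": 1700000001, "action": "example.updated",
     "context": ORG_CTX, "entity": {"type": "example"},
     "actor": {"type": "user", "user": {"id": "u-1", "email": "a@example.com", "name": "A"}}},
]
# The same event with the timestamp sent as a string: Parse JSON would reject this batch.
BAD_BATCH = [dict(GOOD_BATCH[0], timestamp="1700000000")]
```

Run `validate(GOOD_BATCH, SCHEMA)` and `validate(BAD_BATCH, SCHEMA)` to see an accepted batch and the exact path that a rejected one fails on.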

Stage 2: Create Audit Log webhook in Entitle

  1. Log in to Entitle and navigate to the Org Settings screen.
  2. Scroll down to the Audit Logs Webhooks section. To add an Audit Log Webhook, click the Add button in the top-right corner.
  3. In the row that appears, you will need to fill in only the URL you just copied under the Webhook URL section. Finally, click Save. Note: you don’t need to change the Headers or Additional Audit Log Parameters sections.
    This should be the final result (except the URL should be yours).
    Screenshot of the audit log webhook section filled in

View Entitle Audit Logs in Microsoft Sentinel

  1. It will take a few moments for the audit logs configuration to fully propagate through the infrastructure and for the audit logs to appear in Microsoft Sentinel.

  2. To view the raw logs, expand the Monitoring tab and select Workbooks in your Log Analytics Workspace. Then, to create a new workbook, select New.

  3. In the Log Analytics Workspace Logs (Analytics) Query field, enter the custom log name supplied when configuring the Send Data action in Stage 1 step 20, and choose how to visualize the data. For example:

    Screenshot of the final result