Microsoft Sentinel Integration
Connect Microsoft Sentinel (Microsoft Defender XDR) to Mission Control and incident management. Use client credentials (tenant, app, secret) for secure, automatic token management; view incidents and alerts, create SecureHive incidents from alerts, and open incidents in the Azure portal.
Overview
The Microsoft Sentinel integration lets you surface Sentinel incidents and alerts in SecureHive Mission Control and create or link SecureHive incidents for response tracking.
- Client credentials — Tenant ID, Client ID, and Client Secret from your Entra app registration. SecureHive obtains and caches tokens automatically for better security and token management.
- Workspace details — Subscription ID, Resource Group Name, Workspace Name, and Workspace ID from your Log Analytics workspace (Sentinel-enabled).
- ARM-based queries — Log Analytics uses api-version 2017-10-01 for regional compatibility.
Use a dedicated app registration for this integration (least privilege). Grant it only the permissions needed for Security Insights and Log Analytics read. Do not reuse your SSO or Microsoft 365 app.
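The client-credentials flow and ARM request shapes described above, as an added illustration (not SecureHive's own code): the token endpoint body, a token cache that refreshes before expiry, the Security Insights incident list URL for the workspace, and a flattening of the response into the Mission Control columns. The ARM endpoint paths and the Security Insights api-version used here are assumptions, not values taken from this page.

```python
# Added illustrative example (not SecureHive's own code): client-credentials token caching plus
# the ARM request shapes a Sentinel integration issues; paths and api-version are assumptions.
import time
from urllib.parse import urlencode

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"

class TokenCache:
    """Holds one client-credentials token; refreshes it `skew` seconds before expiry."""
    def __init__(self, fetch, skew=60):
        self._fetch, self._skew = fetch, skew    # fetch() POSTs to the token endpoint
        self._token, self._expires_at = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()                 # {"access_token": ..., "expires_in": N}
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
        return self._token

def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the Entra v2.0 token endpoint; the scope targets ARM."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "scope": f"{ARM}/.default"}
    return f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", urlencode(body)

def incidents_url(subscription_id, resource_group, workspace_name, api_version="2023-02-01"):
    """Security Insights incident list for the Sentinel-enabled Log Analytics workspace."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            f"/providers/Microsoft.SecurityInsights/incidents?api-version={api_version}")

def to_rows(response_json):
    """Flatten an incident list response into the Mission Control columns."""
    rows = []
    for item in response_json.get("value", []):
        p = item.get("properties", {})
        rows.append({"title": p.get("title"), "status": p.get("status"), "severity": p.get("severity"),
                     "assignee": (p.get("owner") or {}).get("assignedTo"),
                     "alerts": (p.get("additionalData") or {}).get("alertsCount", 0),
                     "created": p.get("createdTimeUtc"), "incidentUrl": p.get("incidentUrl")})
    return rows

# Constructed sample response: the real API's shape, with invented values.
SAMPLE_RESPONSE = {"value": [{"name": "inc-1", "properties": {
    "title": "Suspicious sign-in", "status": "New", "severity": "High",
    "owner": {"assignedTo": "analyst@example.com"}, "additionalData": {"alertsCount": 2},
    "createdTimeUtc": "2024-01-01T00:00:00Z", "incidentUrl": "https://portal.azure.com/#/incident/inc-1"}}]}
```

The skew refresh is what keeps a long-running poller from sending a token that expires in flight, which otherwise surfaces as the intermittent token errors listed under Troubleshooting.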
Where to get values in Azure
You need workspace identifiers from the Log Analytics workspace that has Microsoft Sentinel enabled, and (for client credentials) an Entra app registration.
Workspace details (Log Analytics)
In Azure Portal → Log Analytics workspaces (or Microsoft Sentinel → your workspace → Configuration → Settings → Workspace settings). On the workspace Overview, use Essentials:
| Value | Where to find it | Example |
|---|---|---|
| Workspace ID | Overview → Essentials | 7500a910-9127-3eb4-6cf4-66bb549e3d58 |
| Workspace Name | Overview → Essentials | log-hub-01-prod |
| Resource group | Overview → Essentials | rg-hub-01-prod |
| Subscription ID | Overview → Essentials | Subscription GUID |
Client credentials (Entra app registration)
In Microsoft Entra ID → App registrations → New registration (e.g. “SecureHive Sentinel”):
Copy identifiers
On the app Overview, copy the Application (client) ID and Directory (tenant) ID.
Create a client secret
Go to Certificates & secrets → New client secret → copy the Value (store it safely; it is shown only once).
Configure API permissions
Go to API permissions → Add permission → Azure Management API → Application (for client credentials) → add a scope that allows reading Security Insights (e.g. user_impersonation or the appropriate application role). Grant admin consent.
Assign RBAC role
In the subscription, assign the app Reader (or a custom role with Microsoft.SecurityInsights/incidents/read) on the resource group or workspace.
SecureHive setup
Configure the Microsoft Sentinel integration for your tenant in SecureHive.
Open integration settings
In SecureHive, go to Settings → Integrations.
Add the integration
Open the Security Operations card and click Configure (or Add integration).
Set basic fields
Set Integration name (e.g. “Production Sentinel”), Integration type to SIEM, Provider to Azure Sentinel.
Enter connection details
Under Connection (Sentinel), enter your Subscription ID, Resource Group Name, Workspace Name, Workspace ID, Tenant ID, Client ID, and Client Secret.
Configure advanced options
Optionally configure incident auto-creation (e.g. minimum severity for auto-create).
Save and test
Save. Use Test connection if available to verify connectivity.
Mission Control and incidents
After the integration is configured, Mission Control shows Sentinel incidents and alerts. You can create SecureHive incidents and open items in Azure.
- Go to Detection & Response (Security Operations) → Mission Control.
- In the integration dropdown, select your Sentinel integration (e.g. “Production Sentinel (Sentinel)”).
- Sentinel Incidents and Sentinel Alerts tabs show incidents and alerts. Columns include Title, Status, Severity, Assignee, Alerts count, Created, and Actions (Create Incident, Open in Azure).
- Click Create Incident to create a SecureHive incident from that Sentinel incident/alert; it appears under Incident Response.
- Click Open in Azure to open the incident in the Azure/Defender portal (uses the incident’s incidentUrl).
- On the incident detail page in SecureHive, enriched alert cards show description, timestamps, product, and alert ID.
Troubleshooting
No incidents or “Unauthorized” / 403
Confirm the app has Reader (or equivalent) on the resource group/workspace and that API permissions in Entra are granted with admin consent.
Token errors with client credentials
Verify Tenant ID, Client ID, and Client Secret (no extra spaces). Ensure the secret has not expired in Entra (Certificates & secrets).
Workspace or region errors
Subscription ID, Resource Group Name, and Workspace Name must match the Log Analytics workspace (case-sensitive). SecureHive uses the ARM Log Analytics api-version 2017-10-01 for broad regional support; if you see query errors, confirm the workspace is in a supported region.
Open in Azure does not open the right incident
The link uses the incident’s incidentUrl from Sentinel. Ensure you are signed in to the same Azure tenant in the browser.