Integration with Microsoft Sentinel

HiddenLayer provides an integration with Microsoft Sentinel to send AIDR conviction data for alerting and processing.


Companies use security information and event management (SIEM) systems to centralize security information from multiple sources, such as endpoints and applications. HiddenLayer provides an integration with Microsoft Sentinel to send AI Detection & Response (AIDR) conviction data for alerting and processing. Bringing HiddenLayer data into Microsoft Sentinel lets users manage incidents alongside their other security telemetry and respond more efficiently.

Setup Summary

  • Register an application in Azure Entra ID

  • Add a Client Secret to the App Registration

  • Create a Data Collection endpoint

  • Create Custom Log Analytics

  • Create a Data Collection rule

  • Configure integration in the HiddenLayer Console

Azure Configuration Steps

Register an Application in Azure Entra ID

  1. In the Azure portal, go to Microsoft Entra ID > App registration.

  2. Click New registration.

  3. Enter a name for the app registration.

    (Screenshot: Entra ID App Registration)

  4. Click Register.

  5. Save the Client ID and Azure Tenant ID for later.

Add Client Secret to App Registration

  1. In the app registration you just created, expand Manage in the navigation.

  2. Select Certificates & secrets.

  3. Click New client secret.

  4. Optionally, enter a name for the client secret.

    (Screenshot: Add a Client Secret)

  5. Click Add.

  6. Save the secret value for later.

    (Screenshot: Save Secret Value)

    The secret value is shown only once and is not available after you leave this page. If you leave the page without copying it, you must create a new secret.

    (Screenshot: Secret Value)

Create Data Collection Endpoint

  1. In the Azure portal, go to Monitor.

    (Screenshot: Azure Monitor)

  2. Expand Settings in the navigation.

  3. Select Data Collection Endpoints.

  4. Click Create.

  5. Enter a name for the endpoint.

  6. Select a Resource Group.

    (Screenshot: Create Data Collection Endpoint)

  7. Click Review + create.

  8. Click Create. It might take a moment for Azure to create the endpoint.

  9. Select the endpoint you just created.

  10. Click JSON View. The link is in the upper right of the window.

  11. Save the logsIngestion endpoint URL for later.

Azure Log Analytics

  1. In the Azure portal, go to Log Analytics workspace.

  2. Select an Azure Log Analytics workspace.

  3. Expand Settings in the navigation.

  4. Select Tables.

    (Screenshot: Log Analytics Workspace)

  5. Select Create, then select New custom log (DCR-based).

    (Screenshot: New Custom Log)

  6. Enter a name for the custom log. The recommended table name is HiddenLayerAIDRStage_CL, and this guide uses that name throughout.

    (Screenshot: Enter Name for Custom Log)

  7. For Data collection endpoint, select the data collection endpoint you created earlier.

  8. Create a data collection rule as part of this process, or select an existing one if you prefer.

  9. Click Next.

  10. When asked for the schema, use the following sample log record to define the columns of the HiddenLayerAIDRStage_CL table.

    • Create a JSON file, paste the following example into it, then upload the file. Note that the mitre field is a JSON object serialized as a string, so it becomes a single string column.

      ```json
      {
        "TimeGenerated": "2024-10-21T00:01:03.123456Z",
        "conviction_id": "9f891a16-34e6-4e9a-aa5c-22369712e64a",
        "tenant_id": "80ad8fa2-c1f9-430a-a7b9-ad85a9386d45",
        "sensor_id": "8d009b0d-75dc-4287-b0d7-b653c51a5ae1",
        "requester_id": "a_requester_id",
        "source": "aidr",
        "detection_category": "A detection category",
        "attributable_event_id": "8a27bd3e-b7a1-421f-ba43-25f18e595050",
        "concluding_event_id": "2a4c645e-f08e-41a9-882d-8d22cb4b8e41",
        "conviction_timestamp": "2024-10-21T00:01:02.123456Z",
        "mitre": "{ \"Tactic\": { \"UID\": \"AML.TA0001\", \"Name\": \"ML Attack Staging\", \"SrcUrl\": \"https://atlas.mitre.org/tactics/AML.TA001\" }, \"Technique\": { \"UID\": \"AML.T0006\", \"Name\": \"Active Scanning\", \"SrcUrl\": \"https://atlas.mitre.org/tactics/AML.T0006\" } }",
        "severity": "high",
        "engine_name": "fuzzy_correlation"
      }
      ```

    (Screenshot: Custom Log Schema)

  11. Click Next.

  12. Click Create.

Data Collection Rule

  1. In the Azure portal, go to Data collection rules.

  2. Select the data collection rule.

  3. Click JSON View.

    • Save the immutableId and dataCollectionEndpointId for later.

    (Screenshot: Data Collection Rule)

  4. Navigate to Access Control (IAM) for this data collection rule.

    (Screenshot: Data Collection Rule - Access Control)

    • Select Add > Add role assignment.
    • For Role, select Monitoring Metrics Publisher. This is the role the newly created Entra ID application needs in order to publish data to this data collection rule.
    • For Members, select User, group, or service principal.
    • Click Select members, select the Entra ID application you registered earlier, then click Select.
    • Click Review + assign to create the role assignment.

    (Screenshot: Data Collection Rule - Select Members)
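Before configuring the HiddenLayer Console, you can confirm that the app registration, data collection endpoint, data collection rule, custom table and role assignment work together by posting one test record yourself. The following Python script is an added example and is not HiddenLayer's or Microsoft's code; it reads the values saved in the steps above from environment variables whose names (TENANT_ID, CLIENT_ID, CLIENT_SECRET, DCE_URL, DCR_IMMUTABLE_ID) are assumptions, checks a constructed record against the sample schema, and sends it to the Azure Logs Ingestion API.

```python
import json, os, urllib.parse, urllib.request

API_VERSION = "2023-01-01"         # Logs Ingestion API version
TABLE = "HiddenLayerAIDRStage_CL"  # table name used in this guide
SCHEMA = {  # columns of the sample schema uploaded for the custom table
    "TimeGenerated", "conviction_id", "tenant_id", "sensor_id", "requester_id",
    "source", "detection_category", "attributable_event_id", "concluding_event_id",
    "conviction_timestamp", "mitre", "severity", "engine_name"}

def ingest_url(dce_url, dcr_immutable_id, table=TABLE):
    """Ingestion URL from the logsIngestion endpoint and the DCR immutableId; a
    portal-created DCR-based custom table is addressed as stream Custom-<table>."""
    return (f"{dce_url.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/Custom-{table}?api-version={API_VERSION}")

def check_record(rec):
    """Schema problems to fix before sending: exact column set, and 'mitre' must be
    a JSON object encoded as a string, as in the sample record."""
    problems = [f"missing column {c}" for c in sorted(SCHEMA - rec.keys())]
    problems += [f"unexpected column {c}" for c in sorted(rec.keys() - SCHEMA)]
    try:
        ok = isinstance(rec.get("mitre"), str) and isinstance(json.loads(rec["mitre"]), dict)
    except ValueError:
        ok = False
    if not ok:
        problems.append("mitre must be a JSON object encoded as a string")
    return problems

def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the Azure Monitor scope (network call)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://monitor.azure.com//.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        return json.load(r)["access_token"]

def send(url, token, records):
    """POST the JSON array; HTTP 204 means the DCR accepted the batch (network call)."""
    req = urllib.request.Request(url, data=json.dumps(records).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.status

if __name__ == "__main__":  # env var names are assumptions; values come from the steps above
    e, rec = os.environ, {c: "test" for c in SCHEMA}
    rec |= {"TimeGenerated": "2024-10-21T00:01:03Z", "severity": "low",
            "mitre": json.dumps({"Tactic": {"UID": "AML.TA0001"}})}  # constructed test record
    assert not check_record(rec), check_record(rec)
    print(send(ingest_url(e["DCE_URL"], e["DCR_IMMUTABLE_ID"]),
               get_token(e["TENANT_ID"], e["CLIENT_ID"], e["CLIENT_SECRET"]), [rec]))
```

A printed 204 means the rule accepted the record, and it should appear in the HiddenLayerAIDRStage_CL table shortly afterwards; a 403 usually means the role assignment has not propagated or was granted on the wrong resource.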

Configure Integration in HiddenLayer Console

  1. In the HiddenLayer Console, go to the Admin page.

  2. Go to the Integrations page.

  3. For Azure Sentinel, click the menu (three vertical dots), then select Configure Integration.

    (Screenshot: HiddenLayer Console Integration)

  4. Fill out the fields with the values collected in the Azure Configuration Steps.

    (Screenshot: HiddenLayer Console Integration - Microsoft Sentinel)

  5. Click Submit.

  6. Your AIDR convictions will now be sent to Azure.