# Integration with Microsoft Sentinel

HiddenLayer provides an integration with Microsoft Sentinel to send AI Detection & Response (AIDR) conviction data for alerting and processing. Companies use security information and event management (SIEM) systems to centralize security information from multiple sources, such as endpoints and applications. Integrating HiddenLayer data with Microsoft Sentinel lets users manage incidents and respond to security events more efficiently.

## Setup Summary

- Register an application in Azure Entra ID
- Add a client secret to the app registration
- Create a data collection endpoint
- Create a custom Log Analytics table
  - Includes creating a JSON file; see step 10 in [Azure Log Analytics](#azure-log-analytics)
- Create a data collection rule
- Configure the integration in the HiddenLayer Console

## Azure Configuration Steps

### Register an Application in Azure Entra ID

1. In the Azure portal, go to **Microsoft Entra ID > App registrations**.
2. Click **New registration**.
3. Enter a name for the app registration.
4. Click **Register**.
5. Save the Client ID and Azure Tenant ID for later.

### Add Client Secret to App Registration

1. In the app registration you just created, expand **Manage** in the navigation.
2. Select **Certificates & secrets**.
3. Click **New client secret**.
4. Optionally, enter a description for the client secret.
5. Click **Add**.
6. Save the secret value for later. This value is shown only once; if you leave the page without copying it, you must create a new secret.

### Create Data Collection Endpoint

1. In the Azure portal, go to **Monitor**.
2. Expand **Settings** in the navigation.
3. Select **Data Collection Endpoints**.
4. Click **Create**.
5. Enter a name for the endpoint.
6. Select a Resource Group.
7. Click **Review + create**.
8. Click **Create**.
   It might take a moment for Azure to create the endpoint.
9. Select the endpoint you just created.
10. Click **JSON View**. The link is in the upper-right of the window.
11. Save the `logsIngestion` endpoint URL for later.

### Azure Log Analytics

1. In the Azure portal, go to **Log Analytics workspaces**.
2. Select a Log Analytics workspace.
3. Expand **Settings** in the navigation.
4. Select **Tables**.
5. Select **Create**, then select **New custom log (DCR-based)**.
6. Enter a name for the custom log. The recommended table name is `HiddenLayerAIDRStage_CL`, and that name is used throughout this guide.
7. For **Data collection endpoint**, select the data collection endpoint created in the previous section.
8. Create a data collection rule as part of this process, or select an existing one.
9. Click **Next**.
10. When asked for the schema, use the following sample log to define the `HiddenLayerAIDRStage_CL` table. Create a JSON file, paste the sample into it, then upload the file.

```
{
  "TimeGenerated": "2024-10-21T00:01:03.123456Z",
  "conviction_id": "9f891a16-34e6-4e9a-aa5c-22369712e64a",
  "tenant_id": "80ad8fa2-c1f9-430a-a7b9-ad85a9386d45",
  "sensor_id": "8d009b0d-75dc-4287-b0d7-b653c51a5ae1",
  "requester_id": "a_requester_id",
  "source": "aidr",
  "detection_category": "A detection category",
  "attributable_event_id": "8a27bd3e-b7a1-421f-ba43-25f18e595050",
  "concluding_event_id": "2a4c645e-f08e-41a9-882d-8d22cb4b8e41",
  "conviction_timestamp": "2024-10-21T00:01:02.123456Z",
  "mitre": "{ \"Tactic\": { \"UID\": \"AML.TA0001\", \"Name\": \"ML Attack Staging\", \"SrcUrl\": \"https://atlas.mitre.org/tactics/AML.TA001\" }, \"Technique\": { \"UID\": \"AML.T0006\", \"Name\": \"Active Scanning\", \"SrcUrl\": \"https://atlas.mitre.org/tactics/AML.T0006\" } }",
  "severity": "high",
  "engine_name": "fuzzy_correlation"
}
```

11. Click **Next**.
12. Click **Create**.

### Data Collection Rule

1. In the Azure portal, go to **Data collection rules**.
2. Select the data collection rule.
3. Click **JSON View**.
   - Save the `immutableId` and `dataCollectionEndpointId` for later.
4. Navigate to **Access Control (IAM)** for this data collection rule.
   - Select **Add > Add role assignment**.
   - For Role, select **Monitoring Metrics Publisher**. This grants the Entra ID application created earlier permission to send data to this data collection rule.
   - For Members, select **User, group, or service principal**.
   - Click **Select members**, select the app registration created earlier, then click **Select**.
   - Click **Review + assign** to create the role assignment.

## Configure Integration in HiddenLayer Console

1. In the HiddenLayer Console, go to the **Admin** page.
2. Go to the **Integrations** page.
3. For Azure Sentinel, click the menu (three vertical dots), then select **Configure Integration**.
4. Fill out the fields with the values collected in the Azure Configuration Steps (Tenant ID, Client ID, client secret, `logsIngestion` endpoint URL, and DCR `immutableId`).
5. Click **Submit**.
6. Your AIDR convictions will now be sent to Azure.
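The Azure side of this integration can be exercised before the HiddenLayer Console is configured, which isolates Azure permission or schema problems from HiddenLayer configuration problems. The script below is an added example, not HiddenLayer's or Microsoft's code: it validates a record against the schema sample above (including that `mitre` is a JSON document stored as a string), obtains a client-credentials token for the app registration, and posts the record to the Azure Monitor Logs Ingestion API using the saved `logsIngestion` URL and DCR `immutableId`. The stream name `Custom-HiddenLayerAIDRStage_CL` follows the Azure convention of prefixing a custom table's stream with `Custom-`; the tenant, client, secret, endpoint and rule values in `__main__` are placeholders to replace with the values saved during setup. The test record reuses the guide's sample values.

```python
import json
import urllib.parse
import urllib.request

API_VERSION = "2023-01-01"
TOKEN_SCOPE = "https://monitor.azure.com//.default"   # Azure Monitor scope; the double slash is intentional
STREAM_NAME = "Custom-HiddenLayerAIDRStage_CL"        # DCR stream feeding the custom table

# Fields of the schema sample uploaded when the custom table was created.
REQUIRED_FIELDS = (
    "TimeGenerated", "conviction_id", "tenant_id", "sensor_id", "requester_id",
    "source", "detection_category", "attributable_event_id", "concluding_event_id",
    "conviction_timestamp", "mitre", "severity", "engine_name",
)

# Test record built from the guide's schema sample; mitre is a JSON document
# serialised to a string, exactly as the table stores it.
SAMPLE_RECORD = {
    "TimeGenerated": "2024-10-21T00:01:03.123456Z",
    "conviction_id": "9f891a16-34e6-4e9a-aa5c-22369712e64a",
    "tenant_id": "80ad8fa2-c1f9-430a-a7b9-ad85a9386d45",
    "sensor_id": "8d009b0d-75dc-4287-b0d7-b653c51a5ae1",
    "requester_id": "a_requester_id",
    "source": "aidr",
    "detection_category": "A detection category",
    "attributable_event_id": "8a27bd3e-b7a1-421f-ba43-25f18e595050",
    "concluding_event_id": "2a4c645e-f08e-41a9-882d-8d22cb4b8e41",
    "conviction_timestamp": "2024-10-21T00:01:02.123456Z",
    "mitre": json.dumps({
        "Tactic": {"UID": "AML.TA0001", "Name": "ML Attack Staging",
                   "SrcUrl": "https://atlas.mitre.org/tactics/AML.TA001"},
        "Technique": {"UID": "AML.T0006", "Name": "Active Scanning",
                      "SrcUrl": "https://atlas.mitre.org/tactics/AML.T0006"},
    }),
    "severity": "high",
    "engine_name": "fuzzy_correlation",
}


def validate_record(record):
    """Return schema problems for one record; an empty list means it matches the table."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    mitre_raw = record.get("mitre")
    if isinstance(mitre_raw, str):
        try:
            mitre = json.loads(mitre_raw)
        except json.JSONDecodeError:
            problems.append("mitre is not valid JSON")
        else:
            problems += [f"mitre missing {k}" for k in ("Tactic", "Technique") if k not in mitre]
    elif mitre_raw is not None:
        problems.append("mitre must be a JSON string")
    return problems


def ingestion_url(logs_ingestion_endpoint, dcr_immutable_id, stream=STREAM_NAME):
    """Logs Ingestion API URL for the saved DCE logsIngestion URL and DCR immutableId."""
    return (f"{logs_ingestion_endpoint.rstrip('/')}/dataCollectionRules/{dcr_immutable_id}"
            f"/streams/{urllib.parse.quote(stream, safe='')}?api-version={API_VERSION}")


def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request to Entra ID for the app registration."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def build_ingest_request(url, access_token, records):
    """POST request carrying a JSON array of validated records; raises on a bad record."""
    for i, rec in enumerate(records):
        problems = validate_record(rec)
        if problems:
            raise ValueError(f"record {i}: {', '.join(problems)}")
    return urllib.request.Request(
        url, data=json.dumps(list(records)).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})


def send_records(tenant_id, client_id, client_secret, logs_ingestion_endpoint,
                 dcr_immutable_id, records):
    """Fetch a token, then post the records; Azure answers 204 on success."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret), timeout=30) as r:
        token = json.load(r)["access_token"]
    req = build_ingest_request(ingestion_url(logs_ingestion_endpoint, dcr_immutable_id), token, records)
    with urllib.request.urlopen(req, timeout=30) as r:
        return r.status


if __name__ == "__main__":
    # Placeholders: replace with the values saved during the Azure steps.
    print(send_records("<tenant-id>", "<client-id>", "<client-secret>",
                       "https://<dce-name>.<region>-1.ingest.monitor.azure.com",
                       "dcr-<immutableId>", [SAMPLE_RECORD]))
```

A 204 response means the app registration, role assignment, endpoint, rule and table all line up; a 403 points at the role assignment on the data collection rule, and a 400 usually means the posted fields do not match the table schema. Once the test record appears in `HiddenLayerAIDRStage_CL` in Log Analytics, the same values can be entered in the HiddenLayer Console.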