Summary
For the Check Point MDR team to monitor the logs in your Microsoft Sentinel environment, permissions must be set up within Microsoft Sentinel.
If you need any assistance with this procedure, please open a ticket in the MDR Portal under "MDR Support", or, if you are currently onboarding, reply to your welcome email and we will schedule a time to assist.
Note: Check Point MDR monitors Check Point MDR supported products through Sentinel. On request, Check Point MDR can evaluate additional feeds in your Microsoft Sentinel environment and, if they are actionable, add them to our supported monitoring after a review. MS Sentinel will be in a tuning period of five business days.
Note: We will need these six items filled in on the Microsoft Sentinel integration located in the MDR Profile page:
- Client ID
- Secret Value
- Resource Group Name
- Subscription ID
- Tenant ID
- Workspace Name
- "Use auditLogs Enrichment" (optional, recommended): Y/N
Note: If you choose Yes, you will need to add AuditLog.Read.All to the Graph API permissions of the configured app. This feature enables our SOC to investigate identity alerts further by validating past authentication behavior.
MDR system tagging of MS Sentinel cases:
Please note that MS Sentinel incidents are tagged by default; if you do not wish this to be done, please reach out to MDR Support in a separate ticket.
When an MDR ticket is closed and there is a relevant MS Sentinel case, we tag the MS Sentinel case with one of the following:
Possible MS Sentinel tags:
- CP_MDR_CLOSED_ANALYST-TruePositive-SuspiciousActivity
- CP_MDR_CLOSED_ANALYST-BenignPositive-SuspiciousButExpected
- CP_MDR_CLOSED_ANALYST-FalsePositive-IncorrectAlertLogic
- CP_MDR_CLOSED_ANALYST-FalsePositive-InaccurateData
- CP_MDR_CLOSED_ANALYST-Undetermined
When a Sentinel case is filtered out by the MDR system using pattern matching and therefore does not create an MDR case, we tag the Sentinel case CP_MDR_CLOSED_AUTOMATION and add the filter rule description to the alert.
MDR case updates to Sentinel:
Case comments and closure comments from the MDR case are written to the Sentinel incident with the matching Incident ID.
Procedure
- Authenticate to the Sentinel management interface.
- Grant the following roles to the application you created, in the IAM (Access control) settings of the resource group where Microsoft Sentinel has been built:
  - Microsoft Sentinel Contributor
  - Microsoft Sentinel Responder
  - Microsoft Sentinel Reader
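The following pre-flight checker is an added example and is not Check Point's or Microsoft's code. It validates the integration fields the MDR Profile page asks for (GUID format for the three IDs, non-empty secret, resource group and workspace, and the AuditLog.Read.All Graph permission when auditLogs enrichment is enabled), and then compares the role assignments held by the app registration's service principal against the three roles the procedure grants at the resource group. The assignment records are a constructed sample in the shape of `az role assignment list -o json`; the field names used (`roleDefinitionName`, `scope`, `principalId`) and all IDs are assumptions, not values from this page. Because Azure RBAC is inherited downward, a required role granted at the subscription counts as present but is reported as broader than the resource-group scope the procedure asks for; Owner, Contributor and User Access Administrator are reported as least-privilege findings.

```python
"""Pre-flight checks for the Microsoft Sentinel / MDR integration procedure above.

Added example, not Check Point's or Microsoft's code. All IDs and the
assignment records below are constructed samples.
"""
import re

REQUIRED_ROLES = {
    "Microsoft Sentinel Contributor",
    "Microsoft Sentinel Responder",
    "Microsoft Sentinel Reader",
}
# Broader than the integration needs at any scope: report as a least-privilege finding.
OVERBROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def validate_profile(profile, graph_permissions=()):
    """Return a list of problems with the integration fields (empty list means OK)."""
    problems = []
    for key in ("Client ID", "Tenant ID", "Subscription ID"):
        if not GUID_RE.match(profile.get(key, "")):
            problems.append(f"{key} is not a GUID")
    for key in ("Secret Value", "Resource Group Name", "Workspace Name"):
        if not profile.get(key, "").strip():
            problems.append(f"{key} is empty")
    # The optional enrichment needs the AuditLog.Read.All Graph permission on the app.
    if profile.get("Use auditLogs Enrichment") and "AuditLog.Read.All" not in graph_permissions:
        problems.append("auditLogs enrichment enabled but AuditLog.Read.All is not granted")
    return problems


def resource_group_scope(subscription_id, resource_group):
    """Azure resource ID of the resource group, the scope the procedure grants roles at."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def check_role_assignments(assignments, principal_id, expected_scope):
    """Compare the principal's assignments with the roles the procedure grants.

    Returns missing required roles, required roles inherited from a parent scope
    (broader than asked for), and overbroad roles at any scope. Scope comparison
    is case-insensitive because Azure resource IDs are.
    """
    present, inherited, overbroad = set(), [], []
    want = expected_scope.lower()
    for a in assignments:
        if a.get("principalId") != principal_id:
            continue  # assignment belongs to some other identity
        role, scope = a.get("roleDefinitionName"), a.get("scope", "").lower()
        if role in OVERBROAD_ROLES:
            overbroad.append((role, scope))
        if role not in REQUIRED_ROLES:
            continue
        if scope == want:
            present.add(role)
        elif want.startswith(scope.rstrip("/") + "/"):
            present.add(role)          # inherited from subscription / management group
            inherited.append((role, scope))
    return {
        "missing": sorted(REQUIRED_ROLES - present),
        "inherited": inherited,
        "overbroad": overbroad,
    }


# Constructed sample values (hypothetical tenant, app, secret and principal).
SAMPLE_PROFILE = {
    "Client ID": "11111111-2222-3333-4444-555555555555",
    "Secret Value": "example-client-secret",
    "Resource Group Name": "rg-sentinel-prod",
    "Subscription ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "Tenant ID": "99999999-8888-7777-6666-555555555555",
    "Workspace Name": "law-sentinel-prod",
    "Use auditLogs Enrichment": True,
}
SAMPLE_PRINCIPAL = "0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b"  # service principal object id
SAMPLE_SCOPE = resource_group_scope(SAMPLE_PROFILE["Subscription ID"],
                                    SAMPLE_PROFILE["Resource Group Name"])
# Shape assumed for `az role assignment list -o json` (constructed records).
SAMPLE_ASSIGNMENTS = [
    {"principalId": SAMPLE_PRINCIPAL, "roleDefinitionName": "Microsoft Sentinel Contributor",
     "scope": SAMPLE_SCOPE},
    {"principalId": SAMPLE_PRINCIPAL, "roleDefinitionName": "Microsoft Sentinel Responder",
     "scope": "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
    {"principalId": SAMPLE_PRINCIPAL, "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
    {"principalId": "some-other-principal", "roleDefinitionName": "Microsoft Sentinel Reader",
     "scope": SAMPLE_SCOPE},
]

if __name__ == "__main__":
    print("profile problems:", validate_profile(SAMPLE_PROFILE, ("AuditLog.Read.All",)))
    print(check_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPAL, SAMPLE_SCOPE))
```

Run against real data by replacing `SAMPLE_ASSIGNMENTS` with the parsed output of `az role assignment list` for the app's service principal; the sample run reports Microsoft Sentinel Reader as missing (it is assigned to a different identity), Responder as inherited from the subscription, and Contributor as overbroad.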