Sentinel is a cloud-native SIEM and SOAR solution that provides a unified platform for security operations. It integrates with Qevlar to provide a unified view of security alerts and incidents.
Prerequisites
Before you begin, ensure you have the following:
| Requirement | Description |
|---|---|
| Azure Permissions | You need sufficient privileges in Azure to register an app and assign roles. Typically, a Global Administrator or Privileged Role Administrator in Azure AD is required to grant the necessary Graph API permissions. You'll also need to be an Owner or Contributor on the Azure subscription or Log Analytics workspace to assign role access to the workspace. (Having the workspace Owner role is usually sufficient.) |
| Azure Monitor Workspace | An existing Log Analytics Workspace in Azure Monitor where your logs reside. This is the workspace Qevlar will pull logs from (e.g., your Azure AD logs, Sentinel workspace, or other Azure Monitor Logs workspace). |
| Qevlar Access | Access to your Qevlar platform account with permissions to add new integrations. (Verify that the Azure Monitor Logs integration option is available in your Qevlar interface.) |
Minimum permissions to grant
| Scopes | Permissions | Context |
|---|---|---|
| Data.Read.All | READ | Azure Monitor Logs API |
Register an Application in Azure AD
To allow Qevlar to access Azure Monitor Logs, you'll create a dedicated Azure AD application (service principal). This app represents Qevlar when it connects to Azure.
Navigating to App registrations in the Azure AD (Microsoft Entra ID) portal.
- Open Azure AD in Portal: Sign in to the Azure Portal with an appropriate admin account. Navigate to Azure Active Directory (often labeled Microsoft Entra ID in the portal). In the left sidebar, click App registrations.
- New Registration: Click the New registration button at the top. In the Register an application form, enter a Name for the app (for example, "Qevlar Azure Monitor Integration"). You can leave the supported account type as "Accounts in this organizational directory only" (default). No redirect URI is needed for this server-to-server integration. Click Register to create the app.
- Record the Application ID: After registering, you will be taken to the app's Overview page. Here, note down the Application (client) ID (a GUID); you'll need this later. Also note the Directory (tenant) ID, which is your Azure AD tenant's ID (this is visible on the same page). We will gather all needed IDs in a later step, but it's good to identify them now.
- Certificates & Secrets: In the app's left-hand menu, click Certificates & secrets. We will create a client secret for the app in the next step. (You can also optionally upload a certificate if your organization prefers certificate credentials, but this guide uses a client secret.)
Create a Client Secret
The client secret is essentially the app's password that Qevlar will use to authenticate to Azure. We'll create a new client secret for the app registration.
Creating a new Client Secret for the app in the Azure portal.
- Add a Secret: On the app's Certificates & secrets page, ensure you are under the Client secrets tab. Click + New client secret.
- Describe and Expire: In the Add a client secret pane (as shown above), give the secret a description, such as "QevlarIntegrationSecret," to identify it. Choose an appropriate Expiration period (e.g., 6 months, 12 months, or 24 months) according to your security policies. Add the secret to generate its value.
- Copy the Secret Value: Once you click Add, the new secret will appear in the list with a Value and Secret ID. Copy the secret's Value immediately and store it in a secure place (for example, a password manager). This is the only time the value will be displayed; if you navigate away, you cannot retrieve it again. (The Secret ID is not the secret itself; use the Value. The Secret ID is just an identifier.)
- Secure Storage: Treat this secret value like a password. Do not share it, and ensure it's kept out of source code or unsecured notes. If you ever lose the secret or suspect it's compromised, you can return to this Azure AD app and create a new client secret (then update Qevlar with the new value).
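
The expiration and rotation guidance above can be checked on a schedule rather than remembered. The following is an added example, not part of the original guide or of Qevlar's or Microsoft's code, that audits an app registration's client secrets for expiry and lifetime. The sample JSON is constructed, and `max_lifetime_days` and `warn_days` are hypothetical policy thresholds.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph passwordCredential objects
# (the JSON `az ad app credential list --id <app-id>` prints). IDs and dates are made up.
# keyId is the identifier the portal labels "Secret ID"; it is not the secret value.
SAMPLE = json.loads("""[
 {"displayName": "QevlarIntegrationSecret", "keyId": "00000000-0000-0000-0000-000000000001",
  "startDateTime": "2024-01-10T09:00:00Z", "endDateTime": "2024-07-10T09:00:00Z"},
 {"displayName": "old-secret", "keyId": "00000000-0000-0000-0000-000000000002",
  "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
 {"displayName": "long-lived", "keyId": "00000000-0000-0000-0000-000000000003",
  "startDateTime": "2024-02-01T00:00:00Z", "endDateTime": "2026-02-01T00:00:00Z"},
 {"displayName": "healthy", "keyId": "00000000-0000-0000-0000-000000000004",
  "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": "2024-11-01T00:00:00Z"}
]""")
SAMPLE_NOW = datetime(2024, 6, 25, tzinfo=timezone.utc)  # fixed "now" for the sample


def parse_ts(value):
    """Parse a timestamp, assuming UTC; fractional seconds and the suffix are dropped."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(creds, now, max_lifetime_days=365, warn_days=30):
    """Return one finding per secret that is expired, near expiry, or too long-lived.

    max_lifetime_days and warn_days are hypothetical policy values; set your own.
    """
    findings = []
    for cred in creds:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        issues = []
        if end <= now:
            issues.append("expired")          # no longer valid; remove the stale entry
        elif end - now <= timedelta(days=warn_days):
            issues.append("expiring-soon")    # create a new secret, then update Qevlar
        if end - start > timedelta(days=max_lifetime_days):
            issues.append("lifetime-exceeds-policy")
        if issues:
            findings.append({"name": cred.get("displayName"), "keyId": cred["keyId"],
                             "expires": end.date().isoformat(), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_secrets(SAMPLE, SAMPLE_NOW):
        print(f'{finding["expires"]}  {finding["name"]:<26} {", ".join(finding["issues"])}')
```
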
Integration in Qevlar
- Navigate to your Qevlar platform
- Select Integrations from the menu

- Locate Azure Monitor Logs and click +.

- In the dialog, paste the Workspace ID, Tenant ID, Client ID, and Client Secret you copied earlier.
- Click on Test to verify the connection and click on Test & Save to save the integration.
- The datasets will be automatically detected and selected.