Microsoft Sentinel: Overview

This section guides you through integrating VirtualMetric Director with Microsoft Sentinel using the command line.

You can watch our video demonstrating the process below:

Prerequisites

To install Director, you need

• an Azure subscription with permissions to create resources
• a Log Analytics workspace (required by Microsoft Sentinel)
• a PowerShell or Bash terminal with Administrative access

Open the terminal and navigate to <vm_root>. Then, type the following command and press Enter.

PowerShell

C:\<vm_root>\vmetric-director -sentinel

Bash

~/path/to/<vm_root>: ./vmetric-director -sentinel

Authentication Methods

You will be presented with two authentication options:

Welcome to the Microsoft Sentinel Integration!

Choose Authentication Method:

> Browser Authentication
  Device Code Authentication

Use up/down arrows to navigate and press enter to select.
Press 'q' to quit.

• Browser Authentication

  Recommended for desktop GUI environments since it is user-friendly and secure.

  With this option, a browser window will automatically open. Sign in with your Azure credentials, and grant the necessary permissions when prompted.

• Device Code Authentication

  Ideal for systems without a desktop environment—e.g. server installations, CLI-only environments, etc. It is also useful when browser access is restricted on the local machine.

  With this option, a code will be displayed in your terminal. Visit microsoft.com/devicelogin in any browser and enter the provided code. Sign in with your Azure credentials, and grant the necessary permissions when prompted.

After selecting your preferred method using the arrow keys and pressing Enter, the system will then guide you through the process.

Post-Authentication

After a successful authentication, you'll see this confirmation screen:

Authentication Successful!

You have successfully authenticated!

Press any key to proceed.

You have successfully authenticated! You can continue with the setup by pressing any key.

Log Analytics Workspace and Sentinel Setup

After the authentication step is completed, you will need to set up the Log Analytics workspace, which is required for Microsoft Sentinel. Here, we will focus on creating a new workspace as it's the most comprehensive one, but here's what you need to know about either option:

Creating a New Workspace

Recommended for fresh installations. It gives you full control over workspace configuration, ensures all required features are properly enabled, and automatically sets up necessary permissions.

Select the option and press Enter to start creating a new Log Analytics Worspace.

Integration Method

How do you want to set up the integration?

> Create a new Log Analytics Workspace
  Use an existing Log Analytics Workspace

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Provide your Azure Subscription name and press Enter.

Select Subscription

Choose the subscription you want to use:

> <your_subscription>

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Select the region you desire and press Enter.

Select Region

Choose the region you want to use:

> North Europe
  South Central US
  South India
  Southeast Asia
  UK South
  UK West
  West Europe
  West India
  West US
  West US 2

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

You will now create a resource group. Select the first option and press Enter.

Resource Group Option

Choose how to manage the resource group:

> Create a new Resource Group
  Use an existing Resource Group

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Provide your <resource_group_name> and press Enter.

Resource Group Name

Enter the resource group name (default: vmetric):

<your_resource_group_name>

Press enter to confirm.

You will now create the Log Analytics Workspace. Provide your <instance_name> and press Enter.

Instance Name

Enter the instance name (default: vmetric-loganalytics):

<your_instance_name>

Press enter to confirm.

Director will now create the Log Analytics workspace, enable Microsoft Sentinel, and configure the Data Collection Endpoint and the necessary Data Collection Rules.

This step may take some time, as you will be prompted on the screen.

Creating Workspace

Please wait while we create your workspace...

This may take a few minutes.

Press 'b' to return, press 'q' to quit.

Using an Existing Workspace

Select this option if you have already installed Director and authenticated it. Skip the workspace creation steps, and verify that

• Microsoft Sentinel is enabled
• the workspace is in a supported region
• you have the required access permissions

Integration Methods

After the workspace is set up, you will need to choose an integration method:

Setup Complete

Log Analytics Workspace 'your_instance_name' is ready for use.

Press 'r' to set up an App Registration.

Press 'm' to continue with Managed Identity. (Please refer to the documentation)

Press 'b' to return, press 'q' to quit.

App Registration

When you press R, you will proceed to App Registration. This will involve authentication via the browser which will launch automatically.

Choose this method when

• you are running Director on non-Azure environments—e.g. on-premises servers, other cloud providers, etc.
• you need a more fine-grained control over permissions to manage credentials manually—e.g. when you require credential rotation policies
• you want to share access across multiple systems

This method has more flexible deployment options as the credentials are portable, and it can be used anywhere with internet access, and it is easier to manage in multi-tenant scenarios.

Integration Complete

VirtualMetric Target Configuration.

targets:
  - name: sentinel
    type: sentinel
    properties:
      tenant_id: "<your-tenant-id>"
      client_id: "<your-client-id>"
      client_secret: "<your-client-secret>"
      endpoint: "https://<your-endpoint>"
      streams:
        - name: "<table-name>"
          rule_id: "<rule-identifier>"
        - name: "<table-name>"
          rule_id: "<rule-identifier>"

Press 's' to save the configuration to the current path, press 'q' to quit.

Managed Identity

To proceed with Managed Identity authentication, press M on your keyboard.

Choose this method when you are running Director on Azure VMs, you have Azure Arc-enabled servers, or you want to avoid managing credentials manually and need enhanced security with automatic credential management.

This method does not require any credential management; credentials are automatically rotated. It has tighter integration with Azure security due to which security is enhanced as no secrets are stored in configuration files. It is also simpler to set up and maintain.

After the integration process is completed, you will see the following screen:

Integration Complete

VirtualMetric Target Configuration.

targets:
  - name: sentinel
    type: sentinel
    properties:
      endpoint: "https://<your-endpoint>"
      streams:
        - name: "<table-name>"
          rule_id: "<rule-identifier>"
        - name: "<table-name>"
          rule_id: "<rule-identifier>"

Press 's' to save the configuration to the current path, press 'q' to quit.

warning

The automation program does not automatically configure permissions for Managed Identity. You will need to manually assign the required permissions in Azure Portal.

To assign the necessary permissions, follow these steps for each Data Collection Rule (DCR) that starts with "vmetric":

1. Navigate to the DCR in the Azure Portal
2. Select Access Control (IAM)
3. Click Add > Add role assignment
4. Assign the Monitoring Metrics Publisher role to your Managed Identity

For Azure VMs, the Managed Identity is automatically created with the VM. Use the VM's system-assigned identity name in role assignments.

For Azure Arc-enabled servers, ensure Azure Arc is properly configured on your server. Then, use the Arc-enabled server's system-assigned identity name in role assignments.

tip

If you encounter permission-related errors, verify that all required roles are properly assigned to your Managed Identity.

Configuration

From the configuration screen, copy the sentinel information by pressing S and paste it into a text editor like Notepad.

Create the following directory if it doesn't exist:

PowerShell

C:\path\to\<vm_root>\director\config\targets

Bash

~/path/to/<vm_root>: ./director/config/targets

After this, you have two options:

• create a new file named sentinel.yml, and paste the properties block you have copied from the screen
• move your saved sentinel.yml file containing the copied properties block to this directory

Validation

Once the editing of properties is completed, validate the automation with the following steps:

1. Open your browser and navigate to Azure Portal: Data Collection Rules (DCR)
2. Look for DCRs with the "vmetric" prefix
3. In each DCR's details page, check the Data Sources section to verify that the tables were created correctly