MS Sentinel Integration Steps

Introduction

This document describes how to integrate Remedio with Microsoft Sentinel so that Remedio findings are sent to the Log Analytics workspace behind Sentinel and appear there as custom tables.

Overview

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution built on Azure. It provides security analytics and threat detection across the enterprise, collecting data at cloud scale from users, devices, applications, and infrastructure, both on-premises and in multiple clouds. All data it works with is stored in a Log Analytics workspace, which is where the Remedio tables will land.

MS Sentinel Integration Prerequisites

To enable data ingestion from Remedio into Microsoft Sentinel, you will need the Workspace ID and Primary Key of the Azure Log Analytics workspace that Sentinel uses. Remedio uses these to authenticate to the HTTP Data Collector API (the Workspace ID identifies the workspace; the key signs each request). You can find them in the Azure Portal by opening the Log Analytics workspace and selecting Agents management (labelled Agents in newer portal layouts). Treat the key as a secret: it is a workspace-wide credential, not tied to any user, and anyone holding it can write arbitrary records into the workspace. Store it in a secrets store rather than in tickets or chat, and be aware that regenerating it in the portal invalidates the old value immediately, so every agent and integration using that key (Remedio included) must be updated at the same time. Note also that Microsoft has deprecated the HTTP Data Collector API in favour of the Logs Ingestion API; check current Microsoft guidance for the retirement timeline when planning this integration.

MS Sentinel Side

  1. Log in to the Azure Portal
    Go to https://portal.azure.com and sign in with your Azure credentials.

  2. Open Your Log Analytics Workspace
    In the left-hand menu or search bar, type "Log Analytics workspaces" and select the appropriate workspace used by Microsoft Sentinel.

  3. Go to Agents Management
    Inside the workspace, in the left-hand pane, scroll down and click on Agents Management.

  4. Copy the Credentials

    • Workspace ID: Found at the top of the Agents Management page.

    • Primary Key: Listed under Primary Key. You may also see a Secondary Key; either works. Two keys exist so that one can be rotated while clients keep using the other, so if you use the primary here, keep the secondary free for rotation.


Remedio Side

  1. Log in to the Remedio console with administrator access privileges.

  2. Go to Settings > Integration > MS Sentinel and fill the required fields:

    1. Workspace ID

    2. Shared Key = Primary key

  3. Click Test to verify the Workspace ID and key against the workspace, then click Connect to save the connection configuration.

If the test reports an error, review the settings and correct them until it passes. The usual causes are a Workspace ID or key copied with a leading or trailing space, a key that has since been regenerated, or outbound HTTPS from the Remedio server to the workspace ingestion endpoint (https://<Workspace ID>.ods.opinsights.azure.com) being blocked by a proxy or firewall.
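The Prerequisites section and the Test step above both rely on the same mechanism: every request to the HTTP Data Collector API is signed with an HMAC-SHA256 over the request metadata, keyed with the base64-decoded workspace key. The following added example (not Remedio's or Microsoft's code) builds and signs such a request from a Workspace ID and shared key, so you can confirm the credential pair and network path independently of the Remedio console when the Test button fails. The workspace ID, key, record contents, log type name `RemedioConnTest`, and the `LA_WORKSPACE_ID` / `LA_SHARED_KEY` environment variables are all constructed placeholders; only the endpoint, API version and signature format are those of the real API.

```python
"""Sign and send a record to the Log Analytics HTTP Data Collector API.

Added example; the workspace ID, key, sample record and env-var names below
are constructed placeholders, not values from any real environment.
"""
import base64
import hashlib
import hmac
import json
import os
import sys
import urllib.error
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed sample credentials: a real key is also a base64 string of 64 bytes.
SAMPLE_WORKSPACE_ID = "00000000-0000-4000-8000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(bytes(range(64))).decode()
WRONG_SHARED_KEY = base64.b64encode(bytes(64)).decode()   # a different, constructed key
SAMPLE_RECORDS = [{"Host": "srv01", "Severity": "High", "Rule": "example"}]  # constructed


def build_signature(workspace_id, shared_key, body, date,
                    content_type="application/json", method="POST"):
    """Return the Authorization value 'SharedKey <workspace id>:<base64 hmac>'.

    The HMAC-SHA256 covers the method, the body length, the content type,
    the x-ms-date header and the resource path, joined by newlines; the key
    is the base64-decoded workspace key (primary or secondary).
    """
    string_to_sign = "\n".join([
        method,
        str(len(body)),
        content_type,
        "x-ms-date:" + date,
        RESOURCE,
    ])
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode())


def build_request(workspace_id, shared_key, records, log_type, date=None):
    """Return (url, headers, body) for posting records to custom table <log_type>_CL."""
    if date is None:
        date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, body, date),
        "Log-Type": log_type,          # letters, digits, underscores; Azure appends _CL
        "x-ms-date": date,
    }
    url = "https://{}.ods.opinsights.azure.com{}?api-version={}".format(
        workspace_id, RESOURCE, API_VERSION)
    return url, headers, body


def verify_signature(workspace_id, shared_key, body, date, authorization):
    """The check the service performs: recompute and compare in constant time."""
    expected = build_signature(workspace_id, shared_key, body, date)
    return hmac.compare_digest(expected, authorization)


def post_records(workspace_id, shared_key, records, log_type, timeout=15):
    """Send the records; 200 means accepted. 403 usually means a wrong workspace ID
    or key (or a regenerated key); 400 a malformed body or Log-Type."""
    url, headers, body = build_request(workspace_id, shared_key, records, log_type)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    ws = os.environ.get("LA_WORKSPACE_ID")
    key = os.environ.get("LA_SHARED_KEY")
    if not ws or not key:
        sys.exit("set LA_WORKSPACE_ID and LA_SHARED_KEY to send a test record")
    print(post_records(ws, key, SAMPLE_RECORDS, "RemedioConnTest"))
```

A 200 from this script with the same ID and key that Remedio rejects points at the Remedio side (whitespace in the pasted value, proxy configuration); a 403 here means the credentials themselves are wrong or have been rotated. If you do send a test record, it creates a `RemedioConnTest_CL` table in the workspace that you will want to delete afterwards.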

Viewing Remedio Tables in MS Sentinel

  1. Go to https://portal.azure.com and open Microsoft Sentinel.

  2. Select your workspace, then go to Settings > Workspace Settings (opens the Log Analytics workspace).

  3. In the left pane, click Tables.

  4. Browse or search for your table (e.g., GytpolAlerts_CL) to view its schema and ingestion method.

Screenshot (not reproduced): Remedio Custom Tables in Microsoft Sentinel

View Remedio Data in Sentinel Logs

  1. In the https://portal.azure.com, go to Microsoft Sentinel.

  2. Select your workspace and click Logs.

  3. In the Tables pane, search for GytpolAlerts_CL or any of the above tables.

  4. Run a query like: GytpolAlerts_CL | take 1000 (take returns an arbitrary sample of rows, which is enough to confirm that data is arriving).

Screenshots (not reproduced) of the Remedio data as shown in Logs: CIS Benchmark Results, CIS Benchmark Descriptions, Misconfigurations, Misconfiguration Descriptions.

You have completed the process. The MS Sentinel Connector is now configured.