This article walks you through the three steps required to send threats to Microsoft Sentinel.

Estimated procedure time: 15 minutes

Microsoft Sentinel is Microsoft’s security information and event manager (SIEM) platform. You can configure an Automate playbook that sends your Red Canary threats to Microsoft Sentinel for analysis by completing the following steps:

• Create an Automate playbook.
• Connect your playbook to an Automate trigger.
• Add an analysis rule to your Microsoft Sentinel workspace.

Create an Automate playbook

To create a playbook that sends threats to Microsoft Sentinel:

1. Go to go.my.redcanary.co/automate.
2. Click Playbooks.
3. Create a new playbook by clicking New Playbook. You can also select an existing playbook.
4. Click Add Action > Send Detection to Sentinel.
5. Enter your Microsoft Sentinel workspace ID and key. You can enter either your primary or secondary key. For instructions on obtaining these credentials, see Find your workspace ID and key.
6. Click Save.

Add your playbook to a trigger

To add your playbook to an Automate trigger:

1. Go to go.my.redcanary.co/automate.
2. Click Triggers.
3. Create a new trigger by clicking New Trigger and selecting the “When a Detection is published” trigger condition. You can also select an existing “When a Detection is published” trigger.
4. Click Add a Playbook, and select the playbook you created earlier.

Add analysis rule to Microsoft Sentinel

To configure Microsoft Sentinel to analyze Red Canary detections:

1. Go to your Microsoft Sentinel dashboard, and select a workspace.
2. Click Analytics under the “Configuration” section of your workspace.
3. Click Import from the menu at the top of the page.
4. Upload the analytics rule template file. Click here to download the template file.

How do I know it's working?

After you create a playbook and trigger, and add an analysis rule to Microsoft Sentinel, any threats that activate your “When a Detection is published” trigger will create a corresponding Microsoft Sentinel incident.