Skip to main content
Red Canary help

Add a Microsoft Sentinel automate action

  • Updated .

This article walks you through the three steps required to send threats to Microsoft Sentinel.

Microsoft Sentinel is Microsoft’s security information and event manager (SIEM) platform. You can configure an Automate playbook that sends your Red Canary threats to Microsoft Sentinel for analysis by completing the following steps:

  • Create an Automate playbook.
  • Connect your playbook to an Automate trigger.
  • Add an analysis rule to your Microsoft Sentinel workspace.

Create a playbook that sends threats to Microsoft Sentinel

  1. Go to go.my.redcanary.co/automate.
  2. Click Playbooks.
  3. Create a new playbook by clicking Create New Playbook. You can also select an existing playbook.
  4. Click Add Action, and then click Send Threat to Sentinel.
  5. Enter your Microsoft Sentinel workspace ID and key. You can enter either your primary or secondary key. For instructions on obtaining these credentials, see Find your workspace ID and key.
  6. Click Save.

Add your playbook to a trigger

  1. Go to go.my.redcanary.co/automate.
  2. Click Triggers.
  3. Create a new trigger by clicking Configure new trigger and select “When a Threat is published” trigger condition. You can also select an existing “When a Threat is published” trigger.
  4. Click Add a Playbook, and select the playbook you created earlier.

Add analysis rule to Microsoft Sentinel

To configure Microsoft Sentinel to analyze Red Canary threats:

  1. Go to your Microsoft Sentinel dashboard, and select a workspace.
  2. Click Analytics under the “Configuration” section of your workspace.
  3. Click Import from the menu at the top of the page.
  4. Upload the analytics rule template file. Click here to download the template file.

How do I know it's working?

After you create a playbook and trigger, and add an analysis rule to Microsoft Sentinel, any threats that activate your “When a Threat is published” trigger will create a corresponding Microsoft Sentinel incident.

 

Helpful Notes

Red Canary will publish with the following GUID, useful when filtering or restricting responses to only Red Canary published threats.

6d263abb-6445-45cc-93e9-c593d3d77b89

 

Comments

0 comments

Please sign in to leave a comment.