Ingest Microsoft Sentinel security events

  • Latest Dynatrace
  • How-to guide

This page has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

Dynatrace integration with Microsoft Sentinel, a cloud-native security information and event management (SIEM), allows users to unify and contextualize security findings across DevSecOps tools and products, enabling central prioritization, visualization, and automation of security findings.

The integration ingests security alerts originating from various connectors, including Microsoft products, such as Microsoft Defender for Cloud, as well as external product connectors.

How it works


  1. Microsoft Sentinel exports security findings to Azure Event Hubs.

  2. An Azure Function app pre-processes the events and sends them to Dynatrace, taking advantage of the OpenPipeline dedicated security events ingest endpoint.

  3. The fetched data is mapped to the Dynatrace Semantic Dictionary.

  4. Data is stored in Grail in a unified format, in a default bucket called default_securityevents. For details, see Built-in Grail buckets.

Prerequisites

See below for the Microsoft Sentinel and Dynatrace requirements.

Microsoft Sentinel

Dynatrace requirements

  • Permissions:

    • To query ingested data: storage:security.events:read.
  • Tokens:

Get started

  1. In Dynatrace, open Dynatrace Hub.

  2. Look for Microsoft Sentinel and select Install.

  3. Select Set up, then select Configure new connection.

  4. Follow the on-screen instructions to set up the ingestion.

  5. Verify configuration by running the following query in Notebooks:

    fetch security.events
    | filter dt.system.bucket == "default_securityevents"
    | filter event.provider == "Microsoft Sentinel"

Monitor data

Once you ingest your Microsoft Sentinel data into Grail, you can monitor your data in the app (in Dynatrace, go to Settings > Microsoft Sentinel).


You can view:

  • A chart of ingested data from all existing connections over time

  • A table with information about your connections

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

  1. In Dynatrace, go to Settings > Microsoft Sentinel.
  2. In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

  1. In Dynatrace, go to Settings > Microsoft Sentinel.
  2. In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks or Security Investigator, using the data format in Semantic Dictionary.

  1. In Dynatrace, go to Settings > Microsoft Sentinel.
  2. Select Open with.
  3. Select Notebooks or Security Investigator.

Evaluate, triage, and investigate detection findings

You can evaluate, triage, and investigate detection findings with the Threats & Exploits app.

  1. In Dynatrace, open Threats & Exploits.
  2. Filter for Provider > Microsoft Sentinel.

Delete connections

To stop sending events to Dynatrace:

  1. In Dynatrace, go to Settings > Microsoft Sentinel.
  2. For the connection you want to delete, select Delete.
  3. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Frequently asked questions (FAQ)

Which data model is used for the security logs and events coming from Microsoft Sentinel?

Detection finding events store the individual detection findings per affected object represented by an affected Azure resource.

Which extension fields are added on top of the core fields of the events ingested from Microsoft Sentinel?

  • The actor namespace is added to store all the actor-related fields if present in an alert:

    • actor.ips represents the list of IPs of the suspicious actor

    • actor.fqdns represents the list of FQDNs of the suspicious actor

    • actor.geo.country.name represents the country name of the suspicious actor

    • actor.geo.city.name represents the city name of the suspicious actor

  • The azure namespace is added to store Azure-related fields in an alert:

    • azure.tenant.id represents the ID of the Azure tenant

    • azure.subscription represents the ID of the Azure subscription

    • azure.resource.id represents the ID of the affected Azure resource

    • azure.resource.group represents the name of the Azure resource group

    • azure.resource.type represents the name of the Azure resource type

    • azure.resource.name represents the name of the Azure resource

How do we normalize the risk score for Microsoft Sentinel findings?

  • dt.security.risk.level is mapped directly from the severity level (AlertSeverity) set by Microsoft Sentinel.

  • dt.security.risk.score is mapped directly from the severity level (AlertSeverity) set by Microsoft Sentinel.

  AlertSeverity    dt.security.risk.level    dt.security.risk.score
  High             HIGH                      8.9
  Medium           MEDIUM                    6.9
  Low              LOW                       3.9
  Informational    NONE                      0.0
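The pre-processing step from the How it works section, the actor and azure extension fields, and the severity mapping in this FAQ can be illustrated with one small mapper. The Python below is an added example written for this page, not Dynatrace's Azure Function or any Microsoft code. The azure.*, actor.*, dt.security.risk.* field names, the event.provider value and the severity table are taken from this page; the input shape (AlertSeverity, Entities as a JSON string, ResourceId, TenantId, and the entity keys Type, Address, HostName, DnsDomain, Location) and the core field names event.name and timestamp are assumptions of the example. The sample alert is constructed and uses documentation address ranges.

```python
import json
import re
from typing import Any

# Constructed sample alert (example data, not captured from a real tenant).
# The key names are an assumption about what a Sentinel SecurityAlert record carries.
SAMPLE_ALERT: dict[str, Any] = {
    "AlertName": "Suspicious sign-in from unusual location",
    "AlertSeverity": "Medium",
    "TimeGenerated": "2024-01-01T00:00:00Z",
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ResourceId": "/subscriptions/11111111-1111-1111-1111-111111111111"
                  "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    "Entities": json.dumps([
        {"Type": "ip", "Address": "203.0.113.7",
         "Location": {"CountryName": "Exampleland", "City": "Sampleville"}},
        {"Type": "ip", "Address": "203.0.113.8"},
        {"Type": "ip", "Address": "203.0.113.7"},  # duplicate entity, must be collapsed
        {"Type": "host", "HostName": "attacker-box", "DnsDomain": "example.net"},
    ]),
}

# Severity mapping exactly as the table on this page states it:
# AlertSeverity -> (dt.security.risk.level, dt.security.risk.score)
RISK_BY_SEVERITY = {
    "High": ("HIGH", 8.9),
    "Medium": ("MEDIUM", 6.9),
    "Low": ("LOW", 3.9),
    "Informational": ("NONE", 0.0),
}

# Standard ARM resource ID layout: /subscriptions/<id>/resourceGroups/<rg>/providers/<ns>/<type>/<name>
_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<type>[^/]+/[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def map_risk(severity: str) -> dict[str, Any]:
    """Map AlertSeverity to the two dt.security.risk.* fields.
    An unknown severity raises instead of silently receiving a score."""
    try:
        level, score = RISK_BY_SEVERITY[severity]
    except KeyError:
        raise ValueError(f"unexpected AlertSeverity: {severity!r}") from None
    return {"dt.security.risk.level": level, "dt.security.risk.score": score}


def map_azure(alert: dict[str, Any]) -> dict[str, Any]:
    """Populate the azure.* namespace from TenantId and ResourceId."""
    fields: dict[str, Any] = {}
    if alert.get("TenantId"):
        fields["azure.tenant.id"] = alert["TenantId"]
    resource_id = alert.get("ResourceId") or ""
    if resource_id:
        fields["azure.resource.id"] = resource_id
        m = _RESOURCE_ID_RE.match(resource_id)
        if m:  # an ID that does not follow the ARM layout keeps only azure.resource.id
            fields["azure.subscription"] = m.group("sub")
            fields["azure.resource.group"] = m.group("rg")
            fields["azure.resource.type"] = m.group("type")
            fields["azure.resource.name"] = m.group("name")
    return fields


def map_actor(entities: Any) -> dict[str, Any]:
    """Populate the actor.* namespace from the alert's entity list.
    Entities are assumed to arrive as a JSON string; a parsed list is accepted too.
    Only fields that are actually present are emitted; malformed input yields nothing."""
    if isinstance(entities, str):
        try:
            entities = json.loads(entities)
        except json.JSONDecodeError:
            return {}
    if not isinstance(entities, list):
        return {}
    ips: list[str] = []
    fqdns: list[str] = []
    geo: dict[str, str] = {}
    for ent in entities:
        kind = str(ent.get("Type", "")).lower()
        if kind == "ip" and ent.get("Address"):
            if ent["Address"] not in ips:
                ips.append(ent["Address"])
            loc = ent.get("Location") or {}
            if not geo and loc.get("CountryName"):  # first geolocated IP wins
                geo["actor.geo.country.name"] = loc["CountryName"]
                if loc.get("City"):
                    geo["actor.geo.city.name"] = loc["City"]
        elif kind == "host" and ent.get("HostName"):
            fqdn = ent["HostName"]
            if ent.get("DnsDomain"):
                fqdn = f"{fqdn}.{ent['DnsDomain']}"
            if fqdn not in fqdns:
                fqdns.append(fqdn)
    fields: dict[str, Any] = {}
    if ips:
        fields["actor.ips"] = ips
    if fqdns:
        fields["actor.fqdns"] = fqdns
    fields.update(geo)
    return fields


def normalize_alert(alert: dict[str, Any]) -> dict[str, Any]:
    """Build one detection finding event in the flat field layout this page describes."""
    event: dict[str, Any] = {
        "event.provider": "Microsoft Sentinel",   # value the verification query on this page filters on
        "event.name": alert.get("AlertName"),     # assumed core field name
        "timestamp": alert.get("TimeGenerated"),  # assumed core field name
    }
    event.update(map_risk(alert.get("AlertSeverity", "")))
    event.update(map_azure(alert))
    event.update(map_actor(alert.get("Entities")))
    return event


if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```

Rejecting an unrecognised AlertSeverity is deliberate: a pre-processor that quietly assigns a default score would hide a schema change upstream and skew prioritisation in Threats & Exploits, whereas a failed invocation is visible in the Function app's logs.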