Microsoft Sentinel Automation

This section guides you through integrating VirtualMetric Director with Microsoft Sentinel from the command line.

Prerequisites

An Azure subscription with permissions to create resources
Microsoft Sentinel requires a Log Analytics workspace - we'll create one during this setup
Administrative access to run PowerShell or Bash commands

Open a PowerShell or Terminal with Admin rights, and navigate to <vm_root>. Then, type the following command and press Enter.

PowerShell
Bash

C:\<vm_root>\vmetric-director -sentinel

~/path/to/<vm_root>: ./vmetric-director -sentinel

Authentication Methods

You will be presented with two authentication options:

Browser Authentication
- Recommended for desktop environments
- Opens a browser window automatically for Azure sign-in
- More user-friendly and secure
- Best for Windows/Linux systems with GUI
Device Code Authentication
- Ideal for systems without a desktop environment (e.g., server installations, CLI-only environments)
- Provides a code to enter at microsoft.com/devicelogin
- Perfect for remote sessions or Linux servers without GUI
- Useful when browser access is restricted on the local machine

Select your preferred authentication method using the arrow keys and press Enter.

Welcome to the Microsoft Sentinel Integration!

Choose Authentication Method:

> Browser Authentication
  Device Code Authentication

Use up/down arrows to navigate and press enter to select.
Press 'q' to quit.

After selecting your authentication method, the system will guide you through the authentication process.

Browser Authentication

A browser window will automatically open
Sign in with your Azure credentials
Grant the necessary permissions when prompted

Device Code Authentication

A code will be displayed in your terminal
Visit microsoft.com/devicelogin in any browser
Enter the provided code
Sign in with your Azure credentials
Grant the necessary permissions when prompted

Post-Authentication

After successful authentication, you'll see this confirmation screen:

Authentication Successful!

You have successfully authenticated!

Press any key to proceed.

You have successfully authenticated! You can continue with the setup by pressing any key.

Log Analytics Workspace and Sentinel Setup

After authentication, you'll set up the Log Analytics workspace, which is required for Microsoft Sentinel.

This documentation will guide you through creating a new Log Analytics workspace. We'll focus on the new workspace setup as it's the most comprehensive path, but here's what you should know about both options:

Creating a New Workspace (This Guide):

Best for fresh installations
Gives you full control over workspace configuration
Ensures all required features are properly enabled
Automatically sets up necessary permissions

Using an Existing Workspace:

Skip the workspace creation steps
Verify these prerequisites in your existing workspace:
- Microsoft Sentinel is enabled
- You have the necessary permissions
- The workspace is in a supported region

note

If you choose to use an existing workspace, you can follow the same steps, but select "Use an existing Log Analytics Workspace" when prompted. The subsequent configuration steps will adapt accordingly.

Select the first option and press Enter to start with new Log Analytics Worspace creation.

Integration Method

How do you want to set up the integration?

> Create a new Log Analytics Workspace
  Use an existing Log Analytics Workspace

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Provide your Azure Subscription name and press Enter.

Select Subscription

Choose the subscription you want to use:

> <your_subscription>

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Select the region you desire and press Enter.

Select Region

Choose the region you want to use:

> North Europe
  South Central US
  South India
  Southeast Asia
  UK South
  UK West
  West Europe
  West India
  West US
  West US 2

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

You will now create a resource group. Select the first option and press Enter.

Resource Group Option

Choose how to manage the resource group:

> Create a new Resource Group
  Use an existing Resource Group

Use up/down arrows to navigate and press enter to select.
Press 'b' to return, press 'q' to quit.

Provide your <resource_group_name> and press Enter.

Resource Group Name

Enter the resource group name (default: vmetric):

<your_resource_group_name>

Press enter to confirm.

You will now create a Log Analytics Workspace. Provide your <instance_name> and press Enter.

Instance Name

Enter the instance name (default: vmetric-loganalytics):

<your_instance_name>

Press enter to confirm.

VirtualMetric Director will now create your workspace. During this process, it will:

Create the Log Analytics workspace
Enable Microsoft Sentinel
Configure the Data Collection Endpoint
Configure necessary Data Collection Rules

Creating Workspace

Please wait while we create your workspace...

This may take a few minutes.

Press 'b' to return, press 'q' to quit.

This step may take a few minutes to complete.

Integration Methods

After workspace setup, you'll choose between two integration methods:

Setup Complete

Log Analytics Workspace 'your_instance_name' is ready for use.

Press 'r' to set up an App Registration.

Press 'm' to continue with Managed Identity. (Please refer to the documentation)

Press 'b' to return, press 'q' to quit.

App Registration

When you press R, you will proceed to App Registration. This will involve authentication via the browser which will launch automatically.

Choose this when:

Running Director on non-Azure environments (on-premises servers, other cloud providers)
Need fine-grained control over permissions
Want to manage credentials manually
Require credential rotation policies
Need to share access across multiple systems

Benefits:

More flexible deployment options
Portable credentials
Can be used anywhere with internet access
Easier to manage in multi-tenant scenarios

Integration Complete

VirtualMetric Target Configuration.

targets:
  - name: sentinel
    type: sentinel
    properties:
      tenant_id: "<your-tenant-id>"
      client_id: "<your-client-id>"
      client_secret: "<your-client-secret>"
      endpoint: "https://<your-endpoint>"
      streams:
        - name: "<table-name>"
          rule_id: "<rule-identifier>"
        - name: "<table-name>"
          rule_id: "<rule-identifier>"

Press 's' to save the configuration to the current path, press 'q' to quit.

Managed Identity

Press M to proceed with Managed Identity authentication:

Choose this when:

Running Director on Azure VMs
Using Azure Arc-enabled servers
Want to avoid managing credentials manually
Need enhanced security with automatic credential management

Benefits:

No credential management required
Automatic rotation of credentials
Tighter integration with Azure security
Simpler setup and maintenance
Enhanced security as no secrets are stored in configuration files

After the integration process completes, you will see the following output:

Integration Complete

VirtualMetric Target Configuration.

targets:
  - name: sentinel
    type: sentinel
    properties:
      endpoint: "https://<your-endpoint>"
      streams:
        - name: "<table-name>"
          rule_id: "<rule-identifier>"
        - name: "<table-name>"
          rule_id: "<rule-identifier>"

Press 's' to save the configuration to the current path, press 'q' to quit.

warning

The automation program does not automatically configure permissions for the Managed Identity. You need to manually assign the required permissions in the Azure Portal.

To assign the necessary permissions, follow these steps for each Data Collection Rule (DCR) that starts with "vmetric":

Navigate to the DCR in the Azure Portal
Select Access Control (IAM)
Click Add > Add role assignment
Assign the Monitoring Metrics Publisher role to your Managed Identity

For Azure VMs:

The Managed Identity is automatically created with the VM
Use the VM's system-assigned identity name in the role assignments

For Azure Arc-enabled servers:

Ensure Azure Arc is properly configured on your server
Use the Arc-enabled server's system-assigned identity name in the role assignments

note

If you encounter permission-related errors when running Director, verify that all required roles are properly assigned to your Managed Identity.

Configuration

From the configuration screen, copy the sentinel information by pressing S and paste it into a text editor like Notepad.

Create the following directory structure if it doesn't exist:

C:\<vm_root>\director\config\targets\

Then, either:

Create a new file named sentinel.yml in this directory and paste the properties block you copied from the screen, or
Move your saved sentinel.yml file containing the copied properties block to this directory.

Validation

Once completed, validate the automation by following these steps:

Open your browser and navigate to the Azure Portal: Data Collection Rules (DCR)
Look for DCRs with the "vmetric" prefix
In each DCR's details page, check the Data Sources section to verify that the tables were created correctly

Prerequisites​

Authentication Methods​

Browser Authentication​

Device Code Authentication​

Post-Authentication​

Log Analytics Workspace and Sentinel Setup​

Integration Methods​

App Registration​

Managed Identity​

Configuration​

Validation​