Microsoft Sentinel - User Guide

This article explains, step by step, how to integrate Scytale with Microsoft Sentinel.

Microsoft Sentinel is a cloud-native SIEM and SOAR platform that collects, analyzes, and responds to security data across an organization using AI and automation.

Required Permissions

  • The Log Analytics Reader role is required to enable full API access to the Log Analytics Workspace.

Scytale follows the least-privilege principle, limiting permission scopes strictly to what's required for audit evidence collection.

How to Connect

  1. In Scytale, go to 'Integrations'.

  2. Search for Microsoft Sentinel and select 'Connect'.

  3. Paste your tenant ID, client ID, client secret & workspace ID.

  4. Add a connection name — this will be used to differentiate between your connections — and then select 'Connect'.

You have now successfully connected to Microsoft Sentinel.

How to Generate Credentials in Microsoft Sentinel

Step 1 — Register an app in Azure

(If you already registered an app for the Defender integration, you can reuse it.)

  1. Search for Microsoft Entra ID → App registrations.

  2. Click New registration, give it a name (e.g. scytale-integration), and click Register.

  3. Copy the Application (client) ID and Directory (tenant) ID.

Step 2 — Create a client secret

(If you already created a client secret for the Defender integration, you can reuse it.)

  1. In your app, go to Certificates & secrets → New client secret.

  2. Set an expiry and click Add.

  3. Copy the secret value immediately — you won't be able to see it again.

Step 3 — Grant API Permission for Log Analytics

  1. In your app, go to API Permissions → Add a permission.

  2. Select APIs my organization uses → search for "Log Analytics".

  3. Add the Data.Read permission.

  4. Click Grant admin consent.

Step 4 — Create a Log Analytics Workspace

  1. Go to Log Analytics Workspaces → + Create.

  2. Fill in: Subscription, Resource Group, Name, Region.

  3. Click Review + Create → Create.

Step 5 — Attach Microsoft Sentinel to the Workspace

  1. Search for Microsoft Sentinel → + Create.

  2. Select the workspace you just created.

  3. Click Add.

Step 6 — Connect Data Connectors

  1. Go to Microsoft Sentinel → Data Connectors.

  2. Enable relevant connectors (e.g. Microsoft Defender for Cloud, Azure Activity).

Step 7 — Assign the Log Analytics Reader role on the Workspace

  1. Go to Log Analytics Workspaces → select your workspace.

  2. Click Access Control (IAM) → Add role assignment.

  3. Select role: Log Analytics Reader (*).

  4. Assign it to your registered app.

Step 8 — Find your Workspace ID

  1. Go to Log Analytics Workspaces → your workspace → Overview.

  2. Copy the Workspace ID.

Step 9 — Enter your credentials in Scytale

Provide the following values:

  • Tenant ID — from Step 1

  • Client ID — from Step 1

  • Client Secret — from Step 2

  • Workspace ID — from Step 8
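
A pre-flight check for the four values listed above, added here as an example and not part of Scytale's or Microsoft's own tooling: it flags malformed IDs, requests a token with the client credentials, and runs one read-only query against the workspace. The environment variable names and the sample query are assumptions made for this example.

```python
import json, os, re, sys, urllib.error, urllib.parse, urllib.request

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SCOPE = "https://api.loganalytics.io/.default"  # Log Analytics API scope

def check_values(tenant_id, client_id, client_secret, workspace_id):
    """Return a list of problems found in the four values from Step 9."""
    problems = [f"{name} is not a GUID" for name, value in
                (("tenant ID", tenant_id), ("client ID", client_id),
                 ("workspace ID", workspace_id)) if not GUID.match(value or "")]
    if not client_secret:
        problems.append("client secret is empty")
    elif GUID.match(client_secret):
        # Heuristic: the portal lists a GUID "Secret ID" beside the secret "Value".
        problems.append("client secret looks like the Secret ID, not the Value")
    return problems

def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for the app registered in Step 1."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
        "client_id": client_id, "client_secret": client_secret, "scope": SCOPE})
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=body.encode(), method="POST")

def query_request(workspace_id, access_token, kql="Usage | take 1"):
    """Read-only query against the workspace; the default KQL is a sample."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    return urllib.request.Request(url, data=json.dumps({"query": kql}).encode(),
        method="POST", headers={"Authorization": f"Bearer {access_token}",
                                "Content-Type": "application/json"})

def send(req, stage):
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Token stage failing points at Steps 1-2; query stage at Steps 3 and 7.
        sys.exit(f"{stage} failed with HTTP {err.code}")

if __name__ == "__main__":
    # Environment variable names are assumptions made for this example.
    vals = [os.environ.get(k, "") for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID",
                                            "AZ_CLIENT_SECRET", "LA_WORKSPACE_ID")]
    if check_values(*vals):
        sys.exit("; ".join(check_values(*vals)))
    token = send(token_request(*vals[:3]), "token request")["access_token"]
    tables = send(query_request(vals[3], token), "workspace query")["tables"]
    print("credentials work; tables returned:", len(tables))
```

Passing the secret through an environment variable keeps it out of shell history and process listings; a role assignment made in Step 7 can take a few minutes to take effect, so a failed workspace query right after assignment is worth retrying.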