Microsoft Sentinel Integration
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. Sentinel collects telemetry, security detections, and threat context from multiple products into one cloud location, and performs detection and analytics on that combined content from across the enterprise. In Cisco XDR, we enable Microsoft Sentinel users to include Cisco XDR incidents in that body of data, and to use Microsoft Sentinel in custom Automation routines in Cisco XDR.
When you add the Microsoft Sentinel integration to Cisco XDR, Sentinel becomes available in Cisco XDR Automation for out-of-box and custom workflows, including the ability to export Cisco XDR incidents into Sentinel so that incidents are visible in both products.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Microsoft Cloud integration.
- Click the plus sign (+) in the lower-right corner of the card. The Microsoft Cloud integration page is displayed.
- Expand the Integration Guide > Configuring Microsoft Sentinel Application area and follow the instructions on how to add the Microsoft Sentinel integration in Cisco XDR.
You can perform the following tasks after you integrate Microsoft Sentinel with Cisco XDR:
- Automation:
  - Atomic Actions - The atomic actions for Microsoft Sentinel can be used as building blocks in custom workflows. They are listed as available Actions in the left menu of the Workflow Editor. See Atomic Actions and Workflows.
  - Target - The Microsoft Sentinel target is automatically created for out-of-box and custom workflows. See Targets Created From Integrations.