Introduction
This guide provides instructions on how to integrate Beyond Identity event data with Microsoft Sentinel. The integration works by posting Beyond Identity event logs to a Log Analytics workspace in Microsoft Entra; that workspace is then attached to Microsoft Sentinel.
Prerequisites
Ensure that you have the following:
- A Beyond Identity tenant configured for your organization, with the ability to enroll users.
- A Microsoft Entra account with:
  - Admin privileges to create a Log Analytics workspace
  - A Microsoft Sentinel license
Microsoft Sentinel Integration
The integration has three parts:
- Configure the Entra Log Analytics workspace
- Post Beyond Identity tenant events to the Log Analytics workspace
- Add Microsoft Sentinel to the Log Analytics workspace
Configure the Entra Log Analytics workspace
1. Log into the Azure portal with an admin account. In the search box, type “lo” and, in the search results, click on Log Analytics workspaces.
2. In the Log Analytics workspaces screen, click on Create log analytics workspace.
3. In the Create Log Analytics workspace screen:
   - Choose an Entra subscription and resource group.
   - Under Instance details, enter a name, such as “bi-siem-events.”
   - Choose a region for the Log Analytics workspace.
   - Click on Review + Create.
4. Click on Create in the next screen. After the Log Analytics workspace is successfully created, it is listed under “Log Analytics workspaces.”
5. Note down the Workspace Name and Workspace ID. You will need to provide these in a later section.
6. Click on Agents and expand Log analytics agent instructions.
7. Note down the “Primary key.” You will use this in a later section.
Add Microsoft Sentinel to the Log Analytics workspace
1. In the Entra portal, access Microsoft Sentinel.
2. Click Create.
3. Under Add Microsoft Sentinel to a workspace, type the Workspace Name you entered earlier in the search box and select it. In this example, the name is “bi-siem-events.”
4. Click on Add.
Beyond Identity Configuration
This configuration is done in the Beyond Identity Admin Console.
1. Access the Beyond Identity Admin Console through your SSO integration.
2. Click on Integrations and then click the SIEM tab.
3. Click on Add SIEM integration.
4. Select “Microsoft Sentinel” from the SIEM Provider drop-down and then click Save Changes.
5. In the “Add SIEM Integration” screen, complete the following:
   - Enter the Workspace Name and Workspace ID you noted in Step 5 of Configure the Entra Log Analytics workspace.
   - For “Shared Key,” enter the Primary Key you noted in Step 7 of Configure the Entra Log Analytics workspace.
   - Enter “beyondidentity” for the Log Type.
   - From the Events drop-down, choose “select all” or select only the events you are interested in. You can also include future events as they are added.
   - From the Threat Signals drop-down, choose “select all” or select only the threat signals you are interested in. You can also include future threat signals as they are added.
6. Click Test Configuration to confirm that a connection exists between Beyond Identity and Sentinel.
7. Click Save Changes. Once the SIEM configuration is complete in the Beyond Identity Admin Console, the events appear in your Microsoft Sentinel workspace.
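As an added illustration (not Beyond Identity's own code), the following Python builds a request in the form the Log Analytics Data Collector API accepts, which is assumed here to be the transport behind this integration: the Workspace ID routes the request, the Primary/Shared Key signs it with HMAC-SHA256, and the Log Type becomes the name of the custom table queried in Sentinel. The workspace ID, key and events are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_VERSION = "2016-04-01"

# Constructed placeholders for this example; not real credentials or a real tenant
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(b"placeholder-primary-key-not-a-real-key").decode("ascii")
SAMPLE_EVENTS = [{"event_type": "authentication", "actor_tenant_id": "tenant-placeholder",
                  "result": "success"}]


def custom_table_name(log_type: str) -> str:
    """Log Analytics stores Data Collector API records in a table named <LogType>_CL."""
    return f"{log_type}_CL"


def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical request string that the shared key signs (method, length, type, date, path)."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_authorization(workspace_id: str, shared_key_b64: str,
                        content_length: int, rfc1123_date: str) -> str:
    """The workspace Primary key (base64) is the HMAC key; whoever holds it can write to the workspace."""
    key = base64.b64decode(shared_key_b64)
    message = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    signature = base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode("ascii")
    return f"SharedKey {workspace_id}:{signature}"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str, events: list, rfc1123_date=None):
    """Return (url, headers, body) for one batch of events; the date is covered by the signature."""
    body = json.dumps(events).encode("utf-8")
    if rfc1123_date is None:
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,  # becomes the <LogType>_CL table you query in Sentinel
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version={API_VERSION}"
    return url, headers, body


if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY, "beyondidentity", SAMPLE_EVENTS)
    print(url, headers["Authorization"], custom_table_name(headers["Log-Type"]), sep="\n")
```

Because the Primary key is the signing secret for every write to the workspace, treat it like a password: store it only in the SIEM integration configuration and rotate it from the workspace Agents page if it is exposed.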
Verification in Microsoft Sentinel
You can verify that you are receiving events from Beyond Identity with a log search in Microsoft Sentinel.
1. Open the Entra portal and navigate to “Microsoft Sentinel.”
2. Click on the name of the Log Analytics workspace you created previously, such as “bi-siem-events.”
3. Close the “Queries” pop-up.
4. Enter this query in the query text box, replacing “BI_Tenant_events” with the Log Type value you entered in the Admin Console (the custom table name is the Log Type followed by “_CL”):
   BI_Tenant_events_CL | where actor_tenant_id_s contains_cs ""
You should see the results in the results box. The query language is KQL (Kusto Query Language); see https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/