# Azure Sentinel

Integrating [Azure Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=defender-portal) with ilert enables your team to forward security alerts – such as anomalous sign-ins, policy violations, or threat detections – directly to on-call responders. These technical alerts can trigger automated escalations and provide rich context for incident response, helping your security team act on Sentinel’s analytics and investigations in real time.

## In ilert: Create an Azure Alerts alert source <a href="#in-ilert" id="in-ilert"></a>

1. Go to **Alert sources** --> **Alert sources** and click on **Create new alert source**

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FjX0cS4q7woTXKajZmc1W%2FScreenshot%202023-08-28%20at%2010.21.10.png?alt=media&#x26;token=8ef3666b-84eb-4b51-abee-f07303313941" alt=""><figcaption></figcaption></figure>
2. Search for **Azure Alerts** in the search field, click on the Azure Alerts tile and click on **Next**.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FlXzQlJpaTFSR49AZk0xA%2FScreenshot%202023-08-28%20at%2010.24.23.png?alt=media&#x26;token=cffeacb4-57b9-47d4-827d-b0f6b1afd914" alt=""><figcaption></figcaption></figure>
3. Give your alert source a name, optionally assign teams and click **Next**.
4. Select an **escalation policy** by creating a new one or assigning an existing one.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FNnuZqONaIhbOf6fn4OkZ%2FScreenshot%202023-08-28%20at%2011.37.47.png?alt=media&#x26;token=8a74f7b5-5bd2-4eea-97fa-1c1dbb041333" alt=""><figcaption></figcaption></figure>
5. Select your [Alert grouping](https://docs.ilert.com/alerting/configure-alerting/alert-sources#alert-grouping) preference and click **Continue setup**. You may click **Do not group alerts** for now and change it later.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2FueugN4JgHn1c90ggFA6u%2FScreenshot%202023-08-28%20at%2011.38.24.png?alt=media&#x26;token=b8009daf-3ca8-4264-a6fa-e42ef7333205" alt=""><figcaption></figcaption></figure>
6. The next page shows additional settings such as custom alert templates or notification priority. Click on **Finish setup** for now.
7. On the final page, an API key and/or webhook URL will be generated that you will need later in this guide.

   <figure><img src="https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M76ygPnS4HUcFSX8ulm%2Fuploads%2Fi3TIOBvNYBQfDtNpmm0A%2FScreenshot%202023-08-28%20at%2011.47.34.png?alt=media&#x26;token=6cae965a-e448-4443-8c20-37cf501c43b2" alt=""><figcaption></figcaption></figure>

## In Azure: Create a query <a href="#in-splunk" id="in-splunk"></a>

1. Go to [**Azure Portal**](https://portal.azure.com) and then to **Azure Sentinel**.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUriMjBrPmPvJbiSycK%2F-MUrkgYVB1Y4TvM17DO_%2FHome_-_Microsoft_Azure.png?alt=media\&token=648cbdae-a92f-4d1d-b7ce-7ef393cb7ccb)

2. Create or choose a workspace, then go to **Logs** and create a query for which you’d like to create an alert.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUriMjBrPmPvJbiSycK%2F-MUrkZ4l1T8RY53HpG8q%2FAzure_Sentinel_-_Microsoft_Azure.png?alt=media\&token=12228b4e-7ef3-4c56-b3fc-66f6de69ec18)

3. Click on the **New alert rule** button, then choose **Create Azure Monitor alert**.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUrlFXOjGet6xbARVJs%2F-MUrmHcTmwbf4e6eyhlL%2FAzure_Sentinel_-_Microsoft_Azure.png?alt=media\&token=a3121b45-6d0f-4510-97ba-5599dec24e3e)

4. On the next page change the **Condition** for the alerts and click on **Add action groups**.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUrlFXOjGet6xbARVJs%2F-MUrnArxuIBth-xtOiIx%2FCreate_alert_rule_-_Microsoft_Azure.png?alt=media\&token=4d797016-316b-4677-93f4-48f75b733d58)

5. On the modal window click on the **Create action group** button.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUroIR22nPpqKNjAceP%2FSelect_an_action_group_to_attach_to_this_alert_rule_-_Microsoft_Azure.png?alt=media\&token=74e3858b-c883-4a7f-b56d-86be035f2bdd)

6. On the next page name the group e.g. **iLert** and click on the **Actions** tab.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUrpaGY9NNiq8PEzM78%2FCreate_action_group_-_Microsoft_Azure.png?alt=media\&token=1a108220-808e-4a8a-8a39-ac1bda08130d)

7. On the **Actions** tab, click on **Action type** and choose **Webhook**.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUrqCJiRNSQkVsjALCP%2FCreate_action_group_-_Microsoft_Azure.png?alt=media\&token=f018a6ca-f9bd-4453-8369-47a426de4154)

8. On the modal window, paste the **Webhook URL** that you generated in ilert into the **URI** field and click on **OK**. Name the action e.g. **ilert** and click on the **Review + create** button.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUrrax7l3-GeQxTw7Q3%2FWebhook_-_Microsoft_Azure.png?alt=media\&token=c0e2b249-f735-40a8-911c-9273b2f26bb6)

9. On the next page click on the **Create** button.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUrrw7-QpgPl9zRzHt1%2FCreate_action_group_-_Microsoft_Azure.png?alt=media\&token=f99a5927-ead4-4b84-9c3e-aac5b6ad7bf2)

10. On the next page scroll down to the **Alert rule details** section, name the alert rule and click on the **Create alert rule** button.

![](https://3394882078-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M76ygPnS4HUcFSX8ulm%2F-MUro66ThS8tLq7t2y4f%2F-MUrsdZOTLv-qmeiCknV%2FCreate_alert_rule_-_Microsoft_Azure.png?alt=media\&token=06fcace5-4cbe-441d-82d1-08076284ee24)

11. Finished! Your Azure Sentinel alerts will now create alerts in ilert.

## FAQ <a href="#faq" id="faq"></a>

**Will alerts in ilert be resolved automatically?**

No, unfortunately Azure Sentinel alerts do not fire resolve events.

**Can I connect Azure Sentinel with multiple alert sources from ilert?**

Yes, simply create more alert rules in Azure Alerts.
