Microsoft Azure Sentinel

The Tenable integration for Microsoft Azure Sentinel combines Tenable's Cyber Exposure insights with Sentinel's collection, detection, and investigation capabilities. This integration supports Tenable.io and exports asset and vulnerability data from Tenable.io directly to Azure Sentinel.

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. For more information about Azure Sentinel, see the Microsoft documentation.

Required User Role: Administrator. For more information, see API Permissions.

Before you begin:

Configuration Steps

  1. Navigate to the Tenable.io Sentinel Solution on the Azure Marketplace and click Create.

    The Create Tenable.io Sentinel Solution page appears.

  2. Choose the Resource Group that contains your Logs Analytics Workspace with Azure Sentinel enabled, and select that Workspace from the dropdown list.
  3. Click Review + Create. This adds a Tenable.io Data Connector and two Parsers to your Azure Sentinel environment.
  4. Choose the supported account types for your environment.

  5. Navigate to Azure Sentinel and select Data Connectors. Search for "Tenable."

  6. Click Open connector page on the Tenable.io data connector.

    The Data connectors page appears.

    7. Note: You will need the Azure Log Analytics Workspace ID and Workspace Key. The data connector installation page displays both values.

    Note: You will need Tenable.io API credentials. See Generate API Keys to retrieve those credentials.

  7. Read the included instructions on the data connector and click Deploy to Azure when you have the required credentials to deploy the data connector.

Deploying the data connector creates a storage account, an applications insight resource, and several Azure functions within your Azure subscription.

Note: You are responsible for any charges these resources incur.

  1. From the Custom deployment page, select a Resource Group and enter the required credentials.

    Tip: You can optionally configure the export schedule from Tenable.io. The value must be set in minutes and defaults to export assets and vulnerabilities from Tenable.io every 1440 minutes – meaning one export per 24 hour period.

  2. Click Review + create.

    Once the deployment succeeds, it can take up to an hour for the Data Connector to begin exporting data from Tenable.io.

  3. Azure Sentinel will change the data connector status to Connected once data begins to flow from Tenable.io to Azure Sentinel.

  4. Once the Tenable.io Data Connector is connected, navigate to the Queries resource within the data connector to see some sample queries to use for working with the exported data from Tenable.io.