Microsoft Azure Sentinel

The Tenable integration for Microsoft Azure Sentinel combines Tenable's Cyber Exposure insights with Sentinel's collection, detection, and investigation capabilities. This integration supports Tenable.io and exports asset and vulnerability data from Tenable.io directly to Microsoft Sentinel.

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. For more information about Microsoft Sentinel, see the Microsoft documentation.

Required User Role: Administrator. For more information, see API Permissions.

Before you begin:

  • You must have a Logs Analytics Workspace with Microsoft Sentinel enabled in your Azure subscription.
  • For assistance with launching Microsoft Sentinel, see the Microsoft Sentinel quick start guide.

Configuration Steps

  1. Navigate to the Tenable App for Microsoft Sentinel on the Azure Marketplace and click Create.

    The Create Tenable App for Microsoft Sentinel page appears.

  2. Choose the Resource Group that contains your Logs Analytics Workspace with Microsoft Sentinel enabled, and select that Workspace from the dropdown list.
  3. Click Review + Create. This adds a Tenable.io Data Connector and two Parsers to your Microsoft Sentinel environment.
  4. Choose the supported account types for your environment.

  5. Navigate to Microsoft Sentinel and select Data Connectors. Search for "Tenable."

    Note: If Tenable App for Microsoft Sentinel is not listed on the Data connectors page, install the Tenable App from the Content hub (Preview) page after navigating to Microsoft Sentinel, and then repeat step 5.

  6. Click Open connector page on the Tenable.io data connector.

    The Data connectors page appears.

    7. Note: You will need the Azure Log Analytics Workspace ID and Workspace Key. The data connector installation page displays both values.

    Note: You will need Tenable.io API credentials. See Generate API Keys to retrieve those credentials.

  7. Read the included instructions on the data connector and click Deploy to Azure when you have the required credentials to deploy the data connector.

Deploying the data connector creates a storage account, an applications insight resource, and several Azure functions within your Azure subscription.

Note: You are responsible for any charges these resources incur.

  1. From the Custom deployment page, select a Resource Group and enter the required credentials.

    Tip: You can optionally configure the export schedule from Tenable.io. The value must be set in minutes and defaults to export assets and vulnerabilities from Tenable.io every 1440 minutes – meaning one export per 24 hour period.

  2. Click Review + create.

    Once the deployment succeeds, it can take up to an hour for the Data Connector to begin exporting data from Tenable.io.

  3. Microsoft Sentinel will change the data connector status to Connected once data begins to flow from Tenable.io to Microsoft Sentinel.

  4. Once the Tenable.io Data Connector is connected, navigate to the Queries resource within the data connector to see some sample queries to use for working with the exported data from Tenable.io.