Microsoft Sentinel Integration¶

Microsoft Sentinel integrates with Parapet Security through Azure Logic Apps. This guide covers the complete setup process.

Prerequisites¶

Microsoft Sentinel workspace
Azure subscription with Logic Apps access
Contributor role on the resource group
Your Parapet Security webhook URL and token

Quick Setup¶

Step 1: Get Your Parapet Credentials¶

Log in to app.parapetsecurity.com
Go to Settings → Service Tokens
Click Generate New Token
Save both:
- Webhook URL: https://webhook-{region}.parapetsecurity.com/webhook/{tenant-id}
- Service Token: pst_... (shown only once)

Step 2: Create Logic App¶

In Azure Portal, go to Create a resource → Logic App
Configure:

Field	Value
Name	parapet-security-integration
Region	Same as Sentinel workspace
Plan type	Consumption

Click Review + create → Create

Step 3: Configure Logic App Trigger¶

Open the Logic App Designer
Select When a HTTP request is received trigger
Use this JSON schema:

{
  "type": "object",
  "properties": {
    "SystemAlertId": { "type": "string" },
    "AlertType": { "type": "string" },
    "AlertName": { "type": "string" },
    "Severity": { "type": "string" },
    "ProviderName": { "type": "string" },
    "TimeGenerated": { "type": "string" },
    "Entities": { "type": "array" },
    "ExtendedProperties": { "type": "object" }
  }
}

Save and copy the HTTP POST URL

Step 4: Add HTTP Action¶

Click + New step
Search for HTTP
Configure the action:

Field	Value
Method	POST
URI	`https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID`
Headers	See below
Body	See below

Headers:

Authorization: Bearer pst_YOUR_TOKEN
Content-Type: application/json

Body:

{
  "source": "sentinel",
  "timestamp": "@{triggerBody()['TimeGenerated']}",
  "alert": {
    "id": "@{triggerBody()['SystemAlertId']}",
    "name": "@{triggerBody()['AlertName']}",
    "type": "@{triggerBody()['AlertType']}",
    "severity": "@{triggerBody()['Severity']}",
    "provider": "@{triggerBody()['ProviderName']}"
  },
  "entities": @{triggerBody()['Entities']},
  "properties": @{triggerBody()['ExtendedProperties']}
}

Save the Logic App

Step 5: Create Automation Rule in Sentinel¶

Go to Microsoft Sentinel → your workspace
Navigate to Automation → Create → Automation rule
Configure:

Field	Value
Name	Forward alerts to Parapet Security
Trigger	When alert is created
Conditions	(Optional) Filter by severity
Actions	Run playbook → Select your Logic App

Click Apply

Alternative: Analytics Rule Action¶

You can also attach Logic Apps directly to Analytics rules:

Go to Analytics → Select a rule → Edit
Navigate to Automated response tab
Under Alert automation, click + Add new
Select your Parapet Security Logic App
Save the rule

Configuration Options¶

Filtering by Severity¶

In your Automation Rule, add conditions:

Severity is equal to High
OR
Severity is equal to Critical

Including Incident Context¶

If you want incident data (multiple alerts grouped):

{
  "source": "sentinel",
  "timestamp": "@{triggerBody()['TimeGenerated']}",
  "incident": {
    "id": "@{triggerBody()['IncidentNumber']}",
    "title": "@{triggerBody()['Title']}",
    "severity": "@{triggerBody()['Severity']}",
    "status": "@{triggerBody()['Status']}",
    "owner": "@{triggerBody()['Owner']?['assignedTo']}"
  },
  "alerts": "@{triggerBody()['Alerts']}",
  "entities": "@{triggerBody()['Entities']}"
}

Entity Enrichment¶

Include detailed entity information:

{
  "source": "sentinel",
  "timestamp": "@{triggerBody()['TimeGenerated']}",
  "alert": {
    "id": "@{triggerBody()['SystemAlertId']}",
    "name": "@{triggerBody()['AlertName']}",
    "severity": "@{triggerBody()['Severity']}"
  },
  "entities": {
    "accounts": "@{json(coalesce(triggerBody()?['Entities'], '[]'))?[?@.Kind == 'Account']}",
    "hosts": "@{json(coalesce(triggerBody()?['Entities'], '[]'))?[?@.Kind == 'Host']}",
    "ips": "@{json(coalesce(triggerBody()?['Entities'], '[]'))?[?@.Kind == 'Ip']}",
    "files": "@{json(coalesce(triggerBody()?['Entities'], '[]'))?[?@.Kind == 'File']}"
  }
}

Sample Alert Payload¶

Here's what Sentinel sends to Parapet Security:

{
  "source": "sentinel",
  "timestamp": "2026-01-28T15:30:00.000Z",
  "alert": {
    "id": "12345678-1234-1234-1234-123456789012",
    "name": "Suspicious PowerShell command line",
    "type": "Scheduled",
    "severity": "High",
    "provider": "Azure Sentinel"
  },
  "entities": [
    {
      "Kind": "Host",
      "HostName": "workstation-01",
      "OSFamily": "Windows"
    },
    {
      "Kind": "Account",
      "Name": "jsmith",
      "NTDomain": "CORP"
    },
    {
      "Kind": "Ip",
      "Address": "192.168.1.50"
    }
  ],
  "properties": {
    "Command": "powershell -enc SQBFAFgA...",
    "ProcessId": "4532"
  }
}

Parapet Security's AI normalizes this to extract:

Severity: High (from Sentinel severity)
Category: Endpoint/Execution
Host: workstation-01
User: CORP\jsmith
Command: Decoded PowerShell command

Managed Identity Setup (Recommended)¶

For production, use Managed Identity instead of tokens:

Step 1: Enable Managed Identity¶

Open your Logic App
Go to Identity → System assigned
Set Status to On
Save

Step 2: Create Azure Key Vault¶

Create a Key Vault in your subscription
Add a secret named ParapetSecurityToken with your token value

Step 3: Grant Access¶

In Key Vault, go to Access policies
Add your Logic App's managed identity
Grant Get permission on secrets

Step 4: Update Logic App¶

Replace the hardcoded token with a Key Vault reference:

@listSecrets(variables('keyVaultSecretUri'), '2019-09-01').value

Troubleshooting¶

Logic App Not Triggering¶

Check Automation Rule status: Sentinel → Automation → Verify rule is enabled
Verify permissions: Logic App needs "Microsoft Sentinel Responder" role
Review run history: Logic App → Overview → Run history

HTTP Action Failing¶

Check response code: Look for 401 (bad token), 400 (bad payload), or 500 (server error)
Verify URL format: Ensure no trailing slash and correct tenant ID

Test with curl:

curl -X POST "https://webhook-us.parapetsecurity.com/webhook/YOUR-TENANT-ID" \
  -H "Authorization: Bearer pst_YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"source": "sentinel", "test": true}'

Missing Entity Data¶

Check entity mapping: Analytics rule → Entity mapping must be configured
Verify JSON expressions: Use Logic App expression tester to debug

Rate Limiting¶

If you see 429 errors:

Add retry policy to HTTP action
Add delay between calls for batch incidents
Consider upgrading Parapet Security plan

Cost Optimization¶

Logic Apps charge per action execution:

Scenario	Monthly Cost
100 alerts/day	~$3/month
1,000 alerts/day	~$30/month
10,000 alerts/day	~$300/month

To reduce costs:

Filter alerts in Automation Rules before triggering
Use batching for non-critical alerts
Consider Standard plan for high volumes

Next Steps¶

Configure Slack notifications for real-time alerts
Set up alert filters to focus on what matters
Understand AI triage results