thehive-sentinel-incident is a Python script created to pull Azure Sentinel incidents into TheHive as alerts. It queries the Azure Sentinel API for new incidents and gets the alert entities from the Azure Sentinel Log Analytics workspace to be created as TheHive observables.
An Azure app registration (service principal) is required to query the Azure Sentinel API and the Azure Log Analytics workspace.
See the Azure documentation to create a service principal: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
The app registration (service principal) should have the following permissions on the Azure Log Analytics workspace with Azure Sentinel enabled:
- Sentinel Contributor
- Log Analytics Contributor
thehive-sentinel-incidents is configured in the file sentinel.ini.
[TheHive]
apiKey =
server = http://localhost:9000
[Azure]
tenantId =
subscriptionId =
clientId =
clientSecret =
resourceGroupName =
workspaceName =
workspaceId =
apiKey: The API key of a TheHive user with the following permissions:
- Read/Write role
- Allow alerts creation
server: The URL and port for connecting to TheHive.
tenantId: The id of the Azure tenant containing the Azure Log Analytics workspace with Azure Sentinel enabled.
subscriptionId: The id of the Azure subscription containing the Azure Log Analytics workspace with Azure Sentinel enabled.
clientId: The client id of the Azure service principal.
clientSecret: The client secret of the Azure service principal.
resourceGroupName: The name of the resource group containing the Azure Log Analytics workspace with Azure Sentinel enabled.
workspaceName: The name of the Azure Log Analytics workspace with Azure Sentinel enabled.
workspaceId: The ID of the Azure Log Analytics workspace with Azure Sentinel enabled.
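The following is an added example, not code from the thehive-sentinel-incidents project, that shows the two pieces the README describes: loading and validating sentinel.ini, and turning a Sentinel incident plus the alert entities fetched from the Log Analytics workspace into a TheHive alert with observables. The sample INI, incident and entity records are constructed inline; the entity field names (Address, HostName, Name, Url, DomainName, Value) follow the shape of the Entities column of the SecurityAlert table, the severity mapping is this example's own choice, and the TheHive alert fields (type, source, sourceRef, artifacts) are the standard alert API fields. Using the incident GUID as sourceRef lets TheHive reject duplicates when the cron job re-reads an incident it has already imported.

```python
import configparser
import json
import urllib.request

# Constructed sentinel.ini with the keys the README lists (all values are placeholders).
SAMPLE_INI = """
[TheHive]
apiKey = PLACEHOLDER_THEHIVE_API_KEY
server = http://localhost:9000

[Azure]
tenantId = 00000000-0000-0000-0000-000000000001
subscriptionId = 00000000-0000-0000-0000-000000000002
clientId = 00000000-0000-0000-0000-000000000003
clientSecret = PLACEHOLDER_CLIENT_SECRET
resourceGroupName = rg-sentinel
workspaceName = law-sentinel
workspaceId = 00000000-0000-0000-0000-000000000004
"""

# Every key from the README's sentinel.ini; an empty value is treated as missing.
REQUIRED = {
    "TheHive": ("apiKey", "server"),
    "Azure": ("tenantId", "subscriptionId", "clientId", "clientSecret",
              "resourceGroupName", "workspaceName", "workspaceId"),
}


def missing_keys(ini_text):
    """Return 'Section.key' names that are absent or blank in the INI text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return [f"{section}.{key}" for section, keys in REQUIRED.items() for key in keys
            if not cfg.has_option(section, key) or not cfg.get(section, key).strip()]


def load_config(ini_text):
    """Parse the INI text and fail fast instead of running with a half-filled config."""
    missing = missing_keys(ini_text)
    if missing:
        raise ValueError("sentinel.ini is missing values for: " + ", ".join(missing))
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg


# Sentinel incident severity -> TheHive severity (1 low, 2 medium, 3 high). Example's own mapping.
SEVERITY = {"Informational": 1, "Low": 1, "Medium": 2, "High": 3}

# Sentinel entity type -> (TheHive dataType, entity field carrying the value). Assumed shapes.
ENTITY_FIELDS = {
    "ip": ("ip", "Address"),
    "host": ("hostname", "HostName"),
    "account": ("other", "Name"),
    "url": ("url", "Url"),
    "dns": ("domain", "DomainName"),
    "filehash": ("hash", "Value"),
}


def entities_to_observables(entities_json):
    """Convert the SecurityAlert Entities JSON array into TheHive artifacts.

    Unknown entity types are skipped and repeated values collapsed, so one noisy
    alert does not flood the TheHive alert with duplicate observables.
    """
    observables, seen = [], set()
    for ent in json.loads(entities_json):
        mapping = ENTITY_FIELDS.get(str(ent.get("Type", "")).lower())
        if not mapping:
            continue
        data_type, field = mapping
        value = ent.get(field)
        if not value or (data_type, str(value)) in seen:
            continue
        seen.add((data_type, str(value)))
        observables.append({"dataType": data_type, "data": str(value),
                            "message": f"Sentinel entity type '{ent['Type']}'"})
    return observables


def build_alert(incident, entities_json):
    """Map a Sentinel incident (REST API shape) and its entities to a TheHive alert body."""
    props = incident["properties"]
    return {
        "type": "sentinel-incident",
        "source": "AzureSentinel",
        "sourceRef": incident["name"],  # incident GUID: TheHive dedupes on type/source/sourceRef
        "title": props["title"],
        "description": props.get("description") or "No description provided by Sentinel.",
        "severity": SEVERITY.get(props.get("severity"), 2),
        "tlp": 2,
        "tags": [f"sentinel:incident:{props['incidentNumber']}",
                 f"sentinel:severity:{props.get('severity', 'unknown').lower()}"],
        "artifacts": entities_to_observables(entities_json),
    }


def post_alert(cfg, alert):
    """Send the alert to TheHive using the API key from sentinel.ini as a bearer token."""
    req = urllib.request.Request(
        cfg["TheHive"]["server"].rstrip("/") + "/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": "Bearer " + cfg["TheHive"]["apiKey"],
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


# Constructed sample incident and entity records (not real data).
SAMPLE_INCIDENT = {
    "name": "11111111-2222-3333-4444-555555555555",
    "properties": {"title": "Suspicious sign-in from unfamiliar location",
                   "description": "Constructed sample incident.",
                   "severity": "High", "incidentNumber": 42},
}
SAMPLE_ENTITIES = json.dumps([
    {"Type": "account", "Name": "jdoe"},
    {"Type": "ip", "Address": "198.51.100.23"},
    {"Type": "ip", "Address": "198.51.100.23"},      # duplicate, collapsed
    {"Type": "host", "HostName": "WS-0042"},
    {"Type": "process", "CommandLine": "notepad.exe"},  # unsupported type, skipped
])

if __name__ == "__main__":
    config = load_config(SAMPLE_INI)
    print(json.dumps(build_alert(SAMPLE_INCIDENT, SAMPLE_ENTITIES), indent=2))
    # post_alert(config, alert) would then create the alert in the configured TheHive instance.
```

Running the script prints the alert body that would be posted; the network call in post_alert is left uncalled so the example runs offline. In a real deployment the incident list and the Entities column come from the Sentinel REST API and a Log Analytics query authenticated with the service principal described above.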
To periodically run thehive-sentinel-incidents, use a cron job:
*/5 * * * * python3 /opt/thehive-sentinel-incident/thehivesentinelincidents.py >> /var/log/thehivesentinelincidents.log 2>&1
To deploy a TheHive/Cortex instance with thehive-sentinel-incidents preconfigured, you can use the ansible-thehive Ansible role available on the NVISO GitHub.