FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 355116
Description

This article describes how to configure SIEM event streaming from the Reveal platform to Microsoft Sentinel.

Scope

FortiDLP.
Solution

Prerequisites

Setup overview:

Deploy custom Template:

First, deploy the data connector. Microsoft's documentation covers this step in more detail.

The simplest route is the Deploy a custom template option in the Azure portal. The steps to add the template are:

  1. Open the Deploy a custom template page in the Azure portal:
    • From the global search, type 'Deploy a custom template' and select that option in the Services search results.
    • Select the 'Build your own template in the editor' option.
  2. Upload the JSON found at the bottom of this page using the Load File option.
  3. Make two small changes to the loaded template:
    • Under Parameters -> Workspace at the top, add the name of the Log Analytics workspace as the defaultValue. In the example used here, the workspace name is 'next-siem'.
    • To give the connector a specific name, update the title under Resources -> Properties -> Title.
  4. Select Save.
  5. Choose the subscription, resource group and region. The Workspace field should already be populated with the workspace name that was added to the template.
  6. Select Review + Create.
  7. On the 'Custom Deployment' summary page, review the selections and, if everything looks correct, select Create.

The custom data connector now exists and the portal redirects to the deployment's Overview page. Configuration of the connector continues below, once a SIEM stream has been created in Reveal.
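For anyone who has to repeat the template edits for several workspaces, the same two changes (workspace defaultValue and connector title) can be scripted and the deployment done with the Azure CLI instead of the portal. This is an added example and not code from the article, Fortinet or Microsoft. The connector JSON itself is not reproduced on this page, so TEMPLATE_SKELETON below is a constructed stand-in that models only the two keys the article tells you to edit; the resource group name 'rg-sentinel', the resource name 'reveal-connector' and the output file name are assumptions. `az deployment group create` with `--resource-group`, `--template-file` and `--parameters` are real CLI flags.

```python
"""Scripted version of the manual template edits and the Review + Create step."""
import copy
import json
import shlex

# Constructed stand-in for the connector template JSON referenced by the
# article (that JSON is not reproduced here). Only the two keys the article
# says to edit are modelled; the real template has more resources and keys.
TEMPLATE_SKELETON = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace": {"type": "string", "defaultValue": ""},
    },
    "resources": [
        # Resource carrying the connector title shown in the Sentinel UI
        # (Resources -> Properties -> Title in the article). Name is assumed.
        {"name": "reveal-connector", "properties": {"title": "Reveal SIEM Stream"}},
    ],
}


def customise_template(template, workspace, title):
    """Return a copy of `template` with the two edits the article makes by hand."""
    if not workspace.strip():
        raise ValueError("Log Analytics workspace name must not be empty")
    out = copy.deepcopy(template)  # never mutate the loaded template in place
    out["parameters"]["workspace"]["defaultValue"] = workspace
    # Locate the single resource that carries properties.title; refuse to guess
    # if the template does not look like the one the article expects.
    titled = [r for r in out.get("resources", [])
              if isinstance(r.get("properties"), dict) and "title" in r["properties"]]
    if len(titled) != 1:
        raise ValueError(f"expected one resource with properties.title, found {len(titled)}")
    titled[0]["properties"]["title"] = title
    return out


def render_template(template):
    """Serialise the edited template for saving as the file passed to az."""
    return json.dumps(template, indent=2) + "\n"


def deployment_command(resource_group, template_path, workspace):
    """CLI equivalent of Review + Create. The parameter name 'workspace'
    matches the skeleton above; it also overrides defaultValue explicitly."""
    argv = ["az", "deployment", "group", "create",
            "--resource-group", resource_group,
            "--template-file", template_path,
            "--parameters", f"workspace={workspace}"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    edited = customise_template(TEMPLATE_SKELETON, "next-siem", "FortiDLP Reveal connector")
    with open("reveal-connector.json", "w", encoding="utf-8") as fh:
        fh.write(render_template(edited))
    print(deployment_command("rg-sentinel", "reveal-connector.json", "next-siem"))
```

Run the script against the real JSON (load it in place of TEMPLATE_SKELETON) and paste the printed command into a shell that is logged in with `az login`. Passing `--parameters workspace=...` is what makes the portal's Workspace field population unnecessary on the CLI path, but the script still sets defaultValue so the saved file also works through Deploy a custom template.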

Creating a SIEM Stream in Reveal:

Next, create a SIEM stream in the Reveal console. The deployment guide describes this in full; in short:

  1. Open the Reveal console and navigate to the Admin -> Event Streaming section.
  2. Select Create New Stream.
  3. Give the Stream a name and select the events to receive.
  4. Select Create.
  5. Gather two details from this page to configure the data connector in Sentinel:
    • The Stream ID, shown in the table once the stream has been created.
    • An Access Token: select the three dots to the right of the new stream and select Generate Access Token. Copy the token from here.

The access token is displayed only once, so copy it now and store it as a secret: it is what authenticates the Sentinel connector to the stream. If it is lost or rejected later, generate a new token from the same menu; doing so invalidates the previous token.

Configuring the Data Connector in Sentinel:

At this stage a data connector has been deployed in Sentinel and a SIEM stream has been created in Reveal. The steps below tie the two together.

  1. In Microsoft Sentinel, navigate to Data Connectors.
  2. Open the page of the newly created connector.
  3. Fill in the three text boxes with the values from the SIEM stream configuration:
    • Tenant Name: the name of the FortiDLP tenant.
    • Stream ID: the Stream ID of the SIEM stream created in Reveal.
    • API Key: the access token generated for that stream.
  4. Select Connect.

At this point the stream is connected and events should start arriving through the new Sentinel data connector.
